Unlike many other countries, the United States does not have a uniform regulatory approach to data security. Instead, companies and organizations that serve U.S. residents and the U.S. government face a patchwork of federal, sector-specific, and state laws. California’s legislature, however, took a significant step in June 2018 by passing the strictest state-level data security regulation in the United States. The California Consumer Privacy Act of 2018 (CCPA) governs the steps businesses transacting in California must take when collecting and sharing consumers’ personally identifiable data, and when responding to verified consumer requests about that data. While the CCPA is not supposed to conflict with other federal regulations, companies looking to conduct business in the world’s fifth-largest economy may need to revamp their data collection and security practices to ensure seamless interstate commerce.
What Types of Businesses and Data the California Consumer Privacy Act Targets
The CCPA targets sole proprietorships, partnerships, LLCs, corporations, and other organizations that transact in California and collect, sell, purchase, or receive consumers’ personal data. The law broadly defines “personal data” as including not just individuals’ names and physical addresses, but also their aliases; e-mail and IP addresses; government identification numbers; biometric data; commercial and property records; purchase histories; online browsing and search histories; geolocation data; employment data; and FERPA-protected educational data. On top of this, the law regulates any data companies generate about users that is based solely on inferences drawn from existing consumer patterns, demographics, and transaction histories. Not all companies, however, are required to comply with the CCPA. To fall under the CCPA’s purview, an organization must generate more than $25 million in annual revenue; collect, share, purchase, sell, or otherwise work with the personal data of at least 50,000 users; or generate at least 50% of its gross income from selling users’ personal data.
What Data Security and Handling Steps the California Consumer Privacy Act Requires Businesses to Take
Many CCPA provisions mirror those of the European Union’s GDPR, though they aren’t as stringent. Under the CCPA, businesses must cooperate with consumer requests to review the specific data collected about them and the business reasons for collecting it. Businesses are also required to publish conspicuous online procedures that allow consumers to prevent the collection of their data or to direct the business to delete their existing data files outright. Beyond this, businesses are prohibited from selling data belonging to minors between the ages of 13 and 16 without the minor’s consent, and from selling data belonging to minors under the age of 13 without their parents’ consent. Noncompliant companies could face the greater of actual damages or $100 to $750 in civil fines per exposed individual (or injunctive, declaratory, or other court-approved relief in its place) if they fail to use reasonable and appropriate safeguards to protect unencrypted or unredacted consumer data that is compromised in a data breach. Companies could face up to $7,500 per violation in civil fines for other CCPA violations.
How Businesses Can Address California Consumer Privacy Act Compliance Immediately
While the CCPA does not take effect until January 1, 2020, businesses should start taking steps now to ensure compliance and avoid costly data-breach-related litigation. Moving your consumer data and business software to the cloud is the easiest way to achieve CCPA compliance. This allows you to work securely with your consumer data anywhere, on any device, while leveraging 2FA; HIPAA-compliant controls; multiple physical, server, and data security layers; 256-bit AES encryption; and SSL-A-certified servers.
Abacus Private Cloud can help you achieve your CCPA compliance goals. Contact us to learn how, and to see whether your existing safeguards are up to speed with the upcoming requirements.