What is the California Consumer Privacy Act and how will it affect your business? Part 1

Remember all that talk in 2018 about the introduction of the GDPR across Europe? For many of us in the US, it didn’t seem real because it wasn’t in our corporate jurisdiction and we were observers rather than participants.

That’s all about to change because on January 1, 2020, the California Consumer Privacy Act came into play. While the California Attorney General’s Office (CAG) won’t start enforcing it until July 1, and business-to-business communications are exempt until January 1, 2021, this is the time to start preparing for it because it has big ramifications for many businesses.

Another notable day in the month is Data Privacy Day on January 28. An extension of Data Protection Day in Europe, the efforts to make the public and business aware of data privacy issues are led by the National Cyber Security Alliance.

Either by accident or design, the theme for 2020 is Respecting Privacy, Safeguarding Data and Enabling Trust, which I hope this series of posts about the CCPA from me and my colleague, Devin Conn, will help you to follow. There are several related topics to talk about:

  • Which businesses the CCPA applies to
  • The penalties for non-compliance
  • The rights the CCPA grants to California consumers
  • What constitutes ‘personal information’
  • The requirements the CCPA imposes on businesses
  • The steps you need to take to be compliant
    • Cataloging your data
    • Introducing policies for managing your data
    • Protecting your data

In this post, I’ll be covering the businesses that will be affected by the CCPA and the big one – the penalties for those who fail to comply.

Which businesses does the CCPA apply to?

The CCPA applies to any for-profit business with revenues of over $25 million, along with those that buy, sell or share the personal information of 50,000 or more consumers, households or devices. If your business derives 50% or more of annual revenues from selling personal information, you’re also in the mix whatever your revenue, and there are additional obligations for businesses holding the data of more than four million consumers.

There are three exemptions for businesses already covered by existing legislation. Health providers and insurers, for example, are already subject to HIPAA, financial companies are covered by the Gramm-Leach Bliley Act, while the Fair Credit Reporting Act governs credit reporting agencies.

At first glance, this appears to let a lot of companies off the hook. The Standardized Regulatory Impact Assessment of the CCPA issued by the CAG estimates that 15,643 businesses in California have revenues of more than $25 million. That’s a pretty small number compared to the 800,000 business in the state.

But take a look again at the second category. Holding the data of more than 50,000 consumers, households or devices is a pretty easy target to reach for any company that markets itself to consumers or businesses. So easy that the impact assessment’s lower bound estimate for the number of businesses in California that will be affected by the CCPA is 383,328.

That’s a big jump from 15,643 and it means 48% of businesses in the state will need to be thinking about how to comply. Particularly when the impact assessment goes on to say: “The CCPA will fundamentally change how firms work with personal data. Some industries will be forced to completely revise their business models to incorporate the newly required data protections.”

And just in case you don’t think it applies to your business because you’re in Paris, Texas, or even Paris, France, it may well do so. Like the GDPR, the CCPA applies to any company that handles the data of the residents it protects, wherever the company is based. Given that California is the world’s fifth largest economy, there’s a pretty good chance, especially if you’re based in the US, that residents of California are hiding inside your database.

What are the penalties for non-compliance?

The big headline penalty when the GDPR was introduced in the EU was a fine for non-compliance of up to €20 million, or 4% of annual global turnover, whichever is higher. It’s been followed through with as well, with fines of €200 million for British Airways, €110 million for Marriot International and €50 million for Google being the highest to date.

The CCPA isn’t quite as ambitious, with penalties of up to $2,500 per violation or $7,500 for intentional violations. Consumers can also bring legal action for statutory damages ranging from $100 to $750 – or actual damages – per consumer, per incident.

That doesn’t sound a lot but those penalties can add up very quickly. Even at the £2,500 mark, that’s $2.5 million per 1,000 records, for example. In October 2019 it was revealed that an unsecured online database belonging to Best Western Hotels exposed the data of hundreds of thousands of bookings for nearly a month. It included the travel plans of US army generals, as well as their email addresses, phone numbers, and other sensitive personal data.

While Best Western is still slighting from the bad headlines it received, the good news for the hotel chain is that the CCPA wasn’t being enforced. Suddenly, the $2,500 for each violation (and I suspect it would have been the $7,500 figure given the nature of the leak) adds up to an eyewatering fine.

Then there’s the legal action to think about. Section 1798.150 of the CCPA says: “Any consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.”

Now imagine a class action law suit brought on behalf of the hundreds of thousands of people involved in the Best Western story. Again, we’re talking big sums.

What are the take-aways?

For me, there are three take-aways from this introduction the CCPA.

  1. More businesses than expected will need to comply with the CCPA, given that all it takes to be affected is to have more than 50,000 consumer records on file. It’s not just about the $25 million in revenue.
  2. Maintaining reasonable security procedures and practices for data has moved from good business sense to a legal requirement in order to avoid a fine or civil action.
  3. Encrypting your data is a good way to start thinking about how your business can comply with the CCPA because the Act talks about unauthorized access or disclosure of nonencrypted and nonredacted personal information. If It’s encrypted, your business will likely be compliant even if there is a leak.

Want to know more?

This is the first in a series of blog posts about the CCPA from me and my colleague, Devin Conn. If there’s an area of particular interest, you can discover more about it right now:

  • Part 2: The rights the CCPA grants to California consumers, and what constitutes ‘personal information’
  • Part 3: The requirements the CCPA imposes on businesses
  • Part 4: The 3 areas businesses need to focus on to be compliant

For future reference, we’ve also combined them in a comprehensive CCPA whitepaper that you can download and share with colleagues.

For more information about how Redgate can help your business meet the obligations of the CCPA, visit the Redgate Solutions page online, or connect with me on LinkedIn.