January 1, 2020 not only ushered in a new year and a new decade, it also saw a slew of new California laws take effect, the most significant of them being the California Consumer Privacy Act (CCPA). Although it is modeled loosely on the European General Data Protection Regulation (GDPR), the CCPA raises the stakes for businesses with something the GDPR does not provide in the same form: a private right of action that lets consumers sue directly when a data breach results from a failure to maintain reasonable security.
The CCPA protects the privacy of any consumer who resides in California and imposes requirements on businesses that handle those consumers' personal information, regardless of where the business itself is located. Technically, the CCPA applies only to businesses (the so-called covered entities) that meet at least one of three thresholds:
- Annual gross revenue of $25 million or more
- Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices
- Derives 50% or more of its annual revenue from selling consumers' personal information
The first reaction of many small businesses reading these criteria is probably "well, this doesn't apply to me," but the reality is that the CCPA sets a standard of privacy protection that regulators and plaintiffs will measure businesses against, and that standard can mean fines and litigation even if you believe you are exempt.
One of the major requirements of the CCPA is that businesses handling California consumers' personal information must maintain "reasonable security procedures and practices," yet the statute does not define what that looks like. The California attorney general, however, has previously pointed to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (https://www.nist.gov/cyberframework) and the Center for Internet Security (CIS) Controls, at the time a list of 20 controls (https://www.cisecurity.org/controls/cis-controls-list/), as the minimum standard for reasonable security. This is the requirement that matters most in practice, because it is the failure to meet it that exposes a business to consumer lawsuits after a breach.
What should you do if you are, or suspect you might be, a covered entity? First and foremost, get familiar with the law and how it applies to you. The California attorney general's website has a page dedicated to the CCPA (https://www.oag.ca.gov/privacy/ccpa), so start there. Numerous other resources are available online if you search for CCPA.
If the CCPA does apply to your business, you will have to change your website to provide the required disclosures at the point of collection and give visitors the choice to opt out of the sale of their personal information. You will also have to keep an inventory of the personal information you have already collected and will be collecting, and be able to disclose it to consumers on a verified request. Finally, you will have to start taking cybersecurity seriously, if for no other reason than to demonstrate that you maintain reasonable security procedures to protect consumer data.
If you have any questions or want to learn more about your security risks, feel free to contact us for a free security assessment.