Happy New Year! The CCPA is now in force


What is the CCPA?

The California Consumer Privacy Act (CCPA) is one of the strictest privacy laws in the US and comes into force on January 1, 2020.

The CCPA will have a significant impact on corporate privacy rules across all sectors of technology, media, entertainment and telecommunications.

The CCPA gives California residents the ability to control how businesses process their personal information. Businesses must comply with data subject requests to access or delete the data the business might hold on them. Businesses will also have to comply with requests from data subjects to opt out of having their information shared or sold.

Who does the CCPA affect?

The CCPA applies to businesses, which means for-profit legal entities that collect or sell personal information belonging to consumers. 

Businesses must comply with the CCPA where any of the following apply:

  • They have at least $25 million in annual revenue
  • They hold more than 50,000 users’ or devices’ data
  • They earn more than 50% of their revenue from selling data

The CCPA does not apply to:

  • Health providers and insurers already covered by HIPAA
  • Financial companies regulated by the Gramm-Leach-Bliley Act
  • Credit reporting agencies under the Fair Credit Reporting Act

How to comply with the CCPA

  • Establish clear policies around consumer privacy to align with CCPA
  • Implement mechanisms for data subject requests to ensure residents can access or delete their data
  • Identify what CCPA-related data is collected, and map how the data is processed and where it resides
  • Invest in regular training of employees so they understand the company’s responsibilities and how to handle consumer requests
  • Properly vet and risk-assess third parties who handle personal information on the company’s behalf
  • Establish a breach response plan to deal with and properly disclose any data breaches

Penalties for breaching CCPA

Consumers can bring legal action for statutory damages against a company that breaches the CCPA. The amounts range from $100 to $750 per violation. Statutory damages mean consumers do not have to prove they suffered any financial loss, only that the company was in breach of the law.

How to build a CCPA compliance program

Identify and classify what personal information is held by performing a data audit.

  • Understand where personal information is stored
  • Assess the risk of the data being lost, stolen, or otherwise misused
  • Locate any unnecessary data and safely and securely destroy it
  • Limit access to data through permissions
  • Implement a program to monitor and protect personal data against threats
  • Subject all data to continual review to ensure permissions and security are up to date
  • Monitor new cyber threats and adjust security measures as needed

Further training

VinciWorks has a suite of online courses relating to US privacy laws, including Data Privacy: Fundamentals and CCPA: An Overview. VinciWorks is a leader in GDPR training and provides full-service solutions to compliance for global business. Our courses can be fully customized to suit your organization and industry.