A Finance Exec, A Real Estate Developer, And a Former CIA Analyst Walk Into A Bar

by Caitlin Gruenberg

California has long been a trail-blazer for privacy and data protection regulations in the United States. Currently, the United States primarily puts privacy and data protection in the hands of individual states and industries, rather than using a comprehensive approach.  Unfortunately, this has led to an inconsistent view of privacy and a misunderstanding of consumers’ rights in regard to their personal information. California and the California Consumer Privacy Act (CCPA) seek to correct misconceptions and hold businesses accountable for the personal information they collect.

Since 2016, when the European Union (EU) introduced the General Data Protection Regulation (GDPR), U.S. companies who fall in scope have been forced to address the personal data of EU data subjects in fear of potentially catastrophic fines upon implementation in May 2018. The State of California took the GDPR mind-set and ran with it.

Related: 6 Security Controls You Need For General Data Protection Regulation (GDPR)

On June 28, 2018 the California Consumer Privacy Act was passed, signed into law, and will take effect January 1, 2020. While the CCPA is a less stringent version of its distant cousin from across the pond, GPDR, the whirlwind conception and adoption of CCPA has certainly set the bar for consumer privacy laws in the U.S. By providing businesses with more regulations regarding the processing California residents’ personal information, the CCPA adds to California’s already “mature” privacy outlook (by U.S. standards only).

The Business

Businesses who will be regulated by the CCPA will also be subject to fines. The Attorney General will enforce civil fines for negligence, up to $2,500.00 per violation, and intentional violations, up to $7,500.00 per violation.

Businesses who are in scope are defined by the CCPA as:

  • For-profit entities that have gross revenue in excess of $25 million; or
  • For-profit entities that buy, sell, receive or share for commercial purposes, the personal information of 50,000 or more consumers, devices or households, on an annual basis; or
  • For-profit entities that derive 50 percent or more of its annual revenues from the sale of consumers’ personal information.

Ultimately, there will be headaches and growing pains, but businesses have roughly 15 months left to prepare for CCPA.  Businesses need to know what personal information they collect from consumers and what they do with the data.  From there, a plan for how to meet the requirements set forth in this legislation can materialize.  If plans are set in motion and prioritized now, excuses of “not enough time” and “what is CCPA”, won’t need to be cited and panic will not ensue.

Related: Cover Compliance With A Risk-Based Approach To TPRM

The Consumer

Approximately 40 million California residents will have more rights regarding their personal information than ever before.  Upon enforcement of CCPA, California residents are entitled to the following:

  1. The right to know what personal information is being collected, sold or disclosed about them; and to have that information “reasonably accessible”.
  2. The Right to Access the personal information a consumer maintains.
  3. The Right to Deletion. A consumer may submit a request for a business to delete any personal information they may have collected.
  4. The Right to Opt-Out and have a business cease the sale of their personal information.
  5. The Right to Opt-In for consumers under age 16.
  6. The Right to Equal Service and Rights, preventing discrimination of those who fall under the CCPA.

The CCPA is certainly groundbreaking for consumer privacy rights, but a plan is only as good as its execution. Moving forward, education and awareness will be critical for consumers in understanding their new rights and how to exercise them.

What’s Next 

Businesses who fall in scope of the California Consumer Privacy Act, who thought they dodged the GDPR-bullet, will have to take a look at their current practices and prioritize privacy. California has continued to pave the privacy path with CCPA, hopefully the remaining 49 states will follow.


analytics third-party risk management (TPCRM)