[BreachExchange] CCPA – What Is It And What Does Your Business Need To Know?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 22 20:20:55 EST 2019


https://www.jdsupra.com/legalnews/ccpa-what-is-it-and-what-does-your-10406/

The California Consumer Privacy Act of 2018 (CCPA) is here and it’s best to
start now to learn what this law is, who it applies to, and what you and
your business can do to be prepared. This article is a follow-up to our
earlier post on the CCPA.

Although the Act was passed in 2018 and signed into law by Gov. Jerry Brown
on June 28, 2018, the effective date is January 1, 2020 with a six (6)
month delay in enforcement after that date. As we all know well, that date
will be here before you know it. Systems take time to program, and lawyers
and others need time to analyze and interpret definitions and provisions on
behalf of their business clients. Add to that, the regulations to the CCPA
still need to be developed and we are currently in the midst of the
California public hearing process, whereby the Attorney General of
California has undertaken a series of public hearings to hear and receive
public comment about the CCPA.

What we know right now is that the CCPA deadline is coming soon.  What is
this broad privacy law? Who does it apply to? What protections are included
for consumers? How does it affect businesses? What rights do consumers have
regarding their personal information? What happens if there is a violation?
These are some of the questions we’ll try to answer in the coming weeks and
we’ll begin by explaining the purpose of the CCPA, the types of businesses
impacted, and the rights that the CCPA gives to consumers regarding their
personal information.

It’s no surprise that the state of California tackled data privacy law in
such a big way. News reports from 2018 rank California’s economy as the
fifth largest in the world and science and technology is a big sector of
that economy.  The CCPA’s stated legislative purposes describe how
California’s world leader role in technology, the proliferation of personal
information shared by consumers with businesses, and the right of privacy
of California residents, all intersected into the development of this
comprehensive law. Cal. Civ. Code Sec. 2.

One of the most critical facts to know is that the CCPA not only applies to
consumers, but also applies to for-profit businesses that do business in
the state of California.  A business is defined as one that collects
consumers’ personal information, has more than $25 million in revenue,
alone or in combination, and annually buys, receives for the business’s
commercial purposes, sells or shares for commercial purposes, the personal
information of 50,000 or more consumers, households or devices or derives
50% of its annual revenues from selling a consumer’s personal information.
Cal. Civ. Code §1798.140. A key fact to note from this definition is that
the CCPA applies to any business that “does business in the State of
California,” not just businesses residing or incorporated in California.

The CCPA is a consumer-directed law that empowers a consumer to determine
how a business can store, retain and use their personal information. The
CCPA gives consumers a set of rights about the personal information that
businesses collect about them, and the CCPA then directs those businesses
that possess that personal information what the business can or must do
with a consumer’s personal information. It’s quite empowering for a
consumer to be able to tell a big corporation: I don’t want you to sell my
personal information or I want you to delete my personal information. The
rights of consumers and the obligations of the businesses are distinct, but
intertwined in this law: on one side are the rights of consumers, and on
the other, the obligations of businesses to comply with the directions of
their customers and consumers.

The consumer’s rights are broad and summarized generally:

- The right to request that a business that collects a consumer’s personal
information disclose to that consumer the categories and specific pieces of
personal information the business has collected;
- The right to request that a business delete any personal information
about the consumer which the business has collected from the consumer;
- The right to request that the business that collects personal information
about the consumer disclose broad categories of information, including the
categories of information it has collected about that consumer, the sources
from which the personal information is collected, the business or
commercial purpose for collecting or selling the personal information, the
categories of third parties with whom the business shares personal
information, and the specific pieces of personal information it has
collected about that consumer;
- The right to request that a business that sells the consumer’s personal
information, or that discloses it for a business purpose, disclose certain
categories of personal information to that consumer;
- The right to, at any time, direct a business that sells personal
information about the consumer to third parties not to sell the consumer’s
personal information – known as the right to opt out.

Cal. Civ. Code §§1798.100, 105, 110, 115, 120.

The challenge for businesses will be to understand the rights of consumers
and how to translate those rights and requirements into business
operations, processes and practices to ensure compliance with the law. In
the coming weeks, we’ll focus on understanding these challenges, as well as
many other provisions, including how the CCPA will impact businesses with
respect to the personal information of children under the age of 16. It is
certainly worth mentioning at the outset that penalties for violations can
be up to $7,500 per incident. Doing the math, even a small data breach of
1,000 customers could cost a business $7.5 million.


--
#BetterDataMatters - Want to meet up at RSA? Find us at Booth #6285 North
Expo.