Cyber security incidents have become more common and the scale of these data breaches continues to grow. More than 3,800 data breaches have been publicly announced so far in 2019, a staggering increase of 54% over the past four years, according to a report by Risk Based Security.
In response to this spiraling threat, many states are drafting new legislation to help govern how organizations handle sensitive consumer data. The largest and most comprehensive consumer protection law to date was passed last year in California and this ambitious legislation—the California Consumer Privacy Act (CCPA)—goes into effect on January 1, 2020.
The CCPA includes significant changes to give consumers more control over their personal data by regulating how organizations can collect and store private information tied to their customers. And while California is the largest state in the nation—with a population of 40 million and an economy that would be the fifth-largest in the world if it were its own country—the significance of CCPA extends beyond the state. Other states, notably New York and Nevada, are now introducing their own privacy regulations that are modeled after some of the elements of CCPA.
Here are some facts about CCPA:
- It applies to for-profit businesses that have gross annual revenues in excess of $25 million, OR buy, receive, sell or share information from at least 50,000 consumers, OR derive 50% or more of their annual revenue from selling personal information;
- The law governs any information that identifies, relates to, describes or is capable of being associated with a California resident;
- The scope extends to data collected going back 12 months; and
- All companies must comply by January 1, 2020, and enforcement action will begin by the California Attorney General on July 1, 2020.
This is serious business because CCPA creates significant risks for businesses. CCPA requires that companies know their data and provides consumers with greater rights over their personal data, including: the right to know what personal information is being collected, sold or disclosed, and to whom; the right to request that the company delete their personal information; and the right to be free from retaliation for exercising any of these rights. CCPA also requires more detailed disclosures about how the company will use personal information and an option to opt out of having their information sold or provided to others for marketing purposes. Moreover, the law mandates that employers implement reasonable security measures to protect against personal data breaches.
The penalties for non-compliance with CCPA are substantial. The law provides individuals with the ability to recover damages ranging from $100 to $750 per consumer per incident for data breaches. It also allows individuals to bring class actions on behalf of other affected California residents (an “individual right of action”) that could extend this damages exposure even wider. On top of this liability, CCPA enables the California Attorney General to enforce an injunction prohibiting an employer from further processing employee data and to levy financial penalties as well: up to $2,500 for each negligent violation and up to $7,500 for each intentional violation.
On October 2, AccessData and Sheppard Mullin will co-host a free webinar on this topic for corporate risk managers, privacy officers, information governance executives and legal professionals.
AccessData will review how technology solutions can assist with CCPA compliance. Tips will include using software to: identify personally identifiable information; assist with post-breach remediation; identify and locate data using advanced search capabilities in digital investigative tools such as Quin-C; inventory the software applications installed on your organization’s computers; conduct discreet investigations and forensically collect suspect data without detection or interruption of workflow; and other techniques.
The expert speakers will discuss everything related to CCPA, including what the new law means for any organization that is collecting data tied to California residents, current areas of contention in the law, best practices and tips for complying with CCPA at your organization, and how you can leverage technology to manage data privacy. This program has been approved for MCLE credit by the State Bar of California.
To sign up for the CCPA webinar, please click here.