On January 1, 2020 the State of California put into effect perhaps one of the biggest data protection laws we’ve seen thus far in the U.S. The CCPA, or the California Consumer Privacy Act, applies specifically to for-profit businesses both inside and outside the State. What does this mean for consumers and businesses?
From a consumer standpoint, expect to see some elements that have become fairly standard in similar laws:
- Consumers will be alerted as to what of their personal information will be collected by a business
- Consumers will be made aware if their personal information is going to be sold, disclosed, or distributed to others
- Consumers will have full visibility into who their personal information will be shared with
- Consumers will now have the right to opt out of having their personal information sold
- Consumers will have the option of obtaining a copy of their personal information
- Businesses will still be required to give consumers the same services and prices, regardless of whether or not they opt out of sharing their personal information
Why are these laws important? To answer that, let’s look at an example. In early 2019, the global India-based consulting firm Wipro announced that its internal IT systems had been compromised and that at least a dozen customers were impacted. Stories like this are becoming more common, and these types of breaches impact consumers and businesses alike. The Annual Cost of a Data Breach, a report sponsored by IBM Security, analyzed data breach costs across 507 organizations spanning 16 geographies and 17 industries. It estimated that the average cost of a data breach was 3.92 million (USD), with the U.S. carrying the highest average in that range at 8.19 million (USD).
Does your business have to comply? The answer to that may not be entirely straightforward. What we do know is that if your company falls into any of the categories below, you will be required to comply:
- All companies that service California residents and make at least $25 million in annual revenue
- A company of any size that holds personal data on at least 50,000 individuals or that collects more than half of its revenue from the sale of personal data
- Companies do NOT have to be based in California, or have a physical presence there, to fall under the CCPA law
- Companies do NOT have to be based in the United States to fall under the CCPA law
- Insurance institutions, agents, and support organizations are exempt, as they must already comply with California's Insurance Information and Privacy Protection Act (IIPPA)
What happens if your company does not comply? Companies will have 30 days to comply with the law once a regulator has notified them of a violation. If the violation is not addressed, the business could be fined up to $7,500 per data record. The average size of a data breach is 25,575 records, which works out to a potential fine of $191,812,500.
What data is considered “protected” under the CCPA? In addition to olfactory information, internet browsing history, and visitor interactions with websites or applications, the following is considered “personal information”:
- Personally identifiable data such as real name, alias, address, IP address(es), email address, government-issued document numbers (driver's license, passport, etc.), and other similar identifiers
- Characteristics of protected classifications under California or federal law
- Commercial information (personal property, purchase history, and tendencies)
- Biometric data
- Internet or electronic network activity
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar
- Education information that is not generally available as outlined in the Family Educational Rights and Privacy Act
- Any consumer profile created from observed consumer preferences, trends, or behavior
While these changes will create additional overhead for data stewards and data governance committees, the provisions are aimed at providing consumers and businesses with more transparency and collaboration around collected data. As we continue to see more advancements in data and analytics, and as the importance of data continues to increase, it is safe to assume that we’ll see more regulations rolling out in the near future.