Cyber threats and attacks have been evolving and increasing every year. Regulations to protect consumer data have largely failed to keep pace. The most significant – the European Union’s General Data Protection Regulation (GDPR) – went into effect in May 2018 and has become the model for data protection law.
So far, the U.S. has not passed similar rules at the federal level. However, states are beginning to take matters into their own hands. In July 2019, New York updated its data protection regulations when it passed the New York SHIELD Security Act (Stop Hacks and Improve Electronic Data Security).
California passed the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020. According to an American Bar Association post, it sets the standard higher than ever before for U.S. companies regarding data privacy regulation.
What is the CCPA?
The CCPA gives consumers the power to compel companies to disclose and/or delete all personal information they have collected about an individual. At the same time, the law expands the definition of what is considered personal information. Beyond basic contact information, it now includes: purchase history, purchase consideration, biometric, geo-location, employment and education information. It also includes browsing history and other online activity that can be tracked, as well as audio, electronic, visual, thermal, olfactory and similar information.
Under the new law, consumers who request that their personal data be deleted, or not disclosed or sold to third parties, cannot be refused service or charged a higher price for exercising those rights.
Which Businesses Must Comply with the CCPA?
All for-profit legal entities that do business in the state of California must comply with the CCPA. But you don’t have to be physically located in the state to be affected by the law. If you’re an out-of-state company that sells to California residents or even displays a website in the state, you’re subject to its regulations if you:
According to Business Insider, California now has the fifth-largest economy in the world – just ahead of the UK. As such, it’s unlikely that many companies will want to or be able to afford to give up selling products and services there.
In fact, many companies are planning to make their CCPA compliance a nationwide implementation in advance of growing interest in consumer privacy regulation elsewhere. The law could become the de facto answer to the GDPR in the U.S.
What are the Penalties for CCPA Non-compliance?
Penalties for non-compliance can become serious quickly. For intentional violations, the law provides for fines up to $7,500 per record! These are enforced by the California Attorney General. Consumers can sue, individually or in class actions, and seek penalties of between $100 and $750 if a company fails to protect consumer data through cybersecurity carelessness that leads to a breach, or otherwise fails to comply.
Fortunately, the CCPA contains a “cure” provision that gives a company that is sued 30 days to correct the breach or otherwise come into compliance.
What Are the Right Steps to Take Now and Going Forward?
With January 1, 2020 right around the corner, if you haven’t already assessed your need to comply with the California Consumer Privacy Act, get together with your legal counsel immediately to begin the process.
Even if your company is not required to comply, don’t ignore this important legislation. While California and New York have taken the lead on data privacy, it’s reasonable to expect other states will join the trend. Every company that collects consumer data can benefit from strong data protection guidelines.
Today, it’s also very important that companies get support from cybersecurity specialists to be sure that they have cybersecurity policies and procedures in place and that those are properly implemented.
Given the potential reputational and bottom line costs of data breaches, consumer data protection also protects our enterprises and the financial services industry as a whole.
Interestingly, the CCPA opens a new area of regulatory compliance. Regulated companies are accustomed to complying with complex SEC and FINRA rules, as well as to protecting personal data under the traditional definition. This new legislation signals a shift toward broadening the protection of consumer data across regulated and non-regulated businesses. Proper compliance will require a multi-disciplined approach, with technology, marketing, and legal teams working together to deliver solutions.