CCPA: Worst-Case Scenarios

https://www.flickr.com/photos/oatsy40/34767677374/
“Danger” by oatsy40 from Flickr (Creative Commons License)

The new California Consumer Privacy Act went into effect on January 1, 2020. I’ve received a handful of emails and seen some updates from businesses informing me that their privacy policies have changed, but not as many as I expected. I hope the businesses who are required to comply with this law know the risk they take if they opt not to comply with this new privacy law.

What if There’s a Data Breach

As under the General Data Protection Regulation in the European Union (GDPR), you have to notify the impacted people if you have a data breach. If you have a data breach impacting personal information, you must notify the individuals “in the most expedient time possible and without unreasonable delay.” In either case, if the breach causes you to notify at least 500 California residents, you must also notify the California Attorney General’s Office.

If you are in a position where you are entrusted with data that you do not own or license, such as if you are a data storage business, and you have a breach, you must notify the business or person that hired you about the breach.

CCPA Penalties

The CCPA is unique in that it is the first privacy law to allow a private right of action. An individual is allowed to sue a company for failing to comply with the CCPA and recover $100-$750 per violation or their actual damages, whichever is more. This right is limited, however, to situations where there’s unauthorized access, theft, or disclosure of non-encrypted or non-redacted personal information because the business failed to use reasonable security measures. That means if the business did everything right and there was still a data breach, an impacted person can’t sue for their damages.

In addition to individuals suing for damages under the CCPA, the California Attorney General may fine a business for failing to comply with this law, up to $7,500 per violation.

My CCPA Cheat Sheet

Complying with CCPA is no easy task, especially if your business must comply with CCPA and GDPR. I created a CCPA Cheat Sheet that I use with my clients and update it as more information and guidelines are provided about this new law. I give my cheat sheet out for free to anyone who asks. I will not add you to my email list. (I will invite you to add yourself, but it’s completely voluntary.) If you want a copy, please send me an email.