The California Consumer Privacy Act (CCPA) was passed in 2018 and signed by Governor Jerry Brown, with the aim of giving consumers control over how their personal data is shared with, accessed by, and deleted by third parties. The law went into effect in January 2020, and the Attorney General will begin enforcement action in July 2020. It will impact any business that has clients in California, not just companies that are headquartered there.
An obvious example of a company that leverages personal data for profit is Facebook. It delivers a free social media platform and in turn collects large amounts of data: addresses, friends, affiliations, phone numbers, and so on. Facebook has been highlighted in the media due to 2018’s election scandal, in which Cambridge Analytica apparently leveraged consumer data from Facebook to assist with campaigning.
What does this mean for businesses?
Any business with customers or clients who reside in California (population 39.5M) will have to comply with these regulations. This will require massive overhauls of how businesses operate, so it will be disruptive. If your company falls into any of these categories, you must start making adjustments:
Any company in the $25M+ range is slightly more than a small business and should already have some data governance in place. These companies will have to follow an outline, put measures in place, and be able to prove that they are complying with the regulation. The measures look back 12 months, so in theory, companies should have started this in 2019.
What types of measures are required under CCPA?
Data can be leveraged by many different departments within an organization, but it generally becomes an issue for IT, Security, and Compliance Officers. Businesses are being asked to have “reasonable” security measures in place to demonstrate a CCPA-compliant operation. These requirements are similar to other regulatory requirements, where the business is basically being asked to cover its butt in the case of a lawsuit. A lawsuit would be enabled by negligence that caused harm.
Other practices that may help include Multi-Factor Authentication, Data Encryption, and Fraud Alerting. The list can go on and on, but the threat landscape, combined with compliance pressure, will almost certainly drive businesses to be more responsible.
What specific data is covered under CCPA?
There is a specific outline that sets out what types of data fall under CCPA.
What are the associated penalties for not complying with CCPA?
A class action lawsuit will cause the most financial damage for a business. A lawsuit would arise in the event that non-encrypted or non-redacted personal information is breached. The defending business would have the burden of proving that best practices were followed, and it could prove this with a log trail. There are also defined regulatory penalties. The maximum penalty under the CCPA is $7,500 and is reserved only for intentional violations of the CCPA. Others, who lack specific intent, will be subject to a smaller $2,500 fine.
How can Mindcentric assist with CCPA?
Mindcentric works with clients to establish an ITIL-defined IT operation with a full suite of security measures. Our team has worked within regulated industries since 1999, delivering fully secure and compliant IT solutions. Mindcentric’s core operation is headquartered in San Diego County and serves clients across the globe.