If your organization collects, stores, and/or sells personal information about California residents, it has hopefully completed its preparations for the California Consumer Privacy Act (CCPA), which took effect January 1. This law is intended to provide Californians with the ability to know and control specifically what types of personal information companies collect about them. For the purpose of the CCPA, personal information includes things like names, addresses, phone numbers, e-mail addresses, and demographic and biometric information. Information found in public government documents, however, is exempt.
Slightly complicating this matter is that the Office of the California Attorney General is still in the process of reviewing and finalizing the regulations that will be used to enforce the law. It has committed to publishing the specific regulations on or before July 1, 2020, so there is a chance that the shape of the law will change between now and then.
But for now, companies must give California residents a way to determine what personal information is collected about them, give them a way to erase (or request erasure of) any information they don’t want the company to have, and also opt out of having their information sold by the company to a third party.
So, who does this affect? A company needs to comply with the CCPA if it does business in California, collects personal information about California residents, and also satisfies one or more of the following conditions:
- Annual gross revenues of at least $25MM
- Possess personal information of 50,000 (or more) residents
- Earn more than half of annual revenue from selling consumers’ personal information
For companies that need to comply, there are no specific technical requirements (encryption, segmentation, etc.), per se. Just that the company has to “implement and maintain reasonable security procedures and practices.” Companies can be fined $2,500 per violation, or $7,500 if the violation is found to be intentional.