California Dreaming or Nightmare?
Although European regulators recently set the standard for data privacy under the General Data Protection Regulation (“GDPR”), the world is now focused on the U.S. and watching the state of California raise the bar to protect an individual’s right to privacy. Many firms are struggling to understand their responsibilities under the new California rules and assessing their ability to comply with what has been called the “American GDPR.”
The California Consumer Privacy Act of 2018 (“CCPA”) was originally enacted in June 2018 and then updated in September 2018. The regulation protects California residents’ personal information from unauthorized disclosure, sharing or sale. The CCPA defines “personal information” very broadly, grants consumers specific rights to control their information, and imposes specific requirements on any business that collects or sells this information.
Although California rule makers attempted to clarify the definitions and scope of the regulation, much is still open to interpretation. Organizations are working with their legal counsel both to determine whether they are subject to the regulation and to define what it requires of them.
The cost of CCPA noncompliance could be significant. In addition to fines in the amount of $2,500 per violation or $7,500 per intentional violation, the CCPA defines consumers’ rights to a judicial remedy and compensation for damages from an organization that fails to protect their data. The state of California is prepared to levy fines for violations of the rules; however, the reputational impact associated with noncompliance can cripple a business, which may outweigh any regulatory fine.
Firms that have already spent significant time and resources preparing to comply with GDPR are considering whether those efforts will also be sufficient to meet the CCPA requirements. There are many similarities between GDPR and the CCPA; however, the differences will require additional work to achieve compliance with the California regulation.
Prepare now. Know your data. Organizations subject to the CCPA will be faced with a significant task to define the risks, update data governance policies, and create controls to comply with the regulation, which takes effect six months after its publication or July 1, 2020, whichever comes first.