3 Key Points About CCPA
Standards & Regulations


By Dov Goldman, Nov 26, 2019, 3 min read

What is CCPA?


The California Consumer Privacy Act (AB 375) goes into effect on January 1, 2020 and is expected to significantly strengthen consumer privacy and control over data collection in the USA. Much as the General Data Protection Regulation (GDPR) defined data privacy in Europe, CCPA is expected to set the standard for data privacy in the USA, and other states are likely to follow California’s example.

What does your organization need to know about this significant California privacy law? Here are three important points. 

To Whom CCPA Applies

CCPA applies to businesses that collect the personal information of California residents, even if they have no offices in the state. That might sound like a narrow scope, but nearly 40 million people live in California, more than in Canada and about 12% of the US population. California also has the fifth largest economy in the world, with a GDP of more than $2.7 trillion.

In addition, CCPA only applies to for-profit businesses that meet at least one of these thresholds:

  • Have annual gross revenue of more than $25 million
  • Annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices
  • Derive 50% or more of annual revenue from selling consumers’ personal information

Not surprisingly, many businesses are expected to have to comply with CCPA. 

What CCPA Provides

CCPA grants Californians specific privacy rights over their personal data that is being used by businesses and their suppliers. These rights include:

1)  Right to know what personal information is being collected about them

2)  Right to know whether their personal info is sold or disclosed and to whom

3)  Right to say no to the sale of personal information

4)  Right to access personal information

5)  Right to delete personal information

6)  Right to equal service and price, even if they exercise their privacy rights

CCPA gives consumers a private right of action, but only for certain data breaches (discussed in the next section). All other violations are enforced by the California Attorney General, who can seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation. In both cases the business receives written notice of the alleged violation and has 30 days to cure it before an action can proceed.

The Role of Cybersecurity 

CCPA requires businesses to implement and maintain “reasonable” security procedures and practices appropriate to the nature of the personal information they hold, but it does not specify what that entails. If a breach exposes nonencrypted or nonredacted personal information as a result of a failure to maintain such measures, affected consumers can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater, and the business will have to demonstrate that its safeguards were in fact reasonable. Organizations that already strengthened their security controls in response to GDPR will likely have less to do here. Either way, a cybersecurity program should be up to par regardless of compliance requirements.

At a minimum, organizations should continuously map how personal data flows through their own systems and those of their vendors, learn promptly about every security breach and the options for mitigating it, and be able to determine quickly which personal data may have been exposed and how to respond.

Want to learn more about how Panorays can provide your company with a CCPA solution? Contact us.

Dov Goldman

Dov Goldman is Director of Risk & Compliance at Panorays. He’s a serial entrepreneur who’s been involved with third-party programs of all sizes, and is the go-to person for explaining the difference between inherent and residual risk.
