With 2019 coming to a close and the CCPA deadline for compliance a couple of days away, we wanted to revisit the law and some last-minute details to make sure that you are prepared for 2020.
Does your organization need to comply with CCPA? Not all companies will find that they fall under the definition provided. The law specifies that businesses that do business in California, regardless of their headquartered location, and meet any of the following criteria must comply:
For a recap of how to prepare, revisit our blog where we discuss how to make sure your relationships with third party data complies with CCPA. Some steps that organizations can take to understand how to handle vendor relationships and prepare for CCPA are summarized below:
If you were hoping to wait until 2020 to see how CCPA unfolds in the new year, you may want to reevaluate and take steps to prepare quickly.
December has made it clear that California will not be taking the CCPA lightly. In response to requests to postpone the CCPA deadline, Attorney General Xavier Becerra said in an interview with Reuters, “We will look kindly, given that we are an agency with limited resources, and we will look kindly on those that … demonstrate an effort to comply. If they are not (operating properly) … I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.”
With that bold statement and the announcement for the proposed California Privacy Rights Act, California is making a prominent display of just how seriously data privacy rights will be taken by the state, leading the way in this space.
One of the interesting pieces of the CCPA, and one that businesses need to be keenly aware of, is consumer’s Private Right to Action. In the new year we will be looking to see how California residents may exercise this right, what if any lawsuits may unfold, how companies will be responding, and the fines that will be paid. These lawsuits may originate from instances where their “non-encrypted or non-redacted personal information” is breached, or if they feel that their data has not been handled according to accepted agreements. Under the CCPA, consumers can collect between $100 and $750 for each event. If the damages are greater than $750, then the consumer may receive even more.
This all means that California is taking this law very seriously. If you would like more insight into CCPA, take a look at our previous series on the topic here. We at Validity will continue to keep you updated on the ever-evolving data privacy space and wish you a Happy New Year!