It’s understandable that people are interested in locating, locking down and establishing ownership of their personal data. Beyond unwittingly serving as the main profit driver of many companies and being at risk when held on poorly protected information technology infrastructure, personal data stored by companies is also susceptible to government subpoena.
Increasingly, efforts to define consumer rights over personal data are resulting in new laws and regulations, including the European Union’s General Data Protection Regulation (GDPR), the Delaware Data Breach Law and the California Consumer Privacy Act of 2018 (CCPA). The CCPA went into effect on January 1, 2020, with enforcement beginning midyear, giving law firms and other organizations little time to ensure they and their clients are compliant. California’s attorney general is actively formulating regulations to enact the CCPA. These rules will help guide businesses in applying the law to their activities.
The CCPA of 2018 broadly provides California citizens the rights to know what personal information a business has collected, sold or disclosed about them; to learn to whom their information was given; to access their information; and to opt out of its sale.
Businesses failing to comply with the law’s provisions face financial penalties that start small but quickly add up.
DOES THE CCPA APPLY TO ME?
Many small- to medium-sized businesses will be exempt from the CCPA because they don’t trade in consumer data as a main course of business and don’t meet the minimum revenue threshold. Nonetheless, it’s important that business owners consult with their legal professionals to discuss possible areas in which compliance with these new regulations may be necessary.
The rules also require that businesses planning to sell consumer information give notice of that plan at the time they collect the information from their customers.
The CCPA applies to businesses engaged in collecting, processing, sharing or selling Californians’ data if:
- They gross over $25 million in revenue annually; or
- They (solely or in combination with others) deal with the personal information of 50,000 or more consumers, households or devices; or
- They make over 50% of their revenue from the trading of consumer data.