California Consumer Privacy Act (CCPA): The essentials…
The California Consumer Privacy Act (CCPA) is a data privacy law effective January 1, 2020. The data security framework and regulations apply to any “business” – regardless of location – that collects “personal information” from residents of California.
Essentially, if you don’t implement and maintain reasonable security procedures and practices against the unauthorized access, theft, or disclosure of personal information, and you then experience a data breach, you can reasonably expect to be fined and entangled in a civil lawsuit. A reasonable minimum cost calculation is $100 multiplied by the number of customer records breached or disclosed PLUS fines and attorney fees.
CCPA covers any data related to customers, including individual consumers and entities, plus vendors and employees.
A business can be fined up to $2,500 for each violation by the state (California) or $7,500 for each intentional violation. Additionally, consumers (individually or in a class action) can recover a minimum of $100/consumer/incident and the greater of $750/consumer/incident or actual damages/consumer/incident PLUS any relief the court deems appropriate.
A “business” is defined as any one or more of the following:
- Has gross revenues over $25,000,000
- Buys, sells, receives, and/or shares personal information for 50,000 or more consumers, households, and/or devices. If you collect personal information via any method, it would be prudent to assume that this is considered “receives”. Interestingly enough, the lawmakers carved themselves out of this requirement by excluding political activities from its effect, so if you are part of a political effort you get a pass – refer to the full language for a complete understanding: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121
- Derives 50% or more of its revenue from selling consumer personal information
“Personal information” is defined as:
Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
For the full text of the CCPA please visit: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121
DriveStrike is one of several reasonable security measures and is very affordable at less than $1 per device per month for businesses protecting at least 26 devices. See https://drivestrike.com/pricing/ for full details on our pricing plans and subscription options.