Starting January 1, 2020, the California Consumer Privacy Act (CCPA) will enhance privacy rights and consumer protection for residents of California, one of the most populated states in the United States. Companies that don't comply risk consumer backlash, hefty fines, and possible lawsuits. This new law is a pretty big deal, but luckily we can help you work through it.
What Is the CCPA?
The CCPA allows any California consumer the right to see all the information a company has saved on them. It also gives Californians the power to request a full list of all the third parties that their data is shared with. Additionally, it allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.
Consumers also have the freedom to opt-out of the sale of their data and must not be discriminated against for doing so. For example, consumers cannot be charged different prices or rates for exercising their CCPA rights.
Who Does the CCPA Apply To?
The CCPA applies to companies that collect personal information of California residents, do business in California, and:
- have annual revenues of $25 million or more;
- hold personal data on at least 50,000 people, regardless of company size; or
- derive 50% or more of their revenues from the sale of personal data.
Companies don't have to be based in California or have a physical presence there to fall under the law. They don't even have to be based in the United States to be affected by it.
Does the CCPA apply to nonprofits?
In most situations, nonprofits won't be impacted by the new law. However, there are a few stipulations that will force some nonprofits to comply. Here's what you need to know.
While the CCPA generally does not apply to nonprofit entities, it would apply to a nonprofit that
- controls or is controlled by a for-profit entity subject to the Act;
- operates under a brand name it shares with a for-profit entity (e.g., a co-branded corporate foundation);
- enters a joint venture with a for-profit entity subject to the Act; or
- contracts with an entity through an agreement that requires compliance with the CCPA.
If your nonprofit falls into any of these categories, you should pay close attention to the requirements of the CCPA. But even if it doesn't, the law systematizes the general privacy principles individuals have come to expect from those collecting and using their data. So to be safe, it would be good practice for all nonprofits to consider processes and policies that reflect these principles.
California Consumer Privacy Act vs. GDPR
The CCPA lacks some of the General Data Protection Regulation's (GDPR) most demanding requirements, such as the narrow 72-hour window in which a company must report a breach; however, in many ways it goes even further.
The GDPR grants consumers the right to object to direct marketing and to restrict the processing of their data, while the CCPA grants consumers the right to object to the sale of their data.
Being GDPR compliant doesn't necessarily mean you are CCPA compliant. However, if you already took steps needed to comply with the GDPR, you might have already met some of the CCPA requirements.
What Is the Cost of Non-Compliance?
In addition to the PR nightmare that could follow non-compliance, companies can face a civil penalty of up to $2,500 per violation and up to $7,500 per intentional violation. This means that if you violate the CCPA-guaranteed right of just 100 users, you could be fined up to three-quarters of a million dollars.
Companies have 30 days to comply with the law once regulators notify them of a violation. If the issue isn't resolved, companies will be met with a fine of up to $7,500 per record. The cost of these fines could rack up exceptionally quickly.
The bill also gives individuals the right to sue for the first time, and allows class action lawsuits, if companies don't comply within the 30-day grace period.
How BizStream and Kentico Can Help with CCPA Compliance
This can all seem very daunting, but fortunately, Kentico provides functionality that helps clients comply with the CCPA, and our team knows exactly how to implement it. To facilitate compliance with various privacy laws, you can leverage the Data Protection application. However, these features still require exact knowledge of how your company gathers, processes, and stores personal data. Our team can help implement the functionality based on the specifics of your website and the legal requirements you want to fulfill.
Fear not, we're here to help! Contact us here to get started!