The California Consumer Privacy Act (CCPA): Just the basics
The California Consumer Privacy Act (CCPA) greatly expands California consumers’ rights with regard to their personal information. Because of the law’s expansive reach and the significant financial risks associated with non-compliance, companies across the globe are focused on harmonizing their operating behavior with the new requirements. For most, this is an uphill battle, as compliance creates a number of operational challenges.
The CCPA applies to for-profit businesses that operate (either physically or digitally) in California and meet at least one of the following conditions:
- Have annual gross revenues over $25 million
- Buy, receive, sell, or share personal information of more than 50,000 California consumers, households, or devices
- Derive 50% or more of annual revenue from selling these consumers’ personal information
Increased financial risk for security failures. As of Jan. 1, 2020, California consumers, including employees, are now permitted to bring lawsuits for security breaches resulting from a business’s failure to “implement and maintain reasonable security procedures and practices.” Unlike most other U.S. privacy laws, which leave enforcement in the hands of regulatory agencies, the CCPA opens the door for class-action litigation with statutory damages of $100 to $750 per consumer, per incident, or actual damages, whichever is greater.
Enhanced consumer rights: The CCPA also grants California consumers new rights with regard to their personal information. As summarized in a release from the California attorney general, the CCPA grants:
- Right to know – Consumers may request that businesses disclose what personal information is collected, used, shared, or sold by the business.
- Right to delete – Consumers may request that a business delete the consumer’s personal information held by both the business and, by extension, the business’s service providers.
- Right to opt out – Consumers may direct a business to cease the sale of the consumer’s personal information. As required by the law, businesses must provide a “Do Not Sell” information link on their websites or mobile apps.
- Rights for minors regarding opt-in consent – Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
- Right to non-discrimination – Businesses may not discriminate against consumers in terms of price or service when a consumer exercises a privacy right under CCPA.
At CohnReznick, we help our clients develop privacy programs that meet the challenges of CCPA compliance. Our services include:
- CCPA readiness assessment
- Security assessment and program development
- Privacy strategy and governance
- Vendor risk management
- Consumer request fulfillment program
- Development of policies and procedures
Press ReleaseCohnReznick earns CMMC Third-Party Assessment Organization AuthorizationThe C3PAO designation allows CohnReznick to assess Department of Defense contractors seeking CMMC compliance under the joint surveillance voluntary assessment program or as soon as the CMMC rule is finalized.
Insight6 keys to a future-ready enterprise risk management (ERM) programMaurice L. Crescenzi, Jr., Bhavesh VadhaniAn optimized ERM program is critical to bringing your organization into the future. Ready to move yours forward? Download our infographic.
InsightCMMC compliance process: What to expect and five steps to takeBhavesh Vadhani, Daryouche BehboudiCohnReznick is sharing our accreditation journey to offer lessons learned and insights into what DoD contractors can expect on their journey to CMMC compliance. Learn more
InsightSEC proposes new rules on public company cybersecurity incident reporting, risk management disclosuresBhavesh VadhaniPublic companies could face a tight new timeline for disclosing material incidents, plus mandates to detail how they manage cyber risk. Read more.
InsightNew law requires ‘critical infrastructure’ organizations to report cybersecurity incidents, ransomware paymentsBhavesh Vadhani, Daryouche Behboudi, Deborah NitkaThe Cyber Incident Reporting for Critical Infrastructure Act requires certain entities to report attacks within 72 hours, ransomware payments within 24.