02/20/2020

The California Consumer Privacy Act (CCPA): Just the basics

    California Consumer Privacy Act (CCPA)

    The California Consumer Privacy Act (CCPA) greatly expands California consumers’ rights with regard to their personal information. Because of the law’s expansive reach and the significant financial risks associated with non-compliance, companies across the globe are focused on harmonizing their operating behavior with the new requirements. For most, this is an uphill battle, as compliance creates a number of operational challenges. 

    Which companies are regulated under the CCPA?

    The CCPA applies to for-profit businesses that operate (either physically or digitally) in California and meet at least one of the following conditions:

    - Have annual gross revenues over $25 million

    - Buy, receive, sell, or share personal information of more than 50,000 California consumers, households, or devices

    - Derive 50% or more of annual revenue from selling these consumers’ personal information

    What are the important elements of CCPA compliance?

    Increased financial risk for security failures. As of Jan. 1, 2020, California consumers, including employees, are now permitted to bring lawsuits for security breaches resulting from a business’s failure to “implement and maintain reasonable security procedures and practices.” Unlike most other U.S. privacy laws, which leave enforcement in the hands of regulatory agencies, the CCPA opens the door for class-action litigation with statutory damages of $100 to $750 per consumer, per incident, or actual damages, whichever is greater. 

    Enhanced consumer rights: The CCPA also grants California consumers new rights with regard to their personal information. As summarized in a release from the California attorney general, the CCPA grants:

    Right to know – Consumers may request that businesses disclose what personal information is collected, used, shared, or sold by the business.

    Right to delete – Consumers may request that a business delete the consumer’s personal information held by both the business and, by extension, the business’s service providers.

    Right to opt out – Consumers may direct a business to cease the sale of the consumer’s personal information. As required by the law, businesses must provide a “Do Not Sell” information link on their websites or mobile apps.

    Rights for minors regarding opt-in consent – Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.

    Right to non-discrimination – Businesses may not discriminate against consumers in terms of price or service when a consumer exercises a privacy right under CCPA.

    How to prepare

    At CohnReznick, we help our clients develop privacy programs that meet the challenges of CCPA compliance. Our services include:

    - CCPA readiness assessment

    - Security assessment and program development

    - Privacy strategy and governance

    - Vendor risk management

    - Consumer request fulfillment program

    - Development of policies and procedures

    Subject matter expertise

    • Bhavesh Vadhani
      Contact Bhavesh Bhavesh+Vadhani bhavesh.vadhani@cohnreznick.com
      Bhavesh Vadhani

      CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

      Go to Bio
      • Close

      Contact

      Let’s start a conversation about your company’s strategic goals and vision for the future.

      Please fill all required fields*

      Please verify your information and check to see if all require fields have been filled in.

      Please select job function
      Please select job level
      Please select country
      Please select state
      Please select industry
      Please select topic

    Related Insights

    Tech logos illustrating cybersecurity
    Insight

    New SEC cybersecurity guidelines: Next steps for public companies

    GCS_Federal-Agencies-Cybersecurity_web-banner
    Insight

    Federal agencies face complex cyber compliance – but relief is underway

    shadows of people as coworkers/employees discussing and interacting with each other with a blue colorwash
    Insight

    Practical Infrastructure: A blueprint for program management success

    Image illustrating cybersecurity SEC rules
    Insight

    Today’s boards need cyber expertise more than ever

    transaction private equity
    Insight

    Zero Trust 2.0: Strengthening security for a shifting threat landscape

    Related services

    This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP or its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.