In June 2018, California passed a consumer privacy act that has only started to go into effect this spring (2020). The California Consumer Privacy Act (CCPA) could have a greater impact on U.S. companies than even the European Union’s General Data Protection Regulation (GDPR). CCPA compliance doesn’t include some of the most stringent requirements of the GDPR, such as the 72-hour window in which a company must report a breach. However, it takes a broad view of what constitutes private data. Learn more about what the CCPA means for your clients and how you can help them protect themselves from liability.
What Is the CCPA?
The CCPA, also known as AB 375, is a law that entitles any California consumer to see what information the company has saved on them, including any information shared with third parties. In addition, consumers can sue companies when privacy laws are violated—even when no breach has occurred.
Which Companies Are Affected By the CCPA?
All companies serving California residents that have at least $25 million in annual revenue are subject to the law. Also, any company that holds personal data on at least 50,000 people, or that receives more than half of its revenue from the sale of personal data, must comply. A company does not have to be physically located in California (or even in the U.S.) to fall under this law.
CCPA vs. GDPR and Why It Matters
Some have called the CCPA “the California GDPR” since the two overlap in some important ways. The CCPA is the first big state privacy act in the U.S., going far beyond the legislation introduced in Maine and Nevada. As stated above, it gives Californians new rights to request that businesses disclose the data they have collected and to opt out of third-party data sales.
Both the CCPA and the GDPR include the right to be informed, the right of access, and the right of deletion.
However, the GDPR focuses on how websites handle personal data, requiring prior consent from the user. That means the GDPR has specific requirements about how consent is obtained when a user is on a website. For example, scrolling on a company website isn’t considered valid consent, and companies cannot use cookie walls (which make consent a condition of accessing the website).
The main difference, then, is that the GDPR focuses on creating “privacy by default” for users from the EU, while the CCPA seeks to create transparency about the way data is being used.
Many businesses will now have to abide by the regulations of both laws because they have EU visitors on their websites, as well as customers from California.
How to Be CCPA Compliant
Residents of California whose personal information is exposed in a data breach can seek damages of between $100 and $750 per incident, even in the absence of harm. In addition, the California Attorney General (AG) can bring an action against any company violating the CCPA, with civil penalties of between $2,500 and $7,500 (depending on the intentionality of the violation).
During 2020, 27 of 89 data-breach incidents reported to the California AG have resulted in CCPA compliance litigation. Before the passage of the CCPA, the risk of being sued after a breach was 4-6%. Now, we’re seeing an increase to about 30% of reported breaches—even before the full effect of the CCPA has set in.
There are three major types of CCPA litigation:
1. Data breach
In these cases, plaintiffs seek CCPA damages after a data breach. But this applies only to certain types of data breaches. Three criteria must be met for a breach to be legally actionable:
- Personal information. The information breached must be personal information as defined by California’s data breach notification law. This is good news for companies because this law defines personal information much more narrowly than the CCPA.
- Unencrypted and unredacted. A recent amendment to the CCPA requires that the information be both unencrypted and unredacted (rather than either-or). This also narrows a consumer’s right of action.
- Negligence. The breach must have been a result of the business’ violation of the duty to maintain “reasonable security measures and practices,” though the CCPA has yet to define exactly what these are.
2. Data privacy
The CCPA doesn’t give consumers the right to sue for privacy violations. However, there has been an increasing number of complaints in which the defendant is alleged to have failed to meet a requirement of the CCPA, such as disclosing its privacy practices.
In some cases, the CCPA isn’t listed as a cause of action. Rather, the complaint is that the company committed an unlawful practice by failing to safeguard personal information. This would then violate applicable laws such as the CCPA.
ProWriters and CCPA Compliance Requirements
It’s clear that while ransomware has been one of the biggest drivers of insurance claims, state privacy statutes are the next claims trend on the horizon. California’s CCPA will change the practices of businesses across the nation, and it’s very likely that other states will follow suit with their own privacy laws as time goes on.
These laws put the burden on companies to safeguard data, install proper security practices, and demonstrate transparency about how a consumer’s personal data is being used.
If you’d like to learn more about how to educate your clients on cyber threats and liability, we invite you to download our free whitepaper, The Six-Step Guide to Becoming Your Clients’ Cyber Expert.
At ProWriters, we’re here to support you by providing our product expertise and unparalleled customer support. Try out our Cyber IQ Platform to instantly compare rates or schedule a call with one of our experts.