Q: I keep hearing about various data privacy regulations being passed, but my company does not do business overseas. Should I still be thinking about doing anything, and if so, why?
A: Yes, absolutely! The General Data Protection Regulation (GDPR) that took effect in May arguably has gotten the most press because of its global reach and implications. But just because your business doesn’t operate on a global scale doesn’t mean that you shouldn’t be proactive in addressing data privacy and/or cybersecurity issues.
First and foremost, Ohio approved legislation last year that will provide a legal incentive for businesses with a cybersecurity program meeting certain criteria. Because data breaches and cybersecurity issues have unfortunately become a matter of when, rather than if, the smartest thing you can do is make sure your company has a plan in place. And if you already have a plan in place, make sure you set aside time annually, at a minimum, to review and update it in order to ensure compliance.
Ohio isn’t the only state taking measures to address data privacy and cybersecurity issues, however. California also passed legislation, the California Consumer Privacy Act of 2018 (CCPA), at the end of June. This new regulation, which is the first major data privacy law passed in the United States, will formally take effect on January 1, 2020. The CCPA gives “consumers” – defined as natural persons who are California residents for tax purposes – several key rights with respect to their personal information:
- The right to know what personal information a business has collected on them, how it was collected, what it is being used for, and whether it is being disclosed or sold, and to whom;
- The right to “opt out” of having a business sell their personal information to a third party; and
- The right to have a business delete their personal information entirely, subject to some exceptions.
So why is the CCPA worth paying attention to? First, because it will affect an estimated 500,000 small to medium U.S. businesses – many of which may not fall under the GDPR’s reach. Second, because California historically has been the first state to address privacy issues. In 2002, it became the first state to require notifications of data security breaches, and in 2004, it passed the first law requiring websites to have privacy policies. In other words, the CCPA could well be the first of many state data privacy laws, or could even start the conversation on establishing national privacy legislation; it is a strong indicator of things to come.
Though the CCPA has been compared to the GDPR, don’t assume that being in compliance with GDPR means your company automatically complies with the CCPA – the two laws are not all that similar. For example, the CCPA defines “personal data” much more broadly, gives California consumers greater rights to access their personal data, and is stricter on data sharing for commercial purposes.
As things currently stand, the CCPA will apply to for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and (1) earn $25 million or more in annual revenue; or (2) hold the personal data of 50,000 or more California residents, households or devices on an annual basis; or (3) obtain at least half of their revenue from selling the personal data of California residents.
Penalties for noncompliance with the CCPA are divided into two categories: intentional and unintentional. Intentional violations are subject to a $7,500 fine per violation; unintentional violations are subject to a $2,500 fine per violation. Additionally, companies could be ordered in civil lawsuits to pay statutory damages of between $100 and $750 per California consumer and incident, or actual damages – whichever is greater – on top of any other court-ordered relief.