August 7, 2018

Last Updated on January 12, 2024

The State of California, the fifth largest economy in the world, has just enacted the most far-reaching consumer privacy legislation in the US—giving citizens more control over how companies share and sell their personal data.

What could this new law mean for your business?

Meet the California Consumer Privacy Act of 2018 (CCPA)

While it only protects California consumers, California Assembly Bill 375, called the California Consumer Privacy Act of 2018 (CCPA), has the potential to impact how companies across the US and even worldwide collect and use personal data. This is because most firms doing business with California citizens won’t benefit from maintaining separate sets of privacy protections for Californians and for everyone else.

How Does This Legislation Affect Businesses?

Besides forestalling added business process complexity, moving towards CCPA-compliant protections for all consumers better positions organizations as other states, or even the US federal government, enact similar legislation. This approach also supports compliance with international privacy legislation like the EU’s GDPR.
The new law compels businesses to disclose to individuals on request what personal data they’ve collected, why they have collected it and who they’ve sold it to. Similar to the GDPR’s “right to be forgotten,” it also gives consumers the right to demand that companies delete their data, as well as tell them they can’t sell or share it. Special protections apply to children under 16.
The CCPA also gives California’s attorney general more authority to fine violators (up to $750 per consumer per violation). Further, in the event of a data breach it empowers consumers to sue firms that failed to implement “reasonable security procedures and practices appropriate to the nature of the information…”

Who Must Comply?

Any firm anywhere that collects or sells California citizens’ personal data is subject to the CCPA if it meets one of these three criteria:  

  • Earns $25 million or more in annual revenue; 
  • Sells 50,000 consumer records in a year; and/or 
  • Derives 50% or more of its annual revenue from the sale of personal information.

What You Need to Do

If your company fits the above profile, you should begin analyzing how you collect and use personal data, including what categories of data you collect, how you use it and with whom you share or sell it. This will facilitate responses to initial consumer requests, while helping your firm address not just this mandate, but others that are very likely to follow.
The global debate over privacy continues to heat up, and consumers are becoming both more concerned and better informed about the issues. About 80% of Californians approved of a proposed ballot initiative that gave rise to the CCPA.
To connect with experts about how best to position your business to successfully negotiate these changes, contact Pivot Point Security. 
Also, check out Part 2 of this post here: California’s New Privacy Law Means US Firms Can’t Delay Privacy Initiatives Any Longer (Part 2)

For more information on CCPA:

ISO 27001

ISO 27001 is manageable and not out of reach for anyone! It’s a process made up of things you already know – and things you may already be doing.
Get your ISO 27001 Roadmap – Downloaded over 4,000 times