If your company is like many of our SMB/SME clients, GDPR was a short-lived event.
You heard about the regulation, kicked off a GDPR project, realized how significant the work effort was and how limited the likelihood of an action against your organization was, and went back to business as usual.
For many of our clients, we were part of that conversation and largely in agreement. At first blush that might sound odd—but we are in the business of helping clients manage information-related risk, and ignoring GDPR was often the right call.
Evaluating GDPR Business Risks
Risk is the product of impact (the cost if the risk is realized) and probability (the likelihood that it is realized). For GDPR:
- The Impact is defined by the law and is very significant. Fines are the greater of 2-4% of your annual revenue or roughly $11-$22 million (depending on the severity of the non-compliance). Based on impact alone, we clearly should have paid attention to GDPR.
- The probability that the risk would be realized was, for most of our SMB/SMEs, very, very low. Most hold the PII of a very small number of EU residents, which significantly decreases the chance of a claim by a European Data Protection Agency (DPA). Most of our clients’ EU resident data is also limited to just a name and a business email address, which further reduces the likelihood of a claim (relative to B2C PII). Further, it was widely acknowledged that it was questionable whether a DPA would have the authority and jurisdiction to enforce GDPR against a US company with no employees or offices within the boundaries of the EU. So, based on probability, which most thought approached 0%, we should have been largely unconcerned about GDPR.
So ignoring GDPR was good business: the near-zero probability of sanctions lowered the risk to a point where the cost and effort to comply wasn’t justifiable.
Unfortunately, I don’t think that risk equation is going to work out the same for anyone who has the PII of Californians.
Evaluating California Consumer Privacy Act (CCPA) Business Risks
- The impact of CCPA is defined as fines of up to $2,500 per violation or $7,500 per intentional violation. Notably, it places no cap on the total amount of fines. So, if you ignore the California Consumer Privacy Act (CCPA) and you have a breach that impacts only 1,000 Californians, you are on the hook for $7.5 million in fines and likely several million dollars more for legal fees, reputational damage, customer loss, etc. Based on impact, you should pay attention to CCPA.
- The probability that the risk would be realized is likely moderate to high for most SMB/SMEs holding the PII of Californians. A recent Vanson Bourne study of 850 SMBs (10-1,000 employees) noted that 64% of them had sustained a cyber-attack in the past year. As 62% also cited that they “lack the skills to deal with security issues,” it is logical to conclude that many of those attacks would have resulted in access to PII. Further, enforceability isn’t in question—the California Attorney General will have no obstacles in filing suit against any US-based business. So, based on probability, you need to pay attention to CCPA.
That is why I posited that ignoring CCPA will be bad business for most organizations: the impact is very high, and the probability is moderate to high.
Assuming you agree (and with my power of persuasion and use of logic and statistics, why wouldn’t you?), you need to determine whether CCPA applies to your organization.
CCPA applies to for-profit entities that both collect and process the personal information of California residents and do business in the State of California. However, a physical presence in California is not a requirement.
Additionally, the business must meet at least one of the following criteria for the CCPA to apply:
- The business must generate annual gross revenue of more than $25 million,
- The business must receive or share the personal information of more than 50,000 California residents annually, or
- The business must derive at least 50% of its annual revenue from selling the personal information of California residents.
The good news is that these criteria notably reduce the number of companies to which CCPA applies.
The bad news is that even if you don’t meet these criteria, it is likely still worthwhile for you to comply with the CCPA.
Unfortunately, GDPR was just the first of what is going to be a tsunami of privacy regulations. Brazil (LGPD), Mexico (FDPL) and California (CCPA) quickly followed up with very similar PII regulations. Dozens of countries and states are working on similar regulations that will go into effect over the next few years.
So, as we move forward, the likelihood that your organization will need to comply with one or more of these PII regulations approaches the certainty of death and taxes.
Hope you didn’t read this blog post looking for good news…