On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) is set to go into effect, and many businesses must get ready to comply. The CCPA is the most comprehensive privacy law in the U.S. Complying with the law can be an asset for any organization as privacy is a top concern for consumers.
The CCPA comes on the heels of the European Union’s response to growing concerns about privacy protection. The EU General Data Protection Regulation (GDPR) took effect in Europe in 2018. The CCPA has directives similar to those of the GDPR. While the GDPR regulates all organizations across the globe that provide goods and services to consumers who reside within EU countries, the CCPA regulates all organizations that have data for consumers who live in California.
On October 10, 2019, the California Department of Justice released the long-awaited draft regulations of the CCPA. Here are the key points:
How the CCPA protects consumers
The CCPA provides consumers with the right to:
- Know what personal information is collected, shared, and sold
- Have personal information deleted by businesses
- Opt out of the sale of personal information to second and third parties (Children under 16 must provide opt-in consent.)
- Non-discrimination in terms of price and service
The CCPA applies to the following businesses:
A business must comply with additional regulations to ensure consumers are afforded their rights under the CCPA if at least one of the following is true. The business:
- Has more than $25 million in gross annual revenue
- Shares, sells, buys, or receives for commercial purposes the information of at least 50,000 consumers, devices, or households
- Derives at least 50 percent of its yearly revenues from selling consumers’ personal information
If you’re a business that’s required to comply:
Penalty levels for non-compliance are based on a company’s worldwide revenue. You’ll want to assess your organization’s appetite for risk. But you’ll also want to consider the long-term value to your brand in terms of being a good citizen and practicing the most ethical standards in service to your customers. The cost of updating your systems for CCPA compliance is probably worth the long-term value.
If you run an older company, your consumer systems were likely built way before modern-day privacy issues were top of mind. In this case, you’ll want to assess whether your databases should be updated (using the power of manual process and an army of rules) or replaced entirely with a modern (and potentially costly) system.
If you’re a smaller business that’s starting to build its customer database:
If you are a newer, smaller business, you can benefit from your lack of historical data. You have an opportunity to be a good steward at the outset and embrace CCPA-compliant systems, which can also integrate potentially stricter cyber and privacy requirements in the future. If you do it right, CCPA can be a boon for your organization, particularly in today’s age of consumer mistrust.
Remember: If you maintain data of EU residents, you’ll want to apply the even stricter privacy guidelines of the GDPR to your cyber operations. When in doubt, you should follow the more stringent of the two regulations—the GDPR.
For more details about the CCPA, including how it compares to the GDPR, see the CCPA factsheet published by the California Department of Justice.
The ability to connect with customers on a digital plane creates new opportunities and innovation, and it also comes with great responsibility. Protecting consumer privacy from digital theft and misuse is arguably one of the most significant business challenges of our time. Luckily for us, there’s insurance.
There are quite a few permutations of cyber insurance. The solution that’s right for your business depends on several factors, including how you store your data, and if you engage in eCommerce, send mass marketing emails, or sell consumer data to third parties.
For information about a cyber insurance program that can protect your business from risk, contact your Newfront representative.
The information provided is of a general nature and an educational resource. It is not intended to provide advice or address the situation of any particular individual or entity. Any recipient shall be responsible for the use to which it puts this document. Newfront shall have no liability for the information provided. While care has been taken to produce this document, Newfront does not warrant, represent or guarantee the completeness, accuracy, adequacy, or fitness with respect to the information contained in this document. The information provided does not reflect new circumstances, or additional regulatory and legal changes. The issues addressed may have legal, financial, and health implications, and we recommend you speak to your legal, financial, and health advisors before acting on any of the information provided.