The California Consumer Privacy Act, So, Encrypt your Data

Jon McLachlan
4 min read, Jan 4, 2020

As of January 3, 2020, CCPA is law, but the regulations that spell out how to comply are still pending a final release.

CCPA took effect on January 1, 2020, but the implementing regulations for businesses are still pending an official release from California Attorney General Xavier Becerra. By statute, the Attorney General cannot bring enforcement actions until July 1, 2020, or six months after the final regulations are published, whichever comes first.

Companies have been warned, though, not to treat this window as a grace period: the obligations themselves apply now, and the private right of action for data breaches (see below) does not wait for the regulations.


Affected Businesses

CCPA applies to for-profit businesses that do business in California and collect California residents' personal information, and that meet at least one of these thresholds:

  • Annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices
  • Annual gross revenues above $25M
  • Derive 50% or more of annual revenue from selling consumers' personal information

Right to access personal data

Every Californian has the right to see what data companies hold on them. The obligation follows the consumer, not the company: a business headquartered outside California must still answer these requests for California residents.


Disclosures must also include the categories of personal data collected, the specific pieces of personal information held, the sources it was collected from, the third parties it was sold to or shared with, and what inferences the company has made about the consumer (such as inferences about behavior, attributes, psychology, intelligence, or abilities). For security purposes, companies may ask for a copy of a consumer's state-issued ID or another form of identification to verify the requester before satisfying a request; verifying identity matters, because answering an access request for the wrong person is itself a disclosure of personal data. Companies must acknowledge these requests within 10 days and are permitted 45 days to deliver.

Right to delete personal data

California residents have the right to request that a business delete the personal information it holds about them, and the business must also direct its service providers to delete it. The statute carves out exceptions, including data needed to complete a transaction the consumer requested, to detect security incidents or protect against fraudulent or illegal activity, and to debug and repair errors.


Right to opt-out of the sale of data

CCPA gives Californians the right to opt out of the sale of their personal information, and businesses that sell it must provide a clear "Do Not Sell My Personal Information" link for that purpose.

Employee data and your employer

Interestingly, the law also reaches employers. Under the AB 25 amendment, data about employees, job applicants and contractors is exempt from most of CCPA's access and deletion rights until January 1, 2021, but two obligations apply from day one: the employer must give notice of the categories of personal information it collects and the purposes for which it holds that data, and the breach liability described below covers employee records just as it covers customer records.

Parents’ rights regarding their children’s data

If a business has actual knowledge that a consumer is under 16, it may not sell that consumer's personal information without opt-in consent: for children under 13, the consent must come from a parent or guardian; for minors aged 13 to 15, the minor may consent themselves.


Consequences for Non-Compliance

When the Attorney General notifies a company of a violation, the company has 30 days to cure it. If the violation still exists after 30 days, the civil penalty is up to $2,500 per violation, or up to $7,500 per intentional violation, and each affected consumer can count as a separate violation.


Consequences for Data Breach containing Personal Data

Here’s where things get controversial.

The law gives consumers a private right of action for unauthorized access to their personal data. It is agnostic about how the data got out, whether through an insider, negligence, theft, or "disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices." As currently written, AB 375 allows statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater, and these claims can be brought as class actions. Two details matter to anyone building systems: the damages attach only to personal information that is "nonencrypted and nonredacted," and only where the breach resulted from a failure to implement and maintain reasonable security. Data that is encrypted, with the keys kept out of the attacker's reach, is outside the statutory-damages provision entirely, which is the whole point of this article's title.

For example, in the Capital One breach of July 2019, roughly 100 million records were stolen. If a comparable theft exposed 100 million unencrypted records of Californian consumers, the statutory damages alone would be $10B to $75B, or actual damages, whichever is greater.

But the controversial part is that no one seems to be able to agree on what

"maintain reasonable security procedures and practices"

actually means. Some have argued it means that businesses must encrypt sensitive data at rest and in transit. Others say it means nothing more than putting up a simple firewall.

But one thing is for sure: no one wants to be the first to find out what it means, because settling it will almost certainly require a judge, a courtroom, an army of lawyers, and a severe data-security incident. Until then, the one defense the statute names explicitly is encryption.


Jon McLachlan

Founder of YSecurity. Ex-Apple, Ex-Robinhood, Ex-PureStorage. Lives in Oakland. Athlete.