Doing Business in California? You Better Be Ready for The CCPA

The California Consumer Privacy Act (CCPA) goes into effect later this Wednesday, January 1, 2020, and if you have any customers that reside in California, you need to take steps now to protect the privacy of any sensitive information you collect on them. Fail to do so, and your business faces potential fines as well as embarrassing and costly consumer lawsuits.

If this reminds you of the General Data Protection Regulation (GDPR), the privacy compliance regime that the European Union (EU) began enforcing last year, it should: both mandates spring from a desire to protect the private data of individuals in a world where businesses have been careless with it – if not downright ruthless in exploiting it for profit.

The good news is that if you’ve already stepped up your data privacy game for GDPR, you’re already on the path to achieving CCPA compliance, although some terminology and requirements differ.

The two are alike in that both give consumers much greater control over their personal data, and incent companies to do a better job of protecting it. Thus, CCPA empowers every California resident to request that any company that collects personal data on them to give them access to that data, provide them a copy of it, delete some or all of it, and stop selling it to other companies.

But CCPA goes further than GDPR in a few important respects:

1. Consumers have the right to sue companies for monetary damages if their personal data is abused, whereas GDPR uses hefty regulatory fines as its big stick to make companies comply.
2. CCPA also worries about the potential abuse of metadata, and so it requires companies to not only let consumers look at personal data, but explain how it is being categorized, where it comes from, and who it’s being sold to. Further, if a company is able to expand a consumer’s profile by making inferences about the individual (say, by looking at offline data to draw conclusions about an individual’s income or buying preferences), the consumer is entitled to access and control that information, too.
3. CCPA doesn’t give companies as much wiggle room as GDPR on how they are supposed to comply with various provisions of the law. For instance, CCPA explicitly says that businesses under its jurisdiction must put a “Do Not Sell My Personal Data” button on their homepage.

GDPR casts a wider net over which companies it applies to: in essence, if you have at least one customer who’s an EU resident, you have to comply. By contrast, CCPA only applies to companies that earn at least $25M/year in revenue, or collect personal data on at least 50,000 individuals, or derives more than half their revenue from selling consumer personal information. (That still covers a lot of businesses.)

There are also differences between the two in choices of bureaucratic jargon. For example, GDPR calls the main objects of its protection “data subjects” while CCPA calls them “consumers”. CCPA doesn’t make as fine a distinction between GDPR’s “controllers” and “processors” of personal data, but the law still covers that distinction conceptually. In any event, it’s not hard to map the two glossaries.

Further, just as prepping for GDPR will make your CCPA burden lighter, achieving CCPA compliance now will likely help you down the road with similar regulations currently being considered by at least a dozen other US states. (US federal privacy regulations that would likely supersede state-level measures are also under consideration, but would likely be less consumer-friendly.)

Where Acronis can help is with the CCPA’s requirements that businesses take reasonable security measures to protect personal data. We can help by improving your cyber protection infrastructure and services with the following capabilities:

• Fast, flexible, simple backup of personal data. This will enable you to restore the data you are required to protect in the event of a data loss incident due to natural disaster, malware attack, hardware failure, IT staff errors, etc.
• Protection against the most pervasive malware threats that threaten access to personal data, notably ransomware attacks.
• Strong, automated data encryption both in storage, backups, and in transit over networks to protect personal data from theft, tampering or destruction.
• Data search inside backups. This makes it easier to honor personal data access requests; you can search backup copies without touching live production systems.

The deadline for CCPA compliance is here, and the penalties for non-compliance are non-trivial. You need to know how it strengthens and broadens the definition of individual privacy rights. You need to familiarize yourself with its new terminology to understand your place in the framework – and start ensuring compliance by improving the reliability and cybersecurity of your data protection infrastructure.

As the GDPR experience reminds us, California regulators will likely be looking for high-profile violators early on to set an example for the rest of us. Take steps now to make sure you avoid that humiliating and expensive fate.

Note that this blog post is for informational purposes only. It is not intended to and should not be relied upon or construed as legal advice. You should not act or refrain from acting on the basis of any content in this essay without seeking legal or other professional advice.