In the first installment of our series on CCPA, Jenna Waters offered a breakdown of the coming law, and its general implications on privacy in the US. In Part II, we introduce the more statistical aspects of the law and what impact, if any, the CCPA's defined ranges and amounts will have from organization to organization.
With the 2020 deadline fast approaching, many companies are scrambling to understand the legislation behind CCPA and how it will affect their organizations. To help our audience get a closer look at this act, we will be touching on the critical information associated with it. Like I did, you may find yourself thinking that there is a lot of ambiguity around the CCPA and what some of the legislation actually entails, so to help make sense of confusing and sometimes seemingly contradictory information, I offer you my thoughts alongside the overview of this legislation.
What the CCPA's Effective Date Means
To begin, the date to mark on your calendar is January 1st, 2020, the day the California Consumer Protection Act takes effect, and the day by which organizations that fall under its requirements need to comply. In addition to this date, there is a small grace period of 6 months after the final regulations have been published (or July 1st, 2020, whichever comes sooner). However, this grace period only limits when California's attorney general, Xavier Becerra, can act upon violations, and a bill has already been introduced to amend the grace period, allowing the attorney general to act on violations from day one of CCPA. This is just one example of the confusion around an as-yet unsettled and untested law.
Potential Impact to Your Pocketbook
Understanding the deadlines associated with CCPA is important because the fines could get astronomical very quickly. For starters, violations deemed unintentional can face penalties of up to, but no more than, $2,500 per violation. For violations considered intentional, fines of up to, but no more than, $7,500 per violation could be levied upon the business. This may sound somewhat mild, and it may be if a "violation" is interpreted to cover an entire breach. However, "per violation" is not well-defined in the legislation. It is unclear at this point what judges will interpret as a violation, and whether all the violations in a single incident will be bundled together. Personally, I believe it is unlikely that violations would be bundled together, because $2,500 or $7,500 for a potentially massive incident is nothing to most big companies, so it really would not be punitive. In fact, it would be almost pointless, because large organizations would simply ignore CCPA if all they had to do was pay a few thousand dollars. Looking at other, similar privacy laws and the trend in breach fines, it is more likely to be assessed per record, with each record counting as an individual violation. We will see.
Consumer Rights Under the CCPA
With our focus typically falling squarely on organizations as they relate to the growing book of privacy laws, it is good to remember that consumers are not left out of the spotlight when it comes to legal action. From the other side of the aisle, any consumer whose rights are violated may take civil action to recover damages in an amount of no less than $100 and no greater than $750 per consumer per incident. While that is a small number for a single consumer, it supports the trend of aggregate damage-seeking. In other words, if a number of consumers team up, they have the ability to punish the offending organization together. At the same time, having a per-consumer cap filters out the frivolous lawsuits that currently clog our legal system. If, however, actual damages exceed $750, the amount of actual damage is awarded instead of the $750 maximum. So, if one experiences true and demonstrable personal damage, one still has an avenue for justice. In addition, consumers have a right to any other relief the court deems proper. With that, we will have to see how initial incidents unfold in the courts to get a better gauge of what a consumer can expect when it comes to the full scope of legal action.
Organizations Who Will Be Affected
At this point, you may be wondering: does CCPA affect my organization? That's a good question, and luckily CCPA outlines the criteria that tell organizations whether they must comply with the legislation. A business falls under CCPA if it meets any one of the following:
- $25,000,000 or more in annual revenue
- Annually buys, sells, receives, or shares the personal information of 50,000 or more consumers, households, or devices in California
- Derives 50% or more of its annual revenue from selling personal information
What It Means for the Rest of Us
As you can see, the thresholds are pretty high. My feeling here is that CCPA is trying to hold the big dogs accountable. These tend to be the organizations perceived as the most egregious violators, because they hold the most personal data. So when a Facebook or a Google violates consumer privacy or mishandles the security of personal data, wide swaths of consumers are affected. At the same time, it will be interesting to see whether the true intent behind the CCPA is simply to push companies to acknowledge privacy as a viable concept, in order to create an atmosphere where privacy is taken more seriously. In the meantime, it would behoove all organizations to at least begin looking at their data collection, data sharing, storage, and security practices. This issue doesn't seem to be going away anytime soon, and only time will tell how data privacy plays out as a whole in our country.