Coronavirus or not, the enforcement date for the California Consumer Privacy Act (CCPA) is still set for July 1, 2020.
Organizations have just days to become CCPA compliant. Businesses in adherence with Europe’s General Data Protection Regulation (GDPR) have an advantage, as the two laws are similar in their objectives, disclosure requirements, exceptions, private rights of action, and more. The two regulations differ greatly, however, in the details.
Here’s what you need to know to protect your organization.
The Cost of Noncompliance
The European Union has handed out more than €153 million in total GDPR fines since the law’s enactment in 2018. The smallest infringements under GDPR can result in fines of up to €10 million or 2% of the firm’s worldwide annual revenue (whichever is higher). The most severe violations can reach €20 million or 4% of annual revenue. One company was slapped with a fine of €54 million.
CCPA fines start with civil penalties of up to $7,500 per violation. Statutory damages related to breaches range from $100 to $750 per consumer per incident or actual damages, whichever is greater. While the individual fines for GDPR may appear to be much higher, the catch is that there’s no ceiling on the number of CCPA violations. This makes the financial impact of CCPA noncompliance more alarming because it’s harder to plan for.
The total cost of CCPA fines can add up quickly, potentially outweighing that of GDPR. If 100,000 users within the database are impacted by a breach, for example, the total fine could reach $750 million. Considering 148 million people were recently affected by a single data breach, the potential for significant financial penalties is quite severe.
How to comply with CCPA
In most cases, organizations with a framework in place for GDPR compliance can transfer, replicate, or refine processes and policies for CCPA. But given the CCPA is still in draft form, and a CCPA 2.0 is likely, compliance leaders should expect changes and be prepared to act.
Here are four tips to help you comply with the CCPA:
- Survey all internal stakeholders about where relevant information resides. Any personal identifiers – name, postal address, driver’s license, geolocation, biometric data, and educational information – are within the scope of the CCPA and should be accounted for during this phase.
- Look at key business applications and create an inventory of the type of information used. Note why it’s being collected and the consumer profiles, third parties, and service providers involved.
- Examine third parties closely since they can be part of virtually every aspect of a business. It’s essential that risk and compliance managers know and document which third parties are covered by their CCPA compliance program, how they handle information, and the specific data to which each party has access.
- Know where the exceptions lie, as there are many within the scope of the CCPA. The responsibility is on risk and compliance managers to give a valid reason why the business is (or isn’t) taking action. Create an inventory so you always have the information you need ready and available to prove your case.
Regardless of whether your company is directly affected by the CCPA, GDPR, or similar legislation today, there’s a good chance you will be soon. Numerous states are considering data-privacy legislation, and there is potential for a federal mandate.
While important, avoiding fines is just one reason to institute strong data-privacy measures. According to Deloitte, 80% of consumers are more likely to purchase from organizations that protect their personal information. Companies that ignore data privacy will clearly be penalized on many fronts. Are you prepared?