The California Consumer Privacy Act (CCPA): Your Last Chance to Get Ready
It’s 2020! At the fresh start of this new decade, where 5G technology and big data further enable our transformation to artificial intelligence and automation, data security has become the center of attention for governments, corporations, and consumers. The more user data a company stores, the more capable the company is of offering efficient products and services. Thus, this user data can be worth millions of dollars, making it a tempting target for cybercriminals.
Indeed, the last few years were not very pleasant for Silicon Valley. After multiple data breaches compromised the data of millions of users (e.g. the Facebook data breaches of 2018 and 2019), the State of California has finally started to take action to protect consumers’ privacy. The California Consumer Privacy Act (CCPA), initially passed in 2018 with final amendments signed in late 2019, has come into effect as of January 1, 2020.
Will my company be affected by the CCPA?
Despite coming into effect, the law will not be enforced until July this year, so there is still one last chance for you to get fully prepared. The CCPA will apply to all companies 1) with annual revenue above $25 million, 2) selling data of more than 50,000 consumers, 3) possessing data of more than 50,000 users, or 4) deriving more than 50% of their annual revenue from selling their customers’ personal information. If your business meets one of the conditions above, this law will apply to you. All the Silicon Valley tech giants (i.e. Google, Apple, Amazon, Facebook) fall into one or more of these categories.
My company is not located in California, should I be concerned?
Yes. The CCPA applies not only to all companies located in California: all companies that collect or sell the personal information of Californian residents, regardless of their location, are also regulated under the act.
How should my company comply with the CCPA?
As a business, you are now required to have a button on your homepage that reads “DO NOT SELL MY PERSONAL INFORMATION”. Whenever a user clicks on it, you will be forbidden from selling that user’s personal information to any third party. You also must notify customers about what information you are collecting from them, either before or during collection, and twice a year if asked. Moreover, you need to inform customers about what types of third parties you will share their information with and provide a list of those third parties. Lastly, whenever asked, you have to explain to customers any commercial purposes of information collection.
What are my legal obligations to the customers?
You are required to delete a customer’s data immediately if asked. You must also stop sharing a customer’s information with third parties when asked to do so, and you must not penalize the customer in any way (e.g. price discrimination, low-grade service). Lastly, your customer has the right to sue you if you are careless in protecting their information, leading to an unauthorized data breach. For example, if your data is not encrypted, you can be sued for careless protection.
The bottom line
Unlike under its counterpart in the EU (the General Data Protection Regulation, GDPR), under the CCPA your company is responsible for the consequences of any cyberattacks. The GDPR only requires companies to report any data breach to the Data Protection Authority (DPA), and to report it to consumers if the data breach poses a high risk to them. However, the CCPA holds your company legally accountable if you suffer a data breach where the data was not protected in a reasonable manner. In short, your company is legally responsible for the conduct of the attackers.
Need help with securing your data?
Penta Security is ready to help your business adapt to the CCPA! MyDiamo is a popular solution for managing open source database security, chosen by companies and healthcare providers in the EU in compliance with the GDPR. With its advanced cryptographic standards, MyDiamo minimizes your risk of suffering any data breach. For more information about MyDiamo, click here.