What SMBs need to know about the California Consumer Privacy Act

The California Consumer Privacy Act, or CCPA, aims to strengthen privacy rights and consumer protection for residents of California. This law applies to any business worldwide that receives personal details and data from any California residents either directly or indirectly. The law also applies to business that meet at least one of the following additional criteria: 

- Make an annual revenue of more than $25 million (USD) in total (not just in CA)

- Receives personal data from at least 50,000 consumers, devices, or households per year, and lastly

- Obtains 50% more of its annual revenue from the sale of personal information about California residents. 

CCPA and GDPR both encourage transparency in businesses and require these companies to report data breaches to consumers with the aim of better protecting these consumers and their personal information. GDPR, which protects users in the European Union, defines personal information as any information that can identify someone directly or indirectly, while on the other hand, the CCPA defines private data more broadly to include any information that identifies, relates, describes, or can be associated with someone directly or indirectly.

Many of GDPR’s provisions focus more on the portability of data across international lines and companies’ abilities to process data. One of the most notable ways that they differ are in their opt-in/out policies where GDPR requires users to opt-in to data collection while CCPA only offers consumers the right to opt-out. Additionally, CCPA requires that sites include a “Do Not Sell My Information” link and modify their privacy policies to include a CCPA disclosure. 

With this in mind, the CCPA will arguably be much more effective at protecting consumers’ information from being sold in primary and intermediate user information markets. 

The CCPA allows consumers to take better control of their data and control whether companies can utilize or sell it. If a consumer finds that an organization does not comply, and has proof that their information was taken or accessed, they can sue the company for its failure to maintain reasonable security procedures.

Although CCPA went into effect on January 1, 2020, enforcement did not start until July 1. This means organizations now be held accountable and can be fined up to $2,500 per negligent violation or up to $7,000 per intentional violation.

Only a few weeks into enforcement, I think that California’s Attorney General’s office may look to make an example out of early offenders to send a strong message.

Now that the CCPA has gone into effect, I would expect that a nationwide act is more likely to be passed in the next ten years because of the overwhelming support for the concept that we’ve seen in California, the United States’ largest economy.

Due to the CCPA parameters, small family-run stores are likely in the clear, but high-growth small businesses will need to take action to become CCPA compliant. To ensure they comply, these businesses should prepare to enhance their privacy protections and update their privacy policies. Organizations must also implement reasonable security measures in order to protect their consumers’ personal information. And, to ensure that no missteps are made, training employees on CCPA compliance is key.

If an organization has yet to prepare for the CCPA legislation, they need to act fast and update their privacy policy. Hackers always target those who are least suspecting it, making ill-prepared businesses that much more desirable. To combat this, organizations should consider implementing top-notch security tools, patching vulnerabilities and training employees to be more cyber aware in order to ensure their customers' personal information is safe.