What SMBs need to know about the California Consumer Privacy Act


After being signed into law back in 2018, the California Consumer Privacy Act (CCPA) became enforceable on July 1 of this year. This means that businesses that collect personal information from California residents and meet one of the act's thresholds, such as earning half or more of their annual revenue from selling that information, now need to comply with the act or be subject to fines. While similar to Europe's General Data Protection Regulation (GDPR), CCPA has its own provisions that businesses will need to familiarize themselves with.

To learn more about CCPA and how it will be enforced by California’s Attorney General’s office, TechRadar Pro spoke to the director of SiteLock, Logan Kipp.

Can you tell us a bit more about the California Consumer Privacy Act (CCPA) and the ramifications it has for how businesses handle consumer data?

The California Consumer Privacy Act, or CCPA, aims to strengthen privacy rights and consumer protection for residents of California. This law applies to any business worldwide that receives personal details and data from any California residents either directly or indirectly. The law also applies to businesses that meet at least one of the following additional criteria:

- Makes annual revenue of more than $25 million (USD) in total (not just in CA)

- Receives personal data from at least 50,000 consumers, devices, or households per year

- Obtains 50% or more of its annual revenue from the sale of personal information about California residents.


How does CCPA compare to GDPR and are there any major differences? Will it be more or less effective?

CCPA and GDPR both encourage transparency in businesses and require these companies to report data breaches to consumers with the aim of better protecting these consumers and their personal information. GDPR, which protects users in the European Union, defines personal information as any information that can identify someone directly or indirectly, while on the other hand, the CCPA defines private data more broadly to include any information that identifies, relates, describes, or can be associated with someone directly or indirectly.

Many of GDPR's provisions focus more on the portability of data across international lines and companies' abilities to process data. One of the most notable ways that they differ is in their opt-in/opt-out policies: GDPR requires users to opt in to data collection, while CCPA only offers consumers the right to opt out. Additionally, CCPA requires that sites include a "Do Not Sell My Information" link and modify their privacy policies to include a CCPA disclosure.

With this in mind, the CCPA will arguably be much more effective at protecting consumers’ information from being sold in primary and intermediate user information markets. 

What protections does CCPA give consumers and will they be able to seek legal action against companies that mishandle their data?

The CCPA allows consumers to take better control of their data and control whether companies can utilize or sell it. If a consumer finds that an organization does not comply, and has proof that their information was taken or accessed, they can sue the company for its failure to maintain reasonable security procedures.


What is the highest fine possible under CCPA and do you think California’s attorney general’s office will look to make an example out of early offenders?

Although CCPA went into effect on January 1, 2020, enforcement did not start until July 1. This means organizations can now be held accountable and can be fined up to $2,500 per negligent violation or up to $7,000 per intentional violation.

Only a few weeks into enforcement, I think that California’s Attorney General’s office may look to make an example out of early offenders to send a strong message.

Now that CCPA has gone into effect, do you think that a nationwide data protection act is more or less likely to be passed?

Now that the CCPA has gone into effect, I would expect that a nationwide act is more likely to be passed in the next ten years because of the overwhelming support for the concept that we’ve seen in California, the United States’ largest economy.


What steps can small businesses take to ensure that they comply with CCPA?

Due to the CCPA parameters, small family-run stores are likely in the clear, but high-growth small businesses will need to take action to become CCPA compliant. To ensure they comply, these businesses should prepare to enhance their privacy protections and update their privacy policies. Organizations must also implement reasonable security measures in order to protect their consumers’ personal information. And, to ensure that no missteps are made, training employees on CCPA compliance is key.

What advice would you give to organizations that have yet to prepare for the new legislation?

If an organization has yet to prepare for the CCPA legislation, they need to act fast and update their privacy policy. Hackers always target those who are least suspecting it, making ill-prepared businesses that much more desirable. To combat this, organizations should consider implementing top-notch security tools, patching vulnerabilities and training employees to be more cyber aware in order to ensure their customers' personal information is safe.