Mythbusting the CCPA: Why the New California Consumer Privacy Act Matters to You

In less than 60 days, the California Consumer Privacy Act (CCPA) will take effect. Security and privacy experts say it is the strictest data privacy law in the US and requires protections similar to GDPR. This law grants California residents new rights with respect to personal information collected about them by companies. They have the right to know what information is being collected and to tell a business not to share or sell their personal information.

In addition, CCPA states that consumers have a right to access their information and a right to delete personal information. Businesses must honor consumer requests to access their information at no charge and send that information digitally or via snail mail. The costs for not complying with CCPA are serious and steep.

Non-compliant organizations can be penalized with an array of fees. Government entities can inflict a fine of $7,500 per violation. Consumers receive statutory damages between $1,000 and $3,000 and can file class action lawsuits without showing loss of property or money.  In the event of a data breach, consumers can recover damages of $100-$750 per incident. A sizeable breach of tens of thousands of customers can add up quickly and run into the millions.

As this law goes into effect on January 1, 2020, you may have some misinformation about some key aspects of the law and its impact on businesses around the globe. We want to let you know the #facts and bust some myths that might be giving you a false sense of security.

Myth #1: My business isn’t located in California; therefore, I’m exempt.

While CCPA only applies to California residents, it includes companies that have California customers. These regulations are expected to apply to more than 500,000 U.S. businesses. If your company receives personal data from California residents AND if it—or the parent company or a subsidiary—meet one of these three criteria, you must comply with CCPA regulations:

• Your business collects personal information on 50,000 or more California residents, households or devices
• 50% or more of your annual revenue comes from selling information on California residents
• Your annual gross revenues exceed $25 million

Myth #2: I don’t keep sensitive data on my customers; therefore, I’m exempt.

CCPA isn’t limited to social security numbers or other Personally Identifiable Information (PII). Personal information is much broader in scope than most companies might think. It includes identifiers such as a real name, postal address and geolocation data, Internet Protocol address, email address. CCPA also covers records of purchase or consuming history, browsing and search history, employment and education information, biometric information, as well as audio, visual or thermal information.

It is difficult to imagine a business that doesn’t retain some information on their customers such as an email address or purchase history. Therefore, if you meet one of the three criteria above, you are likely impacted by CCPA.

Myth #3: I already comply with GDPR so I’m covered.

The CCPA’s required privacy policy disclosures are broader than those required by the GDPR. For example, GDPR defines personal data as any information relating to an identified or identifiable person.  But CCPA also includes information that is capable of being associated with a specific California resident or household, which makes the breadth of data that your business must be prepared to disclose greater than GDPR.  Additionally, CCPA requires your business to disclose whether it sells personal data and a description of third parties receiving that data. This privacy policy must be kept current, updated annually and cover the activities of the previous 12 months.

Another way CCPA goes beyond GDPR is how it defines “sale” – under the California regulation, it’s any form of disclosure, in any format, to any other third party in exchange for money or other valuable consideration. Consumers have the right to opt out of such sales with no repercussions. “Other valuable consideration” could arguably include providing your data to an analytics service for your own benefit, as that is valuable business intelligence.

On a more positive note, CCPA gives business up to 45 days – 15 days longer than GDPR – to verify the identity of requesting individuals and respond to disclosure requests and California residents can only make two requests every 12 months.

Myth #4: I don’t need any tools to help me with CCPA compliance.

As noted above, businesses need to verify the identity of the person requesting the data. Your business can only supply personal data if it is a verifiable request. The fact that there are 40 million residents in California, dozens of large-scale data breaches, account takeover fraud and a disturbingly growing trend of synthetic ID fraud means that your business needs to work with a company who can quickly, securely and seamlessly verify the identity of your customers. You don’t want to disclose personal information to a fraudster in an effort to comply with CCPA.

Acuant technology is designed to protect Personally Identifiable Information (PII) and addresses data privacy. We have a solution for every use case and problem you want to solve when it comes to identity verification. With Acuant, you can enhance security, prevent fraud and meet regulations – including CCPA and GDPR. All workflows are privacy minded, using encryption in the cloud with no images or data being stored.

To learn more about the Acuant Trusted Identity Platform, schedule a demo.