Articles & Blogs

Who should prepare for the California Consumer Privacy Act?

September 5, 2019 | By Accorian

Any for-profit company that does business or has customers in California should prepare for the California Consumer Privacy Act (CCPA). Here’s why they should.

The CCPA applies to businesses that are collecting data and personal information of residents in California, who meet one of the following conditions:

  1. Has an annual gross revenue of $25 million or more.
  2. The organization stores the data for over 50,000 or more consumers, households or devices.
  3. Selling consumers’ personal data yields to 50% or more of the annual revenue.

The General Data Protection Regulation (GDPR) that took effect May 25, 2018 has inspired law makes to look into new ways to protect the consumer. 

The California Consumer Privacy Act (CCPA)  legislation passed in 2018 and will take effect in the State of California on January 1, 2020. 

This new law will give California residents the right to:

  • Access their personal information that was collected
  • Request that their personal data be deleted from the company’s database
  • Opt-out of the sales or transfer of their personal information to third parties
  • To be treated the same as others who allow the company to use their data 

How similar is CCPA to GDPR?

While CCPA is similar to GDPR, they have their differences. The chart below shows some of the similarities.

GDPR (General Data Protection Regulation) is a bill designed to protect and control the usage of the personal data of European (EU) citizens in and outside Europe. The legislation applies to all companies who collect, store and process any data belonging to EU citizens. This law affects companies regardless of where they are located in the world. If you’re dealing with EU citizens, you need to comply with GDPR. 

CCPA (California Consumer Privacy Act) is an online privacy act that closely mirrors the GDPR, but it was made for  residents of California.

 The bill was signed into law in June 2018 and will go into effect in January 2020. Similar to the GDPR, the CCPA allows any California consumer to request any data that U.S company has collected from them. It also allows them to request the deletion of that data, and failure to comply with those requests can result in fines. 

At a recent Press Conference, California Attorney General Xavier Becerra said that the CCPA is “groundbreaking protection for consumers, it gives them the ability to control the use of their personal data and once again we’re first in the nation to do something like the CCPA act.”

Will other states enact similar laws?

Why does California’s new law matter to everyone else? It’s part of a global trend that pushes companies to have greater accountability and to respect their consumer data.

Consumers around the globe gravitate towards companies that respect their privacy. These laws not only allow customers to view the data that is collected on them, they will also be able to request that data from those companies without any issues. 

Nevada recently passed an online privacy amendment, meanwhile proposals in Washington DC and in New York seem to be gaining attention. However some states are slow to enact strict privacy laws. A bill similar to CCPA failed to pass in Texas and Washington. 

Privacy laws can help your business

As consumers trust in large corporations continue to decrease, it’s important that businesses take steps to become compliant. When a company takes GDPR and CCPA seriously, it makes them seem trustworthy to customers which is a huge big benefit for them. Reducing risks also lowers the risk of fines that can affect a company’s profit margin. More companies are working on become compliant through HIPAA and a HITRUST certification.

Start preparing early

“While this law just covers California currently, large companies will soon have to offer similar rights to Americans,” said Alastair Mactaggart, the chief advocate of the CCPA.

While some larger companies have addressed both GDPR and CCPA, mid-market and smaller companies also need to take action. So what needs to be done?

Create data profiles – your company should know where your customer’s data is located and who has access to it. 

Review your company’s data-governance – If your company collects consumer data in any way, you should evaluate your collection practices. For example, retail companies with loyalty programs will need to adapt data tools that allow them to comply with privacy laws. 

Assess your privacy controls – Update processes and software, install patches and look for gaps in meeting CCPA requirements.

Set up a CCPA management team – This team can handle regulations and the implementation of CCPA. Your best defense is to hire a Data Protection Officer. 

Accorian can help you

The security experts at Accorian can help you understand CCPA and help you scope, identify gaps, assist with remediation and conduct a final assessment. 

Whether it’s GDPR, HIPAA or HITRUST, our security experts can help you prepare for impending consumer privacy laws.

 Contact us today to get started.

Recent Blog

Ready to Start?

Ready to Start?​

Drop your CVs to

Interested Position

Download Case study

Download SOC2 Guide