The first part of California’s privacy law went into effect on January 1, 2020 with the second deadline set for July 2020, bringing with it a collection of regulations affecting how the data of the state’s residents must be managed. The California Consumer Privacy Act (CCPA) defines rules and guidelines for businesses in relation to how they must manage consumer data whilst giving consumers the right to decide what happens with their personal information.
Most online businesses are affected
The CCPA applies to any organization doing business with California residents where one of the following are true:
- Has gross annual revenues of over $25 million; or
- Generates more than half of its annual revenue from selling consumer data; or
- Collects the personal data of 50,000 or more consumers, households or devices
With the last of the three requirements being easy to hit, almost all organizations doing business with California residents online and maintaining user information, such as names, addresses, email addresses or browser cookies, will likely need to comply with the CCPA.
The first violations will be examples
The effects of the General Data Protection Regulation (GDPR), Europe's data privacy law, are already being felt as governing bodies are now starting to issue fines for violations with some of which being substantial. Businesses within Europe are now realizing that GDPR is more than just a suggestion of compliance – there are large, far-reaching consequences as a result of not conforming to the rules. Failing to comply with the CCPA regulations can result in fines ranging from $2,500 to $7,500 for each violation.
The California Attorney General has said they only have the bandwidth to bring a few cases a year and that he expects consumers to take action themselves against organizations who are in violation.
With the Attorney General having limited resources, it stands to reason that the state will look to make examples of the cases which they do choose to bring to court and the first few will no doubt send shockwaves throughout the business world.
Open to wide interpretation
The CCPA is currently open to wide interpretation and the initial litigated cases will likely be used to form case law and set a standard for cases moving forward. However, because of the lack of prior activity, courts will largely be unpredictable in terms of how they bring verdicts, potentially leading to large and lengthy processes.
Although it is early days in terms of CCPA litigation, we are starting to see the first cases working through the courts and once the later part of the bill becomes enforceable, we are sure to see more.
Ensighten website compliance enforcement
Ensighten’s technology enables organizations to not only become compliant with the CCPA and other global data privacy legislation, but also enforce compliance throughout their online properties.
By providing clear ways in which users can understand how their data is being used and giving the ability to easily leverage their rights to prevent the sale of their information, organizations are able to clearly demonstrate that they are in compliance with the CCPA.
But compliance without enforcement is weak, especially in a world where the average website uses an abundance of third-party tools or pieces of functionality. Generally, solutions in this space simply take the user’s choice and pass this on to downstream providers using their APIs and trusting that they honor the request.
Ensighten allows organizations to eliminate the risk posed by third-party components by managing access to data at the source, the website, and ensuring that where users make certain choices over their data, these choices are enforced even down to third-party interactions.
Get in touch to find out more about how you can protect your website from data leakage or theft while complying with global data privacy legislation.
Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.