California recently passed the California Consumer Privacy Act (CCPA) of 2018. Effective as of January 1st, 2020, the bill is a big step up in consumer privacy.
Small businesses, however, may be affected if they meet any of the three thresholds:
- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000)
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
If your business falls into any of those three categories, here is what you need to look out for:
Starting in 2020, businesses will have 45 days from the receipt of a data request to give a consumer the information they have on them, free of charge. The disclosure must cover the 12-month period before the request was made, and it must be delivered by mail or electronically at the consumer’s request. Depending on the number of customers and prospects your business has on file, requests can be time-consuming and expensive.
Businesses will be required to “provide a clear and conspicuous link on the business’ Internet homepage, titled ‘Do Not Sell My Personal Information…’”. This link must lead to a web page that allows any consumer to opt out of the sale of their personal information by your business. Also, the web page must describe Section 1798.120 of the bill, which means a lot of web developers copying and pasting this:
(a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.
(b) A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the right to opt out of the sale of their personal information.
(c) A business that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information has not received consent to sell the minor consumer’s personal information shall be prohibited, pursuant to paragraph (4) of subdivision (a) of Section 1798.135, from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.
(d) Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt in.”
Data Breach Fines
If your business suffers a data breach, and it is determined that you failed to implement and maintain reasonable security procedures and practices, the following actions may occur:
- To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
- Injunctive or declaratory relief.
- Any other relief the court deems proper.
So for example, a data breach that involved only 1,000 users could potentially cost a business $100,000 to $750,000.
DATA BREACHES CAN HAPPEN TO BUSINESSES OF ANY SIZE
CALL 718-967-7000 NOW FOR A NETWORK ASSESSMENT
If your company is like many organizations, your IT infrastructure progressed over time, trying to keep up with the pace of your business. Without the right kind of IT planning and careful technology management all along, your technical environment probably has gaps.
Our IT assessments provide a clear picture of your current IT infrastructure and operations. Whether faced with budget shortfalls, limited resources, aging infrastructure or an outdated strategy, our detailed assessment reports provide relevant findings and recommendations to spur meaningful organizational change.
NetConnect provides comprehensive assessments of both IT infrastructure and IT operations. Our IT infrastructure assessments evaluate all major infrastructure components, including servers, storage networks, security, desktop infrastructure, end-device hardware and applications. Our IT operations assessments evaluate critical operational areas, such as IT strategic planning, IT staffing, IT operational processes, IT governance, IT vendor management and IT support.