California Consumer Privacy Act (CCPA) Sets the Bar in the USA
With the Privitar Data Privacy Platform™, enterprises can mitigate the risks from the California Consumer Privacy Act’s (CCPA) most pressing regulatory compliance challenges:
With many states proposing similar or identical legislation, recognition that implementing a single standard for the entire country can be more cost effective and efficient, and an understanding that US consumers are demanding their sensitive personal data be protected, leading businesses are committing to CCPA compliance across the entire US.
Does the CCPA Apply to Me?
The CCPA is the most significant US privacy law to date. It applies to all for-profit companies doing business in California that collect, share or sell California consumers’ personal data and meet one of the following criteria:
- Has >$25M in annual revenue
- Processes data on >50,000 consumers, households or devices
- Generates >50% of revenues from selling personal data.
Private Right of Action
Consumers can exercise a Private Right of Action (PRA) if certain types of data, as defined in the California Data Breach Notification Law, leak. This data includes driver’s license, social security number, email address, account numbers, as well as medical, health and biometric information. Affected consumers can claim damages of $100-$750 per person for distress alone. Damages are uncapped for actual harm. Privitar enables you to pseudonymize these data types and eliminate the risk of PRA.
California Attorney General Fines
The state Attorney General has new investigative authority and the power to levy fines up to $2,500 – $7,500 per incident per person for violations.
Request for Deletion
Consumers can request that their data be deleted. Although this sounds straightforward, in practice it can be challenging for organizations to comply, and non-compliance can result in fines.
Taking Data Outside the Scope of the CCPA
The CCPA does not apply to data which has been de-identified and aggregated. Simple pseudonymization is not enough, because pseudonymous data can be identifying when combined with other proprietary or publicly available data. However, using Privitar’s advanced de-identification functionality you can move beyond pseudonymization to take data out of the scope of the CCPA.
Don’t Delete: De-Identify
Fulfill Requests to be Forgotten while Maintaining the Value of Data
The California AG’s draft regulations confirm that de-identifying data is sufficient to comply with deletion requests. With direct and quasi-identifiers de-identified, you can retain behavioral and historic data that enables you to maximize the value and insights from future aggregate analyses.