The law applies to entities that do business in California, collect personal information from California consumers, and meet any one of the following criteria:

  • As of January 1 of the calendar year, the company had more than $25 million in annual gross revenue in the preceding calendar year.
  • The company buys, sells, or shares the personal information of 100,000 or more consumers or households.
  • The company derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.

If any of these criteria is met, California residents have the right to:

  • Opt out of the sharing of their personal information
  • Opt out of certain uses and disclosures of sensitive personal information (for example, SSN, driver's license number, precise geolocation, race, and health data)
  • Correct inaccurate personal information
  • Know more about a business's information practices
  • Have options regarding automated decision-making

Increased obligations on businesses include:

  • Requirements related to data retention, data minimization, and purpose limitation.
  • Requirements to pass deletion requests on to service providers, contractors, and third parties to which the business has sold or shared information.
  • Additional contract provisions required with service providers, contractors, and third parties.
  • Possible increased auditing requirements, including annual cybersecurity audits and regular risk assessments submitted to the California Privacy Protection Agency.

The law's enforcement and penalty provisions go beyond and modify the California Consumer Privacy Act (CCPA) in the following areas:

  • Creates the California Privacy Protection Agency, a new state agency, and transfers rulemaking and enforcement authority to it from the California Attorney General.
  • Removes the 30-day cure period.
  • Triples penalties for violations involving minors under 16.
  • Expands the types of data breaches within scope of the data breach private right of action to include breaches of a username or email address in combination with a password or security question and answer that would permit access to an online account.

California may be leading on data privacy laws, but other states, including Colorado, Connecticut, New York, Utah, Virginia, and Washington, are moving in the same direction.

To meet the various state data privacy requirements, we suggest the following:

  • Know your data – where it is, what it is, and who has it.
  • Have a holistic data privacy program. Identify the highest bar (likely the CPRA) and use it as the standard for all privacy processes.
  • Ensure a plan is in place, or has already been executed, to meet the most stringent privacy requirements.
  • Stay well-informed of changes to laws.

Subscribe to Dean Dorton Insights to stay up-to-date with the latest regulatory changes.

Kevin W. Cornwell | IT Audit Associate Director