by Kellie M. Delaney
No sooner did many big companies breathe a collective sigh of relief that they had tackled some of their obligations under the EU’s General Data Protection Regulation (GDPR) than the California Legislature passed the California Consumer Privacy Act of 2018 (CCPA), aiming to head off a state initiative that was otherwise headed for the ballot in November. The CCPA will take effect on January 1, 2020. So California businesses – and anyone who does business with California consumers – are understandably asking: now what?
Background on the GDPR
The GDPR is a comprehensive regulatory framework from the European Union that extends a host of privacy rights to individuals, including the right to be forgotten, the right to data portability, and the right to correct data that’s incorrect. It could apply to companies that have employees in the EU or that hold or process some kind of personal data of an EU citizen. It includes extensive requirements for security breach notifications, designation of a data protection officer, requirements for international data transfers and sanctions that could be as high as 4% of a company’s annual revenue.
Suffice it to say, the GDPR is a really big deal if you do business in the EU and handle personal data of any kind. Companies were required to be compliant with GDPR in May 2018. In one PwC survey, 88% of companies expected to spend over $1M to comply with GDPR.
Many small businesses (SMBs) are under the impression that, as SMBs, they’re not covered by the GDPR. However, if you handle the data of an EU individual on a regular basis, you’re probably subject to the GDPR. The only exemption is for SMBs that occasionally handle such data.
Which Businesses are Covered by the California Consumer Privacy Act
There are 3 different ways to be considered a “business”