The Fraud Examiner
Are You Ready for California’s New Data Privacy Law?
Ron Cresswell, J.D., CFE
Research Specialist, Association of Certified Fraud Examiners
In 2018, California adopted the most comprehensive data privacy law in the United States. The new law is called the California Consumer Privacy Act (CCPA), and it takes effect on January 1, 2020. Many of the CCPA’s requirements will look familiar to organizations that already comply with the EU’s General Data Protection Regulation (GDPR). Both laws require notice of what types of personal information a business collects and for what purposes. However, the CCPA has some unique provisions that have no counterparts in the GDPR.
What follows is a broad overview of the CCPA and how it differs from the GDPR. Due to space constraints, this article does not discuss every provision of the new law. To comply with the CCPA, covered organizations should consult with their legal department or outside counsel.
Scope of the CCPA
Generally, the CCPA applies to any organization, inside or outside of California, that:
- Is for-profit
- Collects the personal information of California residents
- Meets any of the following thresholds:
  - Has annual gross revenue in excess of $25 million;
  - Annually buys, sells, or receives or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices; or
  - Derives 50% or more of its annual revenues from selling consumers’ personal information.
The scope of the CCPA is significantly restricted by the three thresholds listed above. Many small businesses do not meet any of those thresholds and, therefore, are not covered by the CCPA. By contrast, the GDPR applies to almost any organization that collects, sells or otherwise processes the personal information of persons in the EU for commercial purposes. As such, the GDPR covers a larger population of organizations than the CCPA.
Right to opt out of sales