February 18, 2020

Ask the Expert: California Consumer Privacy Act

Hear from Mike Borromeo, VP of Data Protection at Stericycle, the Provider of Shred-it Information Security Solutions, on Why Your Business Needs to Be Prepared for the California Consumer Privacy Act (CCPA)

North America’s first major consumer privacy legislation just came into effect and your business needs to be ready for it.

To learn more, we sat down with Mike Borromeo, VP of Data Protection, Stericycle, the provider of Shred-it information security solutions, to understand what organizations across the U.S. and Canada need to know about the California Consumer Privacy Act.

What is the California Consumer Privacy Act (CCPA) and why should businesses be aware of it?

The CCPA is a landmark piece of privacy legislation that took effect on January 1, 2020. It’s important because it establishes privacy rights for individuals in California, giving them more control over how their data is collected, processed, stored and shared. While these types of privacy rights are already available in other parts of the world, this new law is the first step towards providing privacy rights to American citizens. 

What does the CCPA require businesses to do?

The CCPA grants privacy rights to California residents with respect to the collection of their personal information. These rights include the ability for individuals to request a copy of the personal data an organization has about them, opt out of having an organization sell their data, or even request it be deleted entirely. Under the CCPA, businesses must fulfill these requests within specific timeframes or risk being fined or sued if they are unable to comply.

Is every business impacted by this legislation?

No, but it is estimated that the vast majority (about 75%) of California businesses will be. An organization only needs to meet one of the following thresholds for the legislation to apply:

  • Have annual gross revenues of $25 million USD
  • Handle personal information of at least 50,000 Californians
  • Derive 50% or more of revenue from the selling of personal information

What about businesses based outside of California?

You are subject to the law if your organization handles the data of California residents and meets at least one of the thresholds listed above. Even if your business doesn’t, it would be smart to begin monitoring developments in privacy law because this is how new legislation is trending.

Are there any costs associated with complying with the CCPA?

There are substantial potential costs businesses need to be aware of. An economic impact assessment commissioned by the California Attorney General’s office says an organization’s initial compliance costs could range from $50,000 to $2 million USD, depending on its size and type of company. The total overall cost of initial compliance with the CCPA is expected to be approximately $55 billion USD. This figure does not include ongoing compliance costs, potential fines or settlements either.

Are most organizations ready for the CCPA?

The reality is, probably not. Many organizations still struggle with fundamental questions such as: What type of personal information do we collect? Where do we store it? Who is responsible for it? Who are we sharing it with? If your organization struggles to answer those types of questions, it’s natural that you will also struggle with trying to comply with requirements set forth in the CCPA.

Should businesses look to outside data protection experts to help them navigate this new legislation?

Absolutely. The thing to remember when you’re dealing with privacy legislation like the CCPA is that it’s the protection of data in all forms. Many businesses are focused on privacy rights from a digital perspective but forget that the paperless office doesn’t really exist. Outside data protection experts can help lower your risks by making sure you’re protecting data properly, regardless of which form it’s in.

Concerned about how the CCPA and other privacy legislation could impact your business? Please contact us to speak with a Shred-it information security expert and get a free quote for how Shred-it can protect your documents as well.