Challenge of addressing the California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) aims to give California residents more control over how companies collect and use their personally identifiable information (PII). The CCPA does this by granting California residents certain rights to see and control the PII that companies collect about them. Companies subject to the CCPA must comply with the data privacy law by creating mechanisms that allow California residents to exercise those rights. For example, the CCPA allows a California resident to know what personal information a company is collecting about him or her, and to obtain a copy of that information. It allows residents to know when their information is sold or disclosed, and to whom, and it gives residents the right to opt out of such sales. A company must also provide equal services and prices to all residents even when they exercise their opt-out rights.
As a practical matter, most companies can’t easily restrict CCPA requirements to California residents only. This means companies will need to extend the CCPA requirements to all the PII they handle, and any necessary policies or procedures (such as providing methods for residents to view PII) will likely need to apply enterprise-wide. Enforcement and litigation risks for non-compliance could be severe. The CCPA allows the state to seek civil monetary penalties for each infraction, and it also allows consumers to file their own civil litigation seeking damages arising from data privacy breaches.