Dov Goldman (dov@panorays.com) is the Director of Risk and Compliance at Panorays in Tel Aviv, Israel.
Legal teams are charged with ensuring that third-party business partners, outsourcers, and suppliers comply with regulations. Therefore, it’s not surprising that many legal teams are particularly worried about how the newly enforceable California Consumer Privacy Act (CCPA)[1] will shape those relationships.
There’s good reason for concern: Businesses that fail to comply could face penalties of up to $2,500 per negligent violation and $7,500 per intentional violation. Individuals can also seek damages of between $100 and $750, and actions can be aggregated into a class action, which may expose a company to enormous financial penalties through its consumers. For these reasons, legal teams must understand the importance of vendor compliance with CCPA and why partners who are noncompliant pose an unacceptable risk.
The regulation
Similar to the way the General Data Protection Regulation defined data privacy in Europe, CCPA is leading the way in US data privacy regulations. Many states have already started to follow California’s example by introducing their own, often similar, privacy regulations.
CCPA applies to companies that do business with California residents, whether the organization has a California office or not, and where at least one of the following is true:
-
Revenue of greater than $25 million;
-
Buy, sell, or share the personal information of at least 50,000 consumers, households, or devices, which do not all have to be from California;
-
Derive 50% of its annual revenue from selling personal information.
There are numerous exemptions to CCPA; however, it’s expected that even those businesses not legally required to comply with CCPA will likely do so anyway. This is because other data privacy laws in the making will mandate similar standards. Moreover, it’s best and simplest for businesses to provide the same rights for all their customers, rather than just those who live in California.
