Release date: November 25, 2019
Duration: 60 minutes
With the CCPA taking effect in less than two months, credit unions should act now to shore up their data security programs and revise their policies, procedures, and privacy notices. They should also review vendor agreements and their cyber-coverage. Taking these steps now is key to avoiding liability down the road.
The CCPA gives California residents the right:
- to know what personal information (PI) is collected about them;
- to know if their PI is shared or sold and to whom;
- to prohibit the sale of their PI;
- to access their PI;
- to have their PI deleted; and
- to not be discriminated against for exercising their rights.
California is the world’s fifth largest economy, giving the CCPA broad coverage. Businesses of all sizes and industry need to be aware of the CCPA and its requirements.
The CCPA covers any company doing business in California with one of the following: (i) gross revenue exceeding $25 million annually; (ii) collects the PI of 50,000 or more people, households, or devices; or (iii) makes half of its annual revenue from selling PI.
Businesses must give consumers detailed disclosures about how they handle consumer PI. Businesses must advise consumers of their rights under the CCPA, respond to consumer requests for access or deletion, and provide consumers an opt-out for the sale of their PI.
There are two ways the CCPA can be enforced. Consumers can file civil lawsuits (including class actions) if their PI is subject to a data breach resulting from a business’s failure to implement and maintain reasonable security procedures. Statutory damages range from $100 to $750 per incident (i.e. per person). Alternatively, after July 1, 2020, the California Attorney General can bring a civil action to recover a civil penalty of $2,500 per violation and up to $7,500 for each intentional violation.
MEET THE PRESENTER
Genevieve Walser-Jolly is a partner at Severson & Werson, APC. Ms. Walser-Jolly is the Author of the California Continuing Education of the Bar’s Treatise on the California Consumer Privacy Act. (Walser-Jolly, The California Consumer Privacy Act, Ch.10A, Privacy Litigation (CEB 2019)). She is also a Certified Information Privacy Professional (CIPP/US).