So what’s in the CCPA regulations?
It applies to any qualifying business, in any country who has customers or employees based in California. Qualifying businesses being those who have annual gross revenues in excess of $25 Million or
trades data on more than 50,000 customers annually or
derives 50% or more of it’s annual revenue from selling personal information.
Sanctions: California consumers may invoke the new law where enforcement actions may include a $2,500 penalty per record for an unintentional violation and $7,500 penalty for an intentional violation. (If Cambridge Analytica happened today, that would be 50 million multiplied by $7,500 or 375 with nine zeros).
At a lower level, the act allows a “Private right of action” for California Residents, allowing claims of $100 to $750 per incident, whether actual harm is proven or not. This law is tied to the recently updated California Data Breach Notification Law AB 1130 which defined data in scope including driver’s license, social security number, email address, account numbers, as well as medical, health and biometric information.