
Tag Archives for " US "

Does the California Consumer Protection Act (CCPA) have teeth?

On January 1st, 2020, the strictest privacy law ever passed in the United States will go into effect: the California Consumer Protection Act (CCPA). This law will establish broad privacy protections and allow consumer interaction with previously private personal data across the United States. Many have questions regarding the potential impact this new law will have on businesses, specifically as to whether these rules will have a positive impact on society. To have a meaningful impact, the CCPA must exude authority and be enforced strictly. Here is how the CCPA will show its teeth if you aren't complying with the new law.

Financial impact

A 48-page research report released by California's Department of Finance revealed the broad range of potential costs companies might face in order to become and remain compliant with the CCPA. Researchers estimated that total compliance costs for all companies under the scope of the law will range from $467 million to $16.5 billion between 2020 and 2030. Firms with fewer than 20 employees (the low end of the spectrum) may have to pay around $50,000 initially to become compliant. On the upper tier, companies with more than 500 employees would average around $2 million in initial costs. Large companies and small companies alike will feel the impact right from the beginning. The total sum of initial compliance payments would be equivalent to 1.8% of California's GDP, a staggering percentage.

Scope of this impact

While the CCPA is a California state piece of legislation as opposed to a federal one, the impact will be felt by companies across the nation and the globe. The law will cover out-of-state merchants who sell to Californians or even display a website within the state. Rather than create separate systems, lawyers are in consensus that companies will likely apply the CCPA rules nationwide. Even if these laws do not project across the country, however, it is estimated that 75% of California businesses earning less than $25 million per year would be impacted by this regulation.

Furthermore, as public opinion is now in favor of data protection laws, Congress could use the CCPA as a springboard for broader federal legislation.  House Speaker and California Representative Nancy Pelosi has strongly advocated for these protections federally.  So, while the law technically applies only to business within California, the CCPA could impact companies nationwide both in the short term and long term.

Penalties outlined in the CCPA

Violations of the CCPA carry significant penalties for noncompliance, similar to Europe's privacy law, the GDPR. Each transgression can cost companies up to $7,500, while consumers may sue firms for up to $750 if hacked. These hacks raise a larger concern involving class action lawsuits allowed by a private right of action clause within the CCPA. The provision for statutory damages resulting from a data breach will increase class action activity because of the breadth of possible claims from plaintiffs due to California's broad data breach notification requirement, which is not limited to a risk-of-harm standard. This will put companies who are subject to the CCPA at serious risk regarding class action lawsuits.

Furthermore, the CCPA will likely allow the plaintiff's bar to bring Unfair Competition Law (UCL) claims, which prohibit businesses from engaging in unlawful, unfair, or fraudulent business practices. The UCL allows plaintiffs to borrow violations of other laws, such as the CCPA. Although the CCPA outlines in its first amendments of the data breach section that private right of action shall only be applied to data breaches, the UCL has proven successful in providing a pathway in order to use violations of other laws as leverage for claims. The jargon behind these laws may seem confusing or broad, but companies must be aware of the possible risks they face when tackling the CCPA. The GDPR has already issued fines up to 20 million pounds, and a similar storm seems to be barreling down upon businesses in America.

The CCPA has bite

The California Consumer Protection Act will change the face of American privacy law as we know it. If companies are not properly prepared or informed about the future they face, the wide-reaching costs which will result from the CCPA, both internally and externally, will be an eye-opener. Silicon Valley has fought this legislation with hundreds of millions of dollars based on what they foresee happening in the future. Make sure your company is prepared to deal with the CCPA.


At oneDPO, we solve privacy engineering problems and help companies approach privacy the right way. Currently, we provide tools to help Data Protection Officers (DPOs) handle Data Subject Requests (DSARs) at scale.

MEPs back EU-US Umbrella Agreement on data exchanges for law enforcement purposes

On December 1, 2016, the EU Parliament voted to back the EU-US Umbrella Agreement on data protection in exchanges for law enforcement purposes. The Agreement covers the transfer of all personal data exchanged between the EU and US regarding criminal offences.

The deal is to ensure high, binding data protection standards in the data exchanged. The Agreement itself is not a legal basis for data transfers, but protects data that are already exchanged legally, says Parliament's lead MEP Jan Philipp Albrecht.

The Umbrella Agreement will ensure citizens in both the EU and US have equal rights to:

– be informed in the event of data security breaches,

– have inaccurate information corrected and

– judicial redress at court.

The Agreement also sets limits on onward transfers of data and retention periods.

Source: MEPs back EU-US data protection deal on exchanges for law enforcement purposes

The Shadow Brokers publish NSA spy tools

A hacker group that calls itself the Shadow Brokers recently published sophisticated hacking and surveillance tools on the web, making them accessible to everyone. They claim that those tools come from a breach of the NSA.

The released hacking tools exploit vulnerabilities in software that the vendor doesn't know about (so-called "zero-day vulnerabilities") and thus hasn't fixed, making everyone using this software a potential target. The published tools reveal that the United States government has been hacking for decades without much attention.


DoJ is trying to predict how terrorists will use the Internet of Things

It is estimated that by the year 2020 there will be up to 50 billion internet-connected devices, and 20% of them will be cars or trucks. Such a rapid explosion in the use of connected devices comes with security risks. Therefore the US Department of Justice, together with other agencies, is evaluating and trying to predict those risks before they become reality.


Microsoft on their win against US

Recently Microsoft won a closely watched case against the US Department of Justice on disclosure of European customer data. In that case, the US court of appeals ruled that US search warrants do not reach its customers' data stored abroad. In this article Microsoft explains their motivation for fighting this case and why they think it's a big deal.


White paper on EU-U.S. Privacy Shield

It is still uncertain when, and whether at all, the EU-U.S. Privacy Shield will be adopted and enter into force. In the meantime, Bloomberg BNA has prepared and published a white paper which examines "the challenges that U.S. and EU regulators encountered in reaching the Privacy Shield agreement, the additional privacy protections companies will be required to commit to under the agreement, and those aspects of the Privacy Shield framework that might cause a company previously self-certified under the Safe Harbor to consider alternative mechanisms".


This white paper will let you better understand what Privacy Shield would require of companies if approved by the European Commission. (Free registration is required to access the report.)
