CCPA (California Consumer Privacy Act)

Created by Faye for Freshworks, Modified on Fri, 30 Jan at 11:05 AM by Faye for Freshworks

Many other regions, countries and states are introducing their own data security policies similar to the European and UK GDPR policies.

 

The CCPA (California Consumer Privacy Act) gives any California consumer the right to see all the information a company has saved on them, to request that their data be deleted from a system, and to see a full list of all the third parties the data is shared with.

Generally, if you are following good practice for GDPR you will also be following good practice for CCPA.

The ultimate goal of this law was to make California residents aware of the data being collected about them and whether it was sold and to whom, and to let them disallow the sale of their data and request its deletion. It applies to things that could directly or indirectly tie to a customer, including name, address, IP address, email address, signature, physical description, social security number, telephone number, passport number, driver's license, insurance policy number, education, employment and employment history, bank account numbers, and any other financial, medical, or health insurance information.

 

There are some key differences between GDPR and CCPA. The first is the territorial reach. GDPR covers residents in the EU, and the CCPA covers residents in California. The second is the scope. Whereas the GDPR covers all personal data regardless of the source, the CCPA only considers data that was provided by a consumer. The CCPA also allows residents to opt out of the sale of personal information.

 

It is worth noting that if a business is operating within the state or collecting personal information of California residents, it must comply with the CCPA's requirements – so that means that all Encore events in California must comply, even if visitors are from other states or countries.

 

If you're fined under CCPA, it is per violation. Hypothetically, let's say that a company has an incident where 1000 customers had their data fall into the wrong hands. You'd be charged $7,500 per violation (so that is 1000 x $7,500! Yikes!), which is a difference from GDPR's penalties. However, unlike GDPR, businesses are also open to legal liabilities per customer. Each customer can file a private lawsuit for between $100 and $750 in damages, or for their actual damages, whichever is higher. If you have multiple violations, customers can file a lawsuit for each separate violation. Once served, companies have 30 days to resolve the violation, or they'll face additional civil penalties.

 
