1 min read
What Idahoans Need to Know About Cybersecuring Medical Devices
In light of increasing cyber-threats over the past several years, governments, industries and individuals all over the world are turning their sights...

In 2022, the California Attorney General fined Sephora $1.2 million for ignoring customer opt-out requests. Shoppers had clicked "do not sell my data" — and the company sold their data anyway. The fine got attention not because $1.2 million is catastrophic for a global retailer, but because of what it signaled: California was done asking nicely.
Since then, enforcement has accelerated. In 2023, California upgraded its privacy law with the California Privacy Rights Act (CPRA), creating a dedicated enforcement agency — the California Privacy Protection Agency — with a full-time staff and a mandate to audit businesses. The "wait and see" era for CCPA compliance is over.
If your business is based in Boise or Idaho Falls and has any customers, website visitors, or employees in California, this applies to you.
The California Consumer Privacy Act (CCPA) went into effect January 1, 2020. It gave California residents the right to know what personal data businesses collect about them, the right to request deletion, and the right to opt out of having their data sold.
In 2023, the California Privacy Rights Act (CPRA) upgraded that framework significantly:
A real enforcement agency. The California Privacy Protection Agency (CPPA) operates independently of the Attorney General's office. It has dedicated investigators, can initiate audits, and issues its own fines. CCPA enforcement used to depend on the AG deciding to act. CPPA enforcement is ongoing and systematic.
Employee and job applicant data is now covered. The original CCPA exempted HR data. CPRA removed that exemption. If you have California-based employees or you've recruited candidates in California, that data is now subject to the same rules as customer data.
B2B data is now covered. CCPA originally exempted business contact information (a name and email collected from a business relationship). CPRA removed that exemption. If you collect contact information from California-based vendors, partners, or business customers, that's personal data under the law.
Sensitive personal information gets extra protection. CPRA created a new category — "sensitive personal information" — that includes Social Security numbers, financial account details, precise geolocation, health data, biometric data, and more. Businesses must disclose when they collect this category and give consumers the right to limit its use.
Right to correct inaccurate data. Consumers can now request that businesses correct personal information that's wrong, not just delete it.
CCPA/CPRA applies to for-profit businesses that do business in California and meet at least one of these thresholds:
For most Idaho manufacturers, engineering firms, and professional services businesses, the $25M revenue threshold is the most likely trigger. But the 100,000 consumer/household threshold is easier to hit than it sounds if you have a website with California traffic — analytics tools collect personal data.
Practical scenarios that affect Idaho businesses:
You have a website with Google Analytics or similar tools, and some of your visitors are from California. That's personal data collection under CCPA, even if you never sell anything directly to California consumers.
You manufacture a product that's distributed to California retailers or businesses. Your California business contacts are now covered under CPRA's removal of the B2B exemption.
You've posted job listings that California applicants have responded to. Applicant data is now covered.
You have a California-based customer, vendor, or partner whose employee contact information is in your CRM.
None of these require you to have a storefront in California. The law follows the data, not the business location.
The Sephora violation wasn't complicated. Customers opted out. The company ignored those opt-outs and continued sharing data with third parties through tracking cookies. They also failed to honor opt-outs submitted through browser-level Global Privacy Controls (GPC) — a signal that browsers can automatically send to websites requesting privacy protection.
The practical lesson: it's not enough to have a privacy policy. The opt-out mechanism has to actually work. If you tell users they can opt out of data collection and tracking, then your website must be configured to respect that at a technical level — including GPC signals from browsers like Firefox and Brave.
Many business websites were built without this in mind. If yours uses third-party analytics, advertising pixels, or remarketing tags, and you have California visitors, your technical setup may not be compliant — even if your privacy policy says the right things.
The fine structure under CCPA/CPRA:
Those numbers scale fast. A breach affecting 1,000 California customers could expose you to $750,000 in private suits — before the CPPA adds its own penalties on top.
Under the original CCPA, businesses received 30 days' notice to fix a violation before fines kicked in. CPRA removed that grace period. The California Privacy Protection Agency can now fine businesses immediately, without warning.
The CPPA also has broader authority than the AG's office did — it can proactively audit businesses, doesn't need a consumer complaint to open an investigation, and has a dedicated staff for exactly that purpose.
Audit what data you're collecting and where it goes. Start with your website: what cookies and tracking tools are active, what data they collect, and which third parties receive it. Then expand to your CRM, HR systems, and any cloud tools that handle personal information.
Update your privacy policy — and make opt-outs work. Your privacy policy needs to reflect what you actually collect and why. The opt-out mechanism (and GPC compliance) needs to be tested, not just written about.
Review your vendor agreements. Under CCPA/CPRA, if you share personal data with a service provider, that provider must be contractually bound to use it only for the purposes you've specified. Review your agreements with CRM vendors, marketing platforms, HR software providers, and anyone else who handles personal data on your behalf.
Assign someone responsibility. The law requires you to have a process for handling consumer requests — someone needs to be responsible for receiving, logging, and responding to requests to know, delete, or correct data within the required timeframes (45 days for most requests).
Talk to legal counsel if you're above the thresholds. This post gives you context, but CCPA/CPRA compliance involves legal obligations that go beyond IT. An attorney familiar with California privacy law should be part of your compliance plan.
California led, but it's no longer alone. As of 2026, more than 20 states have enacted comprehensive data privacy laws — including Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and others. The specifics differ, but the direction is consistent: businesses are increasingly responsible for how they collect, store, and share personal data, regardless of where they're headquartered.
Idaho doesn't yet have a comprehensive consumer privacy law, but Idaho businesses operating across state lines are subject to the laws of the states where their customers and employees are located.
The question isn't whether privacy regulation is coming to your business. It's whether you're prepared when it arrives.
1 min read
In light of increasing cyber-threats over the past several years, governments, industries and individuals all over the world are turning their sights...
1 min read
Recently, it's become almost impossible for Manufacturers to purchase cyber insurance here in the US. At face value this seems odd; they rarely hold...
1 min read
Windows 10 end of life came and went on October 14, 2025. If you're reading this and your business still has machines running Windows 10, you're not...