With the California Consumer Privacy Act (CCPA) now in effect, companies doing business in California, which in practice means most large enterprises in the country, are scrambling to put compliance procedures in place. Whenever a new privacy law takes effect, it is hard to know whether your business is following the rules and what changes your organization needs to make. In most cases, these concerns boil down to three questions:
- What is the new law/act/regulation?
- How is it different from other laws/acts/regulations already in effect?
- How will this affect my company?
Answering these three questions gives you a better understanding of the current state of data privacy law, and the confidence to start making changes to your business processes. So we turn to the first question: what exactly is the CCPA?
What is CCPA?
At its core, the CCPA moves the U.S. in a direction similar to the E.U. and its General Data Protection Regulation (GDPR), which mandates many of the same data protection measures. It is a lighter version of GDPR, with a looser structure and less severe fines for noncompliance. Given that California is home to some of the world's most prominent tech companies (and is the world's fifth-largest economy), it is no surprise that it followed the E.U. in enacting data protection law.
The main components of the CCPA are:
- Right of Californians to know what personal information is being collected about them,
- Right of Californians to know whether their personal information is sold or disclosed, and to whom,
- Right of Californians to say no to the sale of their personal information,
- Right of Californians to access their personal information, and
- Right of Californians to equal service and price even if they exercise their privacy rights.
- Fines and Punishment:
  - Noncompliance (enforced by the California Attorney General)
    - $2,500 per unintentional violation
    - $7,500 per intentional violation
  - Data Exposure via Breach/Hack
    - When a breach results from a business's failure to implement reasonable security procedures, consumers can sue for statutory damages of $100 to $750 per consumer per incident, or for actual damages if those are higher
  - Although the law went into effect on January 1, 2020, the California Attorney General's Office will not begin enforcing it until July 1, 2020.
The CCPA aims to give California consumers control over their data, much as the GDPR does for people in the E.U.
How is CCPA different from GDPR?
One of the most significant differences is that the GDPR is E.U.-wide law, binding in every member state, while the CCPA is a single state's law with no federal backing. However, the CCPA could be the trigger for a national law. As more states enact their own personal information and data protection laws, the pressure could move past state law and into federal law.
Getting into the nitty-gritty of these regulations, here are the primary differences between CCPA and GDPR.
- Range of Protection
- CCPA: Protects the personal information of California residents. It applies to any for-profit company doing business in California that a) has annual gross revenue above $25 million, b) buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices a year, or c) derives half or more of its annual revenue from selling personal information.
- GDPR: Protects data subjects in the E.U. and applies to any company offering goods or services to people in the E.U. or monitoring their behavior, regardless of the company's size or whether it sells customer data. Anyone processing or controlling the personal data of people in the E.U. falls under the GDPR.
- Data/Information Focus
- CCPA: Covers any information that identifies, relates to, or could reasonably be linked (directly or indirectly) with a particular California consumer or household.
- GDPR: Primary focus is “personal data,” which is defined as “any information relating to an identified or identifiable natural person (‘data subject’).”
- Right to Be Forgotten (Data Erasure/Deletion)
- CCPA: Applies only to personal information the business collected directly from the consumer (information obtained from a third party is not covered). The business must delete it on request unless the information is necessary for one of the following:
  - Completing the transaction for which it was collected
  - Security purposes (detecting and protecting against fraud and other illegal activity)
  - Identifying and repairing errors that impair functionality
  - Exercising free speech or another right provided by law
  - Complying with a legal obligation
  - Internal uses that are compatible with the context in which the consumer provided the information
- GDPR: Applies to any personal data concerning the data subject. The controller must erase personal data on request when it is no longer necessary for the purpose it was collected for, when the subject withdraws consent and there is no other legal basis for processing, when the subject objects and there is no overriding legitimate ground, or when the data was unlawfully processed.
  - On the other hand, controllers are not required to delete data if it is necessary for the following:
    - Exercising the right to freedom of expression and information
    - Complying with an E.U. or member-state legal obligation
    - Reasons of public interest in the area of public health
    - Archiving in the public interest, or scientific, historical research or statistical purposes
    - Establishing, exercising, or defending legal claims
- Data Access and Disclosure
- CCPA: At or before the point of collection, businesses must tell consumers what categories of personal information they collect and for what purposes. If a consumer requests their information, the business has 45 days to respond with a full disclosure covering the 12 months before the request, with one 45-day extension allowed per request if the consumer is notified.
- GDPR: When data is collected, the controller must inform the data subject of their privacy rights, and the subject can request access to their data at any time. Where the data was not obtained directly from the subject, separate notice rules apply. Once a request is made, the controller has one month to respond, extendable by two further months for complex requests if the subject is informed of the delay.
- Data Portability
- CCPA: The CCPA does not frame data portability as a separate right; however, consumers can ask for their information to be delivered by mail or electronically, and if it is delivered electronically it must be in a portable and, where technically feasible, readily usable format.
- GDPR: When a subject requests their data, the controller must provide it in a structured, commonly used, and machine-readable format, and where technically feasible the subject can have it transmitted directly to another controller.
- Opting Out Requirement
- CCPA: California consumers can opt out of the sale of their personal information, but they cannot opt out of its collection. Any business subject to the CCPA that sells personal information must give consumers a clear way to opt out, such as a "Do Not Sell My Personal Information" link on its website.
- GDPR: Processing can be restricted on request when the subject contests the accuracy of the data, the processing is unlawful, or the controller no longer needs the data. The subject can also object to processing and withdraw consent at any time.
- Data Protection Impact Assessment
- CCPA: The CCPA does not require a DPIA from any collector or processor of personal information. It does, however, expect businesses to implement reasonable security procedures and practices, and a breach caused by failing to do so is what exposes a business to consumer lawsuits.
- GDPR: Any controller whose processing is likely to result in a high risk to data subjects' rights and freedoms must carry out a DPIA before the processing begins.
What does the CCPA mean for your company?
The reality is that if your company already follows an established data privacy framework (such as NIST's or the GDPR), you are well positioned for the CCPA, for customer trust, and for better business. In 2019, the Capgemini Research Institute surveyed compliant and non-compliant businesses after the GDPR went into effect and found that 81% said the GDPR had a positive impact on their reputation and brand image, which in turn helped generate marketing leads. They also learned the following:
Moving Forward
Privacy is not just a matter of ticking a regulatory checkbox. It means building a culture of care for personal information, customer data, and security. A company that follows its security procedures builds a culture of privacy, earns the trust of its customers and employees, and stands out as a leader in its industry.
The CCPA is a significant step toward data privacy in the U.S., and more than half of the states have followed suit with proposed bills of their own. One thing we could see in the coming years is a federal regulation spanning all states, which would align the U.S. with Europe and the GDPR. Whatever the future holds, it is important that companies keep growing their commitment to keeping consumer data safe.