The GDPR, which went into effect in May 2018, is one of the most comprehensive data protection laws in the world.
The CCPA’s impact is expected to be huge, given California’s status as the fifth largest global economy.
The CCPA will take effect on 1 January 2020; however, organizations have to provide consumers with information covering the preceding 12-month period, so some actions may need to be taken before the launch date.
Both GDPR and CCPA share the same definition of certain terminology, establish additional protections for individuals under 16 years of age, and include rights to access personal information.
However, the CCPA differs from the GDPR in some significant ways, particularly with regard to the scope of application; the nature and extent of collection limitations; and rules concerning accountability.
The California Consumer Privacy Act is the most comprehensive privacy law in the country. Targeted at companies that collect and/or sell personal information, it is designed to give Californians more control over their own data.
The following are among the major new data protections CCPA introduces:
• Right to access information – Consumers in California will be able to know the “what, who, and why” surrounding their personal information. Specifically, they can request the following, which must be provided in a digestible format:
  • Which categories of information were collected and sold
  • From whom this information was collected, with whom it was shared, and to whom it was sold
  • Why it was collected
• Right to deletion – Consumers in California will be able to request that a company delete the personal information it has collected about them.
• Right to opt out – Consumers in California will be able to direct a company to not sell their personal information to third parties (although the definition of “sell” in the bill is broader than simply monetary exchange).
Businesses can expect California legislators to continue to clarify and amend CCPA leading up to the enforcement date. A number of amendments have already been passed, including the introduction of a six-month enforcement grace period to July 1, 2020.
With the deadline fast approaching, just 14% of companies report being CCPA compliant. The hope was that other American states would follow suit and implement similar compliance schemes.
Given the fact that so few businesses are taking the privacy law seriously, there are doubts about how many other states will actually follow suit.
Avoiding fines and limiting risk to reputations are the obvious benefits of compliance.
Hotel chain Marriott is facing a fine of £99 million over a data breach which is estimated to have affected around 339 million customers.
The Information Commissioner’s Office (ICO) fine relates to a data breach at the company believed to have originated in the systems of the Starwood hotels group in 2014.
British Airways is to be fined more than £183m by the Information Commissioner’s Office after hackers stole the personal data of half a million of the airline’s customers.
The ICO said its extensive investigation found that the incident involved customer details including login, payment card, name, address and travel booking information being harvested after being diverted to a fraudulent website.
They clearly mean business, and it’s safe to assume California regulators will do the same once CCPA comes into force.
This is why organizations need to take steps now to comply with the consumers’ rights requirements imposed by these data privacy laws.
CCPA will mark a fundamental shift in how U.S. companies do business and interact with their customer data.
The law will apply to certain controllers that “do business in the State of California,” regardless of where they are located. That is to say: if your company does business in California, or has customers that reside in California, you will need to be CCPA-compliant, and that covers a lot of organizations.
Like GDPR, the CCPA aims to guarantee individuals greater control over their own data. Under the CCPA, Californians have the right to:
• Demand companies disclose how their personal data is being collected and used
• Access personal information that is collected, and request it to be deleted
• Find out whether their personal information is being shared, and if so, with whom
• Opt out of the sale of their personal information
• Have equal service and price, whether or not they choose to exercise their privacy rights
Data controllers should also understand that, like GDPR, the CCPA expands the definition of what type of data companies must protect and account for.
The CCPA, for example, defines personal data as information that “identifies, relates to, describes, or is capable of being associated with a particular consumer or household.” That includes IP addresses, geolocation data, biometric data, and other unique identifiers such as cookies and device IDs.
Just like GDPR, the CCPA will have the power to fine businesses that flout the law.
The state can also bring these charges to a company directly—imposing a $7,500 fine for any violation not addressed within 30 days. While GDPR fines are, in theory, much higher, CCPA fines are potentially more far-reaching in that there is no ceiling for CCPA penalties. (Under GDPR, penalties have a ceiling of $20M or 4% of global revenue, whichever is greater.)
The GDPR is being used as a model for privacy laws across the world, and it will be interesting to monitor how the CCPA is received and whether companies wishing to avoid heavy penalties for non-compliance have learned and noted any lessons.