The California Consumer Protection Act (CCPA) took effect on January 1, 2020, and companies across the globe are scrambling to get their act together to avoid non-compliance penalties.

Although enforcement of the CCPA doesn’t officially begin until July 2020, the California Attorney General’s office will still be able to penalize violations that occurred between implementation on January 1 and official enforcement in July. This is why it’s important to kick-start compliance preparations while you still have some breathing room.

As one of the first states in the USA to pass a data breach notification law and an online privacy protection act, the Golden State has always been the leader of the privacy bandwagon, so it comes as no surprise that it’s the first state in the country to implement a comprehensive consumer privacy act. However, given the size and breadth of California’s economy and, consequently, the number of companies that’ll have to comply with the regulation, the CCPA might soon be adopted as a federal law.

The implications of the CCPA  

The good news is that the CCPA is not the first privacy regulation of its kind to be implemented; 2018 saw the General Data Protection Regulation (GDPR) come into effect, a groundbreaking law at its time of implementation that forced organizations to rethink the entire way they approach data management. Thanks to the overarching effect of the GDPR and the increasingly privacy-conscious consumer, data protection and privacy have essentially become table talk.

Following the GDPR, a slew of privacy regulations have cropped up across different regions. As a result, even if your company managed to escape the reach of the GDPR, it’s becoming extremely difficult to not give consumer privacy and data management serious consideration in your business operations. In today’s world, achieving regulatory compliance has become synonymous with the quality and trustworthiness of a brand.

Many companies are hoping to leverage the preparations they put in place for the GDPR towards their CCPA compliance efforts. However, even though GDPR prep will prove useful, the CCPA has many nuances and some major differences that organizations will need to address specifically.

Challenges posed by the CCPA 

The CCPA poses some challenges that are significantly different from the GDPR. To start, companies need to add a “Do Not Sell My Personal Information” option on all their websites and mobile applications. Organizations also need to update and maintain a detailed list of all user data they’ve collected, and need to provide users with an easy way to request the deletion of this data.

This is easier said than done given the sheer volume of data that businesses collect these days, not to mention the set of challenges that come with validating the user identity when data deletion requests start coming in. In addition to this, companies risk facing additional penalties should consumers exercise their right to sue organizations for damages in the event of a data breach.

If the organization is found to be guilty of failing to implement appropriate controls to counter data breaches, it could potentially be fined anywhere from $100-$750 per user per incident. This amount may seem trivial, but can quickly add up to millions given that most data breaches impact tens of thousands of records.

The key differences between the CCPA and the GDPR

While the CCPA does resemble the GDPR in some aspects, organizations will need to invest in CCPA-specific policies, processes, and tools to achieve compliance.






GDPR: Personal data of EU data subjects.
CCPA: Personal data of California residents.

GDPR: Applicable to any organization, irrespective of size and whether their activity is for profit or not.
CCPA: Applicable only to for-profit businesses that have an annual gross revenue exceeding $25 million, collect the data of 50,000 or more consumers, or derive 50 percent or more of their annual revenues from selling consumers’ personal information.

Legal basis
GDPR: Data controllers can only process personal data when there is legal ground for it.
CCPA: No provision for legal basis for collecting and processing personal information.

Non-compliance penalties
GDPR: Four percent of global turnover or €20 million, whichever is higher.
CCPA: Up to $2,500 for each violation, or $7,500 for each intentional violation.

Private right of action
GDPR: Data subjects may file a claim for damages.
CCPA: Up to $750 per consumer per violation.

GDPR: Consumers must opt in before their data is collected.
CCPA: Businesses must allow users to opt out of data collection.

Third-party data transfer
GDPR: Consumers must explicitly provide consent before third-party transfer or processing.
CCPA: Need to notify customers before the sale and transfer of their data so that they may opt out.

Grace period
GDPR: None provided.
CCPA: 30 days since breach notification.

The bottom line is that companies need to clearly understand the differences between the GDPR and the CCPA, and will need to carefully assess their data management strategies to achieve compliance. But the good news is that this can have long-term payoffs in addition to the consumer trust and brand value that come with it.