California Consumer Privacy Act – Are you ready for January 2020?

The CCPA will take effect on January 1, 2020. Are you ready?

Like Europe, California has been trying to pass updated data protection legislation for many years. While the General Data Protection Regulation (GDPR) came into effect on May 27th, 2018, amid a great deal of media attention and speculation, the road to rolling out the California Consumer Privacy Act (CCPA) has not been as smooth or attention-grabbing.

But finally, after many years of political in-fighting and pushback from tech companies, the CCPA will come into effect on January 1st, 2020.

This is an outcome of the GDPR's far-reaching influence, which has shifted government priorities and made legislators more willing to protect individual privacy.


Similarities and differences to GDPR

The GDPR has put data protection on the map and paved the way for the next generation of privacy-first legislation, including the California Consumer Privacy Act (CCPA).

Given that it was inspired by the GDPR, the CCPA shares many similarities with its European counterpart. Below we outline the main similarities and differences between the two acts.

Territorial Scope

The territorial scope of both the GDPR and the CCPA extends well beyond the physical borders of each jurisdiction. The GDPR applies to companies that are established in the EU, but also to those that offer goods and services to, or monitor the behavior of, individuals residing in the EU. Similarly, the CCPA applies to companies that do business in the State of California, regardless of where they are situated, when they process the data of California residents.

The main difference here between the GDPR and the CCPA is that companies that do not do business in California but monitor the behavior of its residents are not subject to the CCPA.

Material Reach

Both the GDPR and the CCPA regulate the handling of personally identifiable information; however, there are again some differences in material reach. Presently, the CCPA is not limited to data that is automatically processed, unlike the GDPR and other data protection laws.

The CCPA and the GDPR also define different roles of responsibility. Under the GDPR there are three main roles: a controller (determines the purposes for which the data is processed), a processor (processes data on behalf of the controller) and a data subject (an EU resident who can be identified by an identifier such as a name, an ID number or even physical factors). Under the CCPA there are four roles, which are largely self-explanatory: businesses (for-profit controllers that meet certain criteria outlined in the act), service providers (a processor acting for a business), third parties (any entity that is neither a business nor a service provider and that receives data from a business) and consumers (California residents). The roles in each law can be matched up easily; it is the qualifying criteria that make them differ. For example, the CCPA applies to for-profit businesses only, whereas the GDPR applies to both for-profit and non-profit organizations.

Determining what is personal data

The CCPA certainly has the more extensive description of what constitutes personal data. It states that personal data is "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household" (Cal. Civ. Code § 1798.140(o)(1)). The list of identifiers is extensive, including IP addresses, cookies and even tags.

Processing data

While both laws were set up to protect personal data, the CCPA differs from the GDPR in some significant ways, particularly regarding the scope of application, the nature and extent of collection limitations, and the rules concerning accountability. One of the most prominent differences is that the CCPA does not contain data processing principles governing what a company may do internally when processing personal data.

Opting in and out

Both the CCPA and the GDPR give individuals certain rights over how their personal information is collected and used, such as the right to have that information deleted if they choose and the ability to ask an organization to stop selling or sharing their personal information.

One difference, however, is that the GDPR requires consumer consent to collect data, whereas no such restriction applies under the CCPA. In other words, the US legislation allows businesses to freely collect personally identifiable data, and consumers are then given a choice as to whether the organization may sell what it has gathered. The CCPA requires companies to place a "do not sell my personal information" link on the homepage of their website.

Penalties

Both the CCPA and the GDPR provide for monetary penalties in case of non-compliance. Under the CCPA, civil penalties are issued by a court: any violation is assessed and recovered in a civil action brought by the Attorney General. Under the GDPR, administrative fines can be issued directly by a data protection authority.

Due to the size of California's economy, the financial implications of penalties may be even more severe than under the GDPR. Penalties under the CCPA fall between $2,500 and $7,500 per violation, depending on the type of breach. However, there is no cap on the number of violations that can be assessed, so the penalties can quickly mount up.

More data protection acts in the pipeline

Proposed NY Privacy Act

With the CCPA set to go into effect in January 2020, New York State is hoping to follow suit with the introduction of the New York Privacy Act. While it has yet to make its way through the New York legislature, many feel the proposed bill will be stricter than anything yet seen on that side of the Atlantic. This is a clear indication of the future of data protection and highlights the need for companies worldwide to be covered.

In summary

The CCPA is the first overarching U.S. data protection law to come into force, but as described above it differs significantly from other data protection laws such as the GDPR. It will require companies doing business in California to invest in compliance solutions. Nobody should assume that being GDPR compliant makes them CCPA compliant. Preparing an organization to comply with the CCPA is not a small task; an effective readiness program takes time and effort even to cover the following basic elements of the CCPA:

  • Find all your data, including data hidden in unstructured sources;
  • Analyze how your organization processes personal data;
  • Determine how your organization would respond when a consumer exercises their right to the deletion of their data;
  • Train the appropriate staff to help your company comply with the CCPA;
  • Develop a plan for maintaining compliance as your business changes.


The sooner your organization can assess the risk, identify gaps and put a plan in motion, the better off you will be come January 2020. Waterford Technologies has more than 20 years' experience in unstructured data compliance for email and files. By working with us, you can set your organization on the path to unstructured data compliance, leaving you plenty of time to put the necessary controls in place.

If you have any questions about the GDPR or CCPA regulations, or if we can help in any way, please contact us today.