By passing the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, the Golden State is taking a major step in the protection of consumer data. The new law gives consumers insight into and control of their personal information collected online. This follows a growing number of privacy concerns around corporate access to and sales of personal information with leading tech companies like Facebook and Google.
The bill was signed by Governor Jerry Brown hours after it was unanimously approved by the State Assembly and Senate. The law will ultimately result in strict control of consumer data usage from corporate entities, as well as major fines for tech companies that do not comply with it.
The CCPA is a strong step in the right direction for the U.S. However, it does not go as far as European Union’s General Data Protection Regulation (GDPR), which went into effect May 25, 2018.
The GDPR unifies data privacy laws across Europe while protecting and empowering EU citizens’ data privacy. It also impacts every company that processes or controls EU citizens’ data, regardless of location, which means that the GDPR is legally binding for U.S. businesses with global operations, international sites or even remote workers.
It remains to be seen what the final version of the CCPA will look like and how closely it may resemble the GDPR. With that said, it’s important for companies to be in complete compliance with both sets of laws.
Although the CCPA appears to be like the GDPR, there are four main differences between the two laws.
The businesses that must comply
The GDPR applies to all businesses that process data of EU citizens, irrespective of their location or size. The CCPA is slightly narrower in its scope: it only applies to California-based businesses with a revenue above $25 million USD or those whose primary business is the sale of personal information. (The latter criterion is a nod to the Facebook/Cambridge Analytica scandal.)
The GDPR mandates penalties for non-compliance and/or data breach, which can reach up to 4% of the company’s annual global turnover or 20 million euros (whichever amount is greater), with the commitment that administrative levies will be applied proportionately.
CCPA fines are applied per violation (up to a maximum of $7,500 USD per violation) with no overall cap on the total, and there are apparently no sanctions for non-compliance as such. A violation is only considered at the point of breach (many would say too late), whereas the GDPR can apply a sanction where a company is deemed to be at risk of a breach or not behaving responsibly. In addition, the CCPA allows the consumer to sue the business for a violation.
Both regulations endow the consumer with specific rights such as the right to have information deleted or accessed. The GDPR is specifically focused on all data related to the EU consumer/citizen whereas the CCPA considers both the consumer and household as identifiable entities and, in some cases, only considers data provided by the consumer as opposed to data sourced or purchased from third parties. It is important that businesses test their processes to ensure they can accommodate these rights.
Enactment and enforcement
Before the CCPA goes into effect in 2020, it may be amended to become more detailed. In its current form, it looks like it was created in reaction to recently publicised instances of misuse of personal data. In comparison, the GDPR was adopted in April 2016 and became enforceable on May 25, 2018.
Although the California Consumer Data Privacy law is not as comprehensive as the GDPR, it’s the first step to protecting consumer data. California pioneered tech innovation and is now paving the way for consumer privacy. This new law gives consumers more protection and understanding of how their data is being collected and used, which ultimately gives them control of their data. Other states are expected to follow California’s lead and it will be interesting to see which state will be next.
The use of encryption is addressed in both laws
The good news is that both laws call for data encryption, making this an essential privacy protection component for businesses. If breached data is encrypted, companies have a level of protection against unauthorized access and some reduction in liability by default.
GDPR’s Article 32 is focused on encryption. The regulation doesn’t prescribe any specific technologies, and Article 32 is the first and only technical recommendation provided within the whole set of articles (99 in all).
Under both regulations, if a company suffers a breach but the data is encrypted (unintelligible to unauthorized users), some of the company’s obligations are reduced. For instance, in that case the organization is not required to notify everyone affected by the incident.