The California Consumer Privacy Act (CCPA) has been dubbed California’s GDPR, a reference to the comprehensive data protection law that took effect in Europe in May 2018, just one month before the CCPA was passed. The CCPA, which is set to take effect in January 2020, creates new rights for Californians and obligations for businesses handling their information. The CCPA is said to be modeled on the GDPR; however, there are some clear differences between the two laws.
Both the CCPA and the GDPR give individuals certain rights over how their personal information is collected and used, but there are several important contrasts to be aware of. Because California has a much larger economy than the UK, the implications of penalties may be even more severe than those of the GDPR. Even though the CCPA does not go into effect until 2020, we are already seeing it influence federal legislation.
Understand the similarities and differences between the GDPR and CCPA.
| Topic | CCPA | GDPR |
|---|---|---|
| Who It Protects | ‘Consumers’ who are California residents | ‘Data Subjects’ in the European Union |
| | Defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes not only identifiers like name or address, but extends to browsing history, behavioral data and more. | Defined as any information relating to an identified or identifiable natural person, directly or indirectly. This usually means data like address, license plate numbers, SSN, blood type, bank account information, and more. |
| | Grants consumers five rights: (1) the right to disclosure; (2) the right to deletion; (3) the right to access; (4) the right to opt-out; (5) the right to non-discrimination | Grants data subjects eight rights: (1) the right to be informed; (2) the right to access; (3) the right to rectification; (4) the right to erasure; (5) the right to restrict processing; (6) the right to data portability; (7) the right to object; (8) rights in relation to automated individual decision making, including profiling |
| Right to Deletion | CCPA right to deletion applies to data collected from and about the consumer | GDPR right to deletion applies to all data collected about the consumer |
| Who Must Comply | “California businesses” of substantial size (with regards to revenue or number of consumers affected) that collect consumer personal data | Any “data controllers” (who determine the purpose and means of processing the data) and “data processors” (who process this data for the controller) that hold personal data of EU citizens. |
| Basis for Consent | Allows sites to collect and sell your data if you sign up or make an online purchase and only offers consumers the right to opt-out. | Requires consumers to opt-in to data collection by instructing sites to get consent before collecting data. |
| Time allowed to respond to a request | Responsible parties have 30 days to respond to a request | Responsible parties have 40 days to respond to a request |
| | Organizations in breach can be fined up to $2,500 per violation for negligent violations and up to $7,500 per violation for intentional violations. | Organizations in breach can be fined up to 4% of annual global turnover or EUR 20 million. |
While in many ways the GDPR and the CCPA align, there are notable differences between the two regulations. The GDPR’s definitions are often broader, while the CCPA has taken a more specific approach to its scope. That does not mean, however, that companies that are GDPR compliant don’t need to worry about the CCPA.
Don’t expect this to be the last privacy act, either — there are many more on the horizon. Companies should be prepared to meet more stringent data privacy regulations that focus on data discovery, security, and classification. Stay tuned…
Just when you settled into a post-GDPR routine, there is a new consumer privacy law looming. The California Consumer Privacy Act of 2018, also known as CCPA, goes into effect on January 1, 2020, and will have implications for marketing to consumers.
In a nutshell, CCPA will empower people to know the types of personal information businesses collect about them, and give them the right not to agree to the sale of their personal data to other parties. More specifically, CCPA introduces the following:
What Businesses Will Be Affected by the CCPA?
While the CCPA could be influential in shaping additional consumer data regulations, for now the law’s scope is limited to mid- to large-sized businesses that do business in California. Companies are subject to the terms of the CCPA when they meet one of the following conditions:
Are There Any Penalties?
Currently, penalties in the law can include up to $7,500 per incident, meaning that a data breach involving 10,000 customers could end up costing a business as much as $75 million.
When Does the CCPA Go into Effect?
Technically, the CCPA went into effect when it was signed into law on June 28, 2018. However, the requirements will go into effect on January 1, 2020. That said, January 1 is not the end of the line. The California Attorney General has until July 2, 2020 to publish regulations. (Legislation is what the legislative body passes. Regulations are the standards for enforcing the law.) Also, the Attorney General cannot bring legal action against violators of the CCPA until either July 1, 2020 or six months after the final regulations are published, whichever comes first. More to come…