The CCPA is the California Consumer Privacy Act, which took effect on January 1, 2020. It gives California consumers additional rights and protections over how businesses may collect and use their personal information.
Like the GDPR, the CCPA grants consumers a set of rights:
- A right to know what personal data is collected, used, shared, or sold by businesses.
- A right to delete personal data.
- A right to opt out of the sale of personal data. For consumers under 16 the default is reversed: a 13- to 15-year-old must opt in before their data may be sold, and for a child under 13 a parent or guardian must give affirmative consent.
- A guarantee that consumers who exercise their rights under the CCPA will not be penalised with higher prices or lower levels of service than those who do not.
There are also obligations for Businesses:
- Notifying consumers in advance of the personal data being collected.
- Making it easy for consumers to exercise their rights under the act, for example by providing a clear "Do Not Sell My Personal Information" link on their websites and mobile apps.
- Responding within specific time frames to requests made by consumers under the act.
- Verifying the identity of consumers making requests under the act.
- Disclosing any financial incentives offered in exchange for the retention or sale of personal data, as well as how the value of this data was calculated. Also, businesses must explain why they believe such incentives to be permitted under the CCPA.
- Keeping records of all requests made under the act and how they responded.
- Maintaining data inventories and mapping data flows.
- Disclosing data privacy policies and practices.
However, there are some key differences between the GDPR and the CCPA.
- The GDPR applies to any organisation, wherever it is located and whatever its size, that processes the personal data of individuals in the EU. The CCPA applies to for-profit businesses that do business in California (they need not be based there) and meet at least one threshold: annual gross revenue above $25 million USD; buying, selling or sharing the personal information of 50,000 or more consumers, households or devices a year; or deriving 50% or more of annual revenue from selling personal information.
- GDPR fines run up to 4% of the company's global annual turnover or €20 million, whichever is higher. CCPA civil penalties are assessed per violation (up to $2,500, or $7,500 for an intentional violation) with no overall cap. A GDPR supervisory authority can sanction a company for inadequate practices before any breach occurs, whereas the CCPA's private right of action, which lets consumers sue the business directly, is triggered only by a data breach (many would say too late) and only where the exposed data was nonencrypted and nonredacted.
- The GDPR covers all personal data relating to an identified or identifiable natural person. The CCPA treats both the individual consumer and the household as identifiable, and some of its rights are narrower than their GDPR counterparts: the right to delete, for example, covers personal information the business collected from the consumer, not data it sourced or purchased from third parties.
The use of encryption is addressed in both laws
The good news is that both laws reward encryption of personal data, making it an essential privacy control for businesses. If breached data was encrypted, the company has a real defence against unauthorised access and, in both regimes, a reduction in liability.
Under the GDPR, a controller need not notify affected individuals of a breach if the data was rendered unintelligible to anyone not authorised to access it, such as through encryption (Article 34(3)(a)); the supervisory authority must still be notified under Article 33 unless the breach is unlikely to result in a risk to individuals. Under the CCPA, the consumer's private right of action for a breach applies only to nonencrypted and nonredacted personal information. The caveat in both cases is that encryption only counts if the keys were not exposed along with the data: a database dump is unintelligible only while the key sits somewhere the attacker did not reach, so key management and key separation matter as much as the cipher.
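As an added example (not code from the original article), the following Go program shows what "unintelligible to unauthorised users" looks like in practice for a table of personal information: each record's sensitive fields are sealed with AES-256-GCM under a key that is assumed to live outside the database (a KMS or HSM in a real deployment), the record ID is bound as additional authenticated data, and any attempt to read the row without the right key, under another record ID, or after modification fails closed. The record layout, field names and key handling are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// PersonalInfo holds the fields a breach would expose (constructed example).
type PersonalInfo struct {
	Name  string `json:"name"`
	Email string `json:"email"`
	SSN   string `json:"ssn"`
}

// StoredRecord is what lands in the database: an identifier and ciphertext
// only. The key is never stored alongside it.
type StoredRecord struct {
	ID         string
	Ciphertext string // base64(nonce || AES-GCM ciphertext || tag)
}

// NewDataKey returns a random 256-bit AES key. In a real deployment the key
// is generated and held by a KMS or HSM, not by the service writing rows
// (assumed here for the illustration).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals p under key with AES-256-GCM. The record ID is bound
// as additional authenticated data, so a ciphertext copied into another
// row fails authentication instead of decrypting.
func EncryptRecord(key []byte, id string, p PersonalInfo) (StoredRecord, error) {
	aead, err := newGCM(key)
	if err != nil {
		return StoredRecord{}, err
	}
	plaintext, err := json.Marshal(p)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	sealed := aead.Seal(nonce, nonce, plaintext, []byte(id))
	return StoredRecord{ID: id, Ciphertext: base64.StdEncoding.EncodeToString(sealed)}, nil
}

// DecryptRecord reverses EncryptRecord. A wrong key, a changed record ID or
// a single modified byte produces an authentication error, never garbage.
func DecryptRecord(key []byte, r StoredRecord) (PersonalInfo, error) {
	var p PersonalInfo
	aead, err := newGCM(key)
	if err != nil {
		return p, err
	}
	raw, err := base64.StdEncoding.DecodeString(r.Ciphertext)
	if err != nil {
		return p, err
	}
	if len(raw) < aead.NonceSize() {
		return p, errors.New("ciphertext too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ct, []byte(r.ID))
	if err != nil {
		return p, err
	}
	err = json.Unmarshal(plaintext, &p)
	return p, err
}

func main() {
	key, _ := NewDataKey() // fetched from the KMS at request time in practice
	row, _ := EncryptRecord(key, "cust-1001", PersonalInfo{"Ada Lovelace", "ada@example.com", "123-45-6789"})
	fmt.Printf("stored row: %+v\n", row) // a dump of this table shows no personal information

	// Attacker holding the dump but not the key: decryption fails closed.
	leakedWithoutKey, _ := NewDataKey()
	if _, err := DecryptRecord(leakedWithoutKey, row); err != nil {
		fmt.Println("dump without the key:", err)
	}
	p, _ := DecryptRecord(key, row)
	fmt.Println("authorised read:", p.Email)
}
```

A dump of StoredRecord rows alone reveals only identifiers and base64 ciphertext, so whether a breach stays within the encrypted-data carve-outs turns on whether the attacker also reached the key store. That is why the key must never be written next to the rows it protects, and why an authenticated mode such as GCM is used: an attacker who can modify the dump cannot turn it into something the application will later decrypt and act on.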
California has taken the lead, but other states are expected to follow. It will be interesting to see which state will be next.