California, which has long set the national precedent for consumer protection in the digital era, has passed the far most reaching privacy protection law yet in the US. The California Consumer Privacy Act (“CCPA”) will grant California consumers control over their personal information and sets the stage for a fundamental realignment for how companies doing business in the State (and by extension, the U.S. as a whole) interact with their customer data.
The focus on consumer data rights has understandably drawn comparisons between the CCPA and the EU’s General Data Protection Regulation (“GDPR”). While there is clearly a high degree of overlap – and even in some crucial areas almost identical language – the CCPA shouldn’t be understood so much as California’s GDPR, but instead on its own terms: firstly, as an indication that privacy concerns have crossed the Atlantic Ocean, and secondly, that legislators understand that a stick is needed to take privacy protection seriously – in true American fashion, through both litigation and fines.
How to interpret and address CCPA between now and July 1, 2020, when the law goes into effect will likely be as much as a mad scramble as was the passage of GDPR for companies subject to the regulation. This blog and forthcoming white paper on putting CCPA into the context of policies and processes outlines the key changes introduced by the CCPA and provides a set of steps to prepare for what’s next.
GDPR vs CCPA
The comparison with GDPR is certainly instructive in terms of mapping where any existing CCPA compliance efforts can be repurposed for those already covered by the EU regulation – but also where additional, or even primary work is needed:
Like GDPR, CCPA puts data subject rights front and center – requiring companies to account for how they collect and sell customer information.
• Unlike GDPR, the CCPA provides the option provides for rules that allow businesses to offer financial incentives in exchange for user data in certain situations.
Like GDPR, CCPA expands the definition of what type of data needs to be protected and accounted for
• Under the Act, personal information includes information that “identifies, relates to, describes, or is capable of being associated with a particular consumer or household.”
• CCPA includes IP addresses, geolocation data, biometric information, and “unique identifiers” such as device and cookie IDs, Internet activity information.
Like GDPR, CCPA establishes significant penalties for non-compliance and violation of consumer privacy
• While the provision has already drawn fire, the law carves out for consumers a new “private right of action” and the ability to bring a class action suit for breaches that result from inadequate security precautions as well as “knowing and willful” violations. In addition, regulators will levy fines between $750 and $7,500 per violation – making breaches even more costly than before.
In line with the GDPR and existing California breach notification laws, companies are subject to a timeline to notify customers in the event of a breach – but will be liable for the breach itself, not just failure to report
• The CCPA includes a provision for California’s Attorney General to sue on behalf of consumers, for up to $7,500 per violation.
• By extending what is considered personal information, the CCPA effectively extends the scope of company data sources and data categories that are subject to notification requirements in the event of a breach.
Shared Goals: Know Your Data
The CCPA, like the GDPR, grants California residents similar data protection rights like the rights of access and deletion of one’s own information. These new rights will require companies to easily locate in scope personal data across a modern data landscape spanning databases, file shares, logs, Big Data, cloud etc.
For enterprises with complex data collection and processing, it will be important to get a picture of what personal data is collected and how it is used in a verifiable data-driven way. Moreover to meet personal data rights it will be necessary to identify what data qualifies as personal under CCPA, and to whom the data belongs so as to easily respond to access or deletion requests from individuals.
Shared Goals: Know Your Data Usage
While the CCPA has a narrower application of consent requirements compared to the GDPR, the Act’s provision for operationalizing opt-outs for selling personal information will still result in similar consent accountability and transparency requirements.
To prove compliance with the CCPA and to strengthen consumer trust around unauthorized data sharing businesses will want to consider GDPR like records of data processing to more easily audit data sharing while simultaneously implementing a consent governance framework to record sharing preferences and restrict unauthorized sharing.
Countdown to Compliance
Like the GDPR, the CCPA introduces a new set of consumer data protection rights as well as hefty fines for companies that violate those rights and a consumer right of action to sue for noncompliance. Therefore, covered organizations must ensure that they know where all personal information is stored within the organization’s IT environment in order to appropriately and timely respond to requests. They must also be able to easily identify or infer which individuals live in California which will require a higher degree of data intelligence tooling.
While the legislature will continue to make amendments to the CCPA before the January 1, 2020 enforcement date, covered businesses should start preparing now to achieve compliance with an examination of tooling to inventory, map, govern and control their personal data.