California Consumer Privacy Act (CCPA) vs. GDPR: What’s the Difference?

By Mike Smith | Published on 04.16.2019 | Compliance

Data security and data privacy regulations are growing in number, strictness and complexity year on year. For many governing bodies, data protection and the privacy of the individual are major priorities. Any organization that handles sensitive information (Personally Identifiable Information or other confidential data) is likely to fall under one or more of these regulations.

Midway through last year, on 25 May 2018, the EU's General Data Protection Regulation (GDPR) became enforceable, strengthening the privacy and security of personal data relating to individuals in the EU. Soon afterwards, on 28 June 2018, California signed the California Consumer Privacy Act (CCPA) into law, introducing some of the country's most stringent data privacy rules to date.

It is likely that the CCPA owes much to the far-reaching influence of the GDPR. As the CCPA takes effect on 1 January 2020, organizations need to understand why it matters, how to comply with it and how it differs from the GDPR.

An Overview of the California Consumer Privacy Act (CCPA)

At a basic level, the CCPA exists to ensure that companies protect the rights of California consumers and handle their data with greater security and transparency. The CCPA puts control back into the hands of consumers over how their data is stored, processed and handled, and gives them the right to request that their data be disclosed, deleted or not sold to third parties.

Here is a quick summary of what a business must disclose to a consumer upon request:

  • The categories of personal information the business has collected about the consumer
  • The categories of sources from which the personal information was collected
  • The business or commercial purpose for which the data was collected
  • The categories of third parties with which the business has shared the data
  • The specific pieces of personal information that have been collected

There are also more specific rules for the personal information of minors. The personal information of consumers who are at least 13 but under 16 years old, for example, cannot be sold to third parties unless the consumer specifically opts in. For anyone under the age of 13, a parent or guardian must give that consent.

Does the CCPA Apply to Your Business?

If you are a for-profit business doing business in California that collects consumers' personal data, the CCPA likely applies to you. There are, however, specific criteria for what counts as a business and the thresholds you must meet to be bound by the mandate. A business is a for-profit entity that meets one or more of the following criteria:

  • Has annual gross revenues in excess of $25 million
  • Annually buys, receives for commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices
  • Derives 50% or more of its annual revenue from selling consumers' personal information

One important point to add is that the CCPA applies to any qualifying business that collects the personal data of California residents, whether or not the business itself is located in California.

CCPA vs. GDPR: What’s the Difference?

Anyone familiar with the ins and outs of the GDPR will notice some striking similarities with the CCPA. The CCPA was modelled, to some extent, on the GDPR, but there are important distinctions. It would be impossible to list them all here, but we have summarized some of the most important points below:

  • The GDPR protects individuals located in the EU regardless of citizenship, whereas the CCPA protects only residents of the state of California.
  • The CCPA applies only to businesses that meet the thresholds described above, whereas the GDPR applies to any organization that stores, processes or otherwise handles the personal data of individuals in the EU, with no revenue or volume threshold.
  • The GDPR takes an opt-in approach: an organization needs a lawful basis, frequently explicit consent, before it processes personal data. The CCPA is largely opt-out: a business may collect and sell the personal information of adult consumers (for example, once they sign up or make a purchase) unless and until the consumer opts out of the sale.
  • Penalties are calculated differently. CCPA civil penalties are assessed per violation, up to $2,500 for each violation and up to $7,500 for each intentional violation, whereas GDPR fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher.

If you are working towards compliance with either the CCPA or the GDPR, you will need a data security platform that helps you improve the security and privacy of the personal information you hold. For more information, schedule a free data risk assessment with Lepide today.
