Most of us are aware that California’s new consumer privacy law- CCPA – is set to take effect next January. While that might seem like eons away, it is not.
You might be forgiven for thinking that because you have twisted and strengthened your operation to comply with the EU’s General Data Protection Act, GDPR for short, you surely must be meeting the California privacy requirements.
Sadly – you are wrong. It’s time to roll up your sleeves and figure out first whether you are affected, and two, what you need to do about it.
When comparing GDPR and CCPA, there are of course some similarities. Individuals have the right to opt out of data selling, and can request data access and demand erasure.
Both privacy laws – GDPR and CCPA – do require that organizations review on its service-level agreements, with a view of strengthening where necessary.
And these two laws also have steep penalties for those who fail to comply with its laws. While GDPR has a 4% annual turnover cap, the CCPA has not ceiling, guidelines currently set at $7500/infraction, says this report. It would be an expensive oversight.
A big fundamental difference, according to Tech Bullion, is that GDPR is designed to protect the data and the privacy of its subjects – residents in the EU. The California Consumer Privacy Act CCPA is a different kettle of fish. It is targeting for-profit companies carrying out business in the state:
-entity must have a gross revenue of more than $25 USD
-entity receives more than 50 per cent of its annual revenue from trading consumer’s private information
-entity has personal info on more than 50,000 consumers, devices or households.
Also – and this gets a little murky – the law also applies, it seems, to “bodies that share or are subject to ‘common branding’ with a company that coincides with the above requirements.”
So could that mean that a non-profit in bed with an organization that fits within the CCPA remit could be impacted?
Another interesting difference is how each regulatory body defines personal information. The CCPA’s definition of personal information is broader because it also covers electronic network activity. For example, CCPA considers identifiable household, device or IP address information as personal information; GDPR does not.
However, where data principles are defined by GDPR, it seems the same cannot be said for CCPA. Unlike GDPR, the CCPA does not contain data processing principles. It imposes less restrictions on what an organization can do internally with personal data. The California Attorney General can issue guidelines on how it should be enforced, and we eagerly await those to see how it will impact affected firms.
It seems the big boys are sounding the alarm for CCPA-impacted data traders to get their skates on. At a recent panel of privacy exec at RSA 2019, UBER’S chief privacy officer Ruby Zefo said:
“This is not the time to take a wait-and-see approach. It’s here, it’s not going to change very much in my opinion, unless it’s to get more onerous for businesses, so you really should start prepping now.”
We’ve pulled together for you a handy table to help you better understand the differences between GDPR and CCPA.