W. Curtis Preston, Chief Technical Evangelist, Druva, discusses America’s version of GDPR, the California Consumer Privacy Act (CCPA), and what this means for the UK in particular.
While a piece of US-based legislation such as the California Consumer Privacy Act (CCPA) may seem largely irrelevant to businesses based in the UK, it would be a mistake to ignore this impending legislation. Set to come into effect 1 January 2020, the CCPA will significantly improve the security and privacy of California residents and their personal information online.
Dubbed “America’s GDPR”, the CCPA is set to become one of the most comprehensive privacy laws in the US, and it shares many similarities with its European counterpart. Although UK businesses may feel prepared for these changes, having taken appropriate measures to meet the demands of GDPR, the scope of the CCPA is broader, bolder, and even more prescriptive.
With that in mind, executives and leaders of businesses that market to or do business with California residents must prepare for the changes this law will bring. The CCPA will affect millions of potential prospects and customers, and once the impact it can have on your business is understood, conforming to it becomes a necessity.
How does the CCPA work?
The CCPA is a set of regulations that come into effect on 1 January 2020 – intended to enhance the security and privacy of the personal information associated with people residing in California. It applies to any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Including households is a major increase in scope compared to the GDPR; a household is defined as a group of people living in the same place. The definition of personal information also covers data such as IP addresses, account names, and email addresses that hasn’t previously been covered under such regulations.
Who will be affected by the CCPA?
The CCPA covers fewer companies than the GDPR, in that it applies only to for-profit companies that collect such data, do business in California, and meet any of the following requirements:
- Have more than $25M in revenue
- Collect data on more than 50,000 subjects living in CA
- Derive more than 50% of their revenue from collecting and selling personal information
Avoiding potential backlash
The regulations specify a fine of $7,500 per intentional violation and $2,500 per unintentional violation, along with $100-750 of damages payable to each victim. Note that each individual affected counts as a separate violation, so if a company has an intentional breach of 100,000 people’s data, it could pay a fine of $750M, plus damages of $1M-$7.5M to the victims of the breach.
As with GDPR, the fines are not the point; they are there to capture your attention. Even setting fines aside, businesses that fail to become compliant will suffer from a public relations perspective.
An improved GDPR?
So, we know what GDPR means and we know what CCPA means – but it’s important to understand the key differences. Firstly, as already mentioned, CCPA includes data that can be used to identify a household, which makes it broader than the GDPR.
Whilst GDPR says that you must delete personal data you are asked to delete, unless you have a business or legal reason to keep it, the CCPA goes a bit further in specifying what those legal reasons might be. It defines nine different exceptions, such as data needed to complete a transaction, protect against malicious attacks, or debug your process. Any data not covered by those exceptions must be deleted.
The CCPA says you must notify the consumer at the point of collection what personal data you will be collecting and what you are going to do with it, including how you will monetise it. It also requires businesses to give consumers the opportunity to opt out of having their data sold. If you do not do all of that at the time of collecting the data, you must treat those consumers as having opted out of any processing or selling of their data. Processing or selling that data after the fact would likely be considered an intentional violation subject to the fines discussed above.
Interestingly, beginning 1 January 2020, a consumer can request all data that a business has collected from them over the past 12 months. This effectively makes the regulation retroactive to 1 January 2019. In addition, businesses are required to satisfy any request for information within 45 days.
Not only must a company comply with any access or deletion requests in a timely manner; it must offer multiple methods for consumers to make such requests. This means including a toll-free number and a website form.
Although the CCPA does not lack ambition in its aims and goals, much remains unclear. Firstly, whilst the legislation is set to come into effect on 1 January 2020, it may still be amended for a further six months. This means that for some time it will remain unclear exactly what the CCPA will mean for businesses in California and for their international counterparts dealing in California personal data.
And while there are murmurs of the CCPA being “just another GDPR” – the CCPA highlights the important steps that we are taking towards greater data privacy and legislation. The GDPR can be an example as to how businesses prepare – but as to what happens next, we will have to wait and see. Either way, it is clear that businesses must comply – and it’s time to take steps towards this now.