It’s the second week of a new decade and there are already new regulatory changes that have major implications for corporate legal departments. On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) took effect requiring businesses to alter privacy policies to abide by new consumer regulations for 2020 and beyond. Piggybacking on Europe’s General Data Protection Regulation (GDPR), CCPA sets new rights and requirements for the distribution of California consumers’ personal information. Corporations across the country, and perhaps internationally as well, will be impacted by this new law.
Companies that adapted to GDPR, widely considered the new global standard for data privacy protection and undoubtedly the inspiration for CCPA, will naturally attempt to reuse similar protocols for CCPA compliance. Tech giants like Facebook and Google might come out unscathed using this method, because they have the means and resources to resolve issues as they arise. But other organizations that do not have the same budget may encounter a few hiccups at the onset, because, while similar, there are distinctive differences between the two laws.
What is CCPA and why is it significant?
The purpose of CCPA is to enhance privacy rights and consumer protection for the residents of California. It gives California residents the right to access their personal information, request that a business delete their personal information, and opt out of having their personal information disclosed or sold.
This greatly impacts the privacy policy of any organization that does business in California and meets the required thresholds; the implementation of CCPA will affect the way these businesses collect and manage data. It creates a morass of new processes and technologies that must be put into place to abide by these new procedures.
Furthermore, it opens the door for other states to pass similar legislation in the years to come, perhaps even at the federal level. Not putting such procedures in place now can cost a company more later down the line in fines, so committing to meet these requirements now will save money in the long run. Businesses need to be prepared to respond and adhere to such regulations now and potentially in the future.
How does CCPA differ from GDPR?
There are a number of differences between CCPA and GDPR. While both require detailed privacy notices, the content required to satisfy each differs: a privacy policy that meets GDPR requirements will not necessarily satisfy CCPA. The thresholds, penalties and procedural specifics of the two laws differ as well, as summarized below.
| Concern | CCPA | GDPR |
|---|---|---|
| Business Requirements | 25 million in revenue; or 50% of revenue comes from selling PI; or captures data on 50K residents | Established in the EU; or not established and offers goods and services to EU residents; or not established and monitors an individual's EU behavior |
| Regulatory Oversight | California Attorney General | Acting authority within each member state |
| Financial Penalty | Fine of up to $7,500 per violation | A percentage of gross revenues |
| Breach Notification Rule | Notify as soon as possible | Notify within 72 hours after being aware of the breach |
| Grace Period | 30 days after the initial notice | None |
| Private Right of Action | May initiate an action to recover damages up to $750 per incident or actual damages, whichever is greater | EU citizens have the right to pursue compensation claims against controllers |
| Setting Enabled to Deny the Selling of Personal Information | Required | Not required |
| Offer Incentives in Exchange for Data | Permissible | Permissible, but must proceed with caution |
| Requesting Access to Information | Requires 2 methods (telephone and website) | At least one method |
| Consumer Access Request Time Period | 45 days or more | 30 days or more |
Similar to GDPR, CCPA grants individuals the right to opt out of the disclosure and sale of their personal information. This means businesses are obligated to add an opt-out option to their website or mobile apps. However, CCPA does not provide all of the same consumer rights as GDPR. One of the most significant differences is that CCPA does not require a legal basis for processing personal data.
| Concern | CCPA | GDPR |
|---|---|---|
| Consumers Can Opt Out of Third Party Data Selling | ✓ | ✓ |
| Opt-in Consent Required for Minors | ✓ | ✓ |
| Access Data Rights | ✓ | ✓ |
| Delete Data Rights | ✓ | ✓ |
| Data Portability Rights | ✓ | ✓ |
| Legal Basis Required | ✗ | ✓ |
| Data Minimization Rights | ✗ | ✓ |
| Data Rectification Rights | ✗ | ✓ |
| Data Protection Officer Required | ✗ | ✓ |
Who will be most impacted by CCPA and how does this apply to the legal industry?
The implementation of CCPA will create a new and complicated world for data privacy. The biggest question is who will be most impacted by CCPA? And the question everyone is dying to know: how does it apply to the legal industry? We will cover this and more in our next blog in this 3-part series. Stay tuned for the next blog!
Author
Vice President, Growth Enablement
Amit Dungarani has extensive experience playing critical roles in guiding large corporate and government enterprises with their digital and business process transformation objectives. He has been instrumental to the company's growth and organizational maturity at every organization he has been with. Over the past 23 years, he has held leadership…