Just as US companies are starting to grasp the General Data Protection Regulation (GDPR) and how it affects their approach to data privacy, new state laws are preparing to come into effect that will place new burdens on enterprises. And even if your organization has already taken measures to comply with GDPR requirements, it doesn’t mean that you’re set and done when it comes to addressing the requirements of emerging legislation.
Specifically, California’s governor signed a new consumer privacy law—the California Consumer Privacy Act of 2018 (CCPA)—on June 28, which will take effect on January 1, 2020. Legal experts widely consider this legislation the most aggressive and far-reaching privacy protection measure ever enacted in the US, and it will likely lead other states, or even the federal government, to eventually follow suit.
Just how similar, or how different, are these statutes, and how well does your company’s previous planning for GDPR compliance prepare your organization for the new mandate? Some early analysis comparing the two pieces of legislation termed CCPA “the state’s version of GDPR” or “GDPR 2.0,” which might lead one to believe that there are wide similarities between them. However, these labels are misleading, because CCPA and GDPR have significant differences.
What’s important for companies to note here is that GDPR compliance does not equal CCPA compliance. Corporate regulatory and compliance officers—as well as their external consultants in law firms—need to be aware of this fact and familiarize themselves with the differences between GDPR and the CCPA. To avoid major financial penalties, enterprises now must get ready to address both sets of rules separately, ensuring that they have done their due diligence when it comes to protecting consumer data.
Both statutes, GDPR and CCPA, have the same starting point: the premise that data privacy is a fundamental right. That means something to compliance officers, so it needs to mean something to enterprises as well. Beyond that premise, there are a few other specific areas in CCPA that are recognizable to those familiar with GDPR, which include the “right to be forgotten,” the “right to portability,” and the “right to access data.” After that, these statutes diverge significantly. Despite any similarities that the new California act has with GDPR or influence that the latter had in crafting the former, CCPA requires different compliance thresholds.
One major difference is how these rights are delivered, and the method of sanctions—in other words, who gets paid if a violation of a consumer’s data privacy is determined to have occurred. For instance, in California statute, the affected individual has a right to recover money. The California act includes an area called “presumed damages,” or the explicitly stated damages that consumers can be awarded if a data breach occurs that affects an individual’s personal data. In this far-reaching provision, California citizens are empowered to initiate a civil action to recover damages if they feel an organization hasn’t sufficiently protected their personal data, as in the event of a data breach.
Under CCPA, the possible damages of a breach equal an amount of not less than $100 and not more than $750 per consumer per incident—or actual damages, whichever is greater. So if a breach occurs and consumer data is accessed—or even if it could have been accessed—CCPA presumes the data will be misused. Though fines in the hundreds of dollars may seem small, the result could reach millions of dollars for larger breaches, depending on how many consumers were affected. The potential fines and penalties under GDPR may end up even higher, since a compliance failure can draw a fine of 4% of global revenue or EUR 20m ($23.1m), whichever is higher.
Another major discrepancy between GDPR and CCPA is that the consumer has more rights under the California act than under the EU regulation, specifically the right to stop the sale of their data to third parties before it happens, and the right to know the purpose for which their data is being collected and sold. CCPA will require that companies inform California residents what data the organization is collecting and how that information is being used. It also gives state residents the option to ask the company to delete the data or stop selling it. CCPA does not, however, prevent organizations from collecting people’s data or give consumers the option to request that a company stop collecting their personal data, which differentiates its language from GDPR.
There’s also the significant distinction of who is affected by each type of legislation. CCPA has in essence taken small businesses out of the requirement, since it is directed at businesses that have $25m or more in revenue, or trade in the data of 50,000 or more people or endpoints, or derive half or more of their revenue from selling personal information of consumers. (In the draft version of this statute, the requirement had been stated as $50m in revenue, so it was originally intended to cover only very large companies. With the figure now cut in half, the net is a lot wider as to who is impacted by this new law, and it’s still a very large universe of companies.) So the California law primarily affects medium to large businesses, unless an amendment changes that before 2020. GDPR, on the other hand, affects all businesses without limits on revenue size.
Even if you’ve already prepared for GDPR, enterprises collecting or in possession of California resident data can’t grow complacent now, since CCPA raises the bar for an even higher level of data security. Companies should plan to first focus on data consolidation and then security in light of this new environment, keeping in mind that it’s more efficient and easier to secure a single repository—plus perform search, review, production, and retention/disposition on the data—instead of trying to work with multiple application repositories with varying capabilities and rules.
The new California state law also will force companies to increase their awareness of exactly what consumer data they are collecting, and they’ll need to find a way to manage that data more granularly. As with the recently released GDPR requirements, it’s again time to ramp up and get prepared for the new California law. And don’t be surprised if this pattern repeats itself, adding to the compliance complications when other states enter the fray and consider adopting their own consumer data privacy legislation down the road. While it’s possible that other states will decide to adopt California’s law, we also could end up with a patchwork of requirements if each state designs its own customized privacy regulation. (Which also raises the question: will this at some point progress towards federal regulation?)
While it will take enterprises a while to fully grasp the distinctions between these two important statutes in the consumer data privacy realm, it helps to keep one bottom-line fact in mind. If your company has taken the needed steps to become GDPR compliant, and your assumption was that your business is now also “California ready” when it comes to CCPA, that’s not accurate. Gear up, because it’s time for you to adjust your systems again to become compliant with California law, and to ensure that data security and information management take center stage.