California Consumer Privacy Act (CCPA): New Law Promises Data Privacy for Californians!
The EU’s General Data Protection Regulation (GDPR) has created a revolution in the technology industry in 2018, finding a way for data privacy of its citizens.
Exactly a year later and after two years of making, the State of California has also come up with one for its residents i.e., the California Consumer Privacy Act (CCPA).
CCPA, effective from January 01, 2020, offers the residents of California the right to know how companies deal with their data and act accordingly.
If you’re an IT firm looking for CCPA awareness, here are a few important things for your close consideration:
- With CCPA, Californians can now get their data deleted or protected from being sold
- CCPA covers all sorts of personal data including biodata, passwords, contact numbers, physical address, biometrics, and tracked online behaviors like browsing history, IPs, device identifiers and more. Government sites are excluded. Any company willing to have such data have to contact the government.
- CCPA has a high standard for differentiating consumer identity from information, thus eliminating the chances of re-identification through the same data
- CCPA violation can subject businesses to USD 2500 per violation and USD 7500 for intentional failure to act upon consumer request to disclose or delete particular data
- The right to take charge of probing companies violating the law lies with the California Attorney General
- Consumers can sue businesses if found responsible for loss of personal data through data breaches caused by their negligence
- Companies cannot turn away or charge users on lines of denying the sale of data and may instead offer a stripped-down version of their services; if they wish to charge the opted-out users, they have to disclose the worth of consumer data. The law mandates for-profit companies to describe in their privacy policies about the types of data they wish to collect from users.
CCPA Vs GDPR: What’s the Difference?
CCPA allows the companies to collect same personal data that GDPR allows. However, GDPR has some strict controls on companies’ approach in data collection.
GDPR requires companies to have proper reasoning and consent for collecting user data and also minimizes the quantity of data collected.
Whereas, CCPA doesn’t require companies to undergo this process to seek user information and here, individual users set limits on data collection.
|Data controllers are those who process data||Applies for all for-profit firms that has USD 25 million in gross revenue, acts on personal data of > 50,000 users and depends on earns 50% of its revenues by selling data|
|Applies to data subjects or any persons related to personal information||Applies to Californians and also those domiciled in the state, living elsewhere temporarily|
|Mostly similar to CCPA protocols in data protection||Extends to information traced back to households or devices|
|Doesn’t explicitly allow consumers to deny sale of their data||Allows users to express their consent to sale of their data|
|Consumers can restrict data processing||Consumers can’t restrict but can only opt out|
|Fines can go up to 4% of a company’s revenues||Depends on the offense, can go up to USD 7500 per affected individual|
Discussions Around CCPA
On the Attorney General’s ability to investigate violating companies, CCPA critics say the attorney will not have all the necessary resources to catch every violation.
“Will lead to a barrage of shakedown lawsuits, as companies facing such substantial liability will be leveraged into immediate settlement, regardless of the strength of their legal defense,” the California Chamber of Commerce said in a statement.
“As written, the law gives California consumers new rights but denies them the ability to… defend themselves in court,” California Attorney General Xavier Becerra said in a statement in February 2019.
Considering the consumer’s right to sue businesses on the loss of personal data breaches, experts expect a rise in a number of lawsuits in hack incidents.
What Surveys Say About CCPA?
A November 2019 survey that collected the opinions of top US security professionals concluded:
- 30% were compliant with CCPA as of the survey period
- 18% to be compliant by the end of 2019
- 27% to be compliant sometime in 2020
- 13% to be compliant post-2020
- 12% had no plans of being CCPA compliant
An August 2019 report lists top reasons that companies cite ‘for not being ready to become CCPA complaint’:
- 35% firms feel CCPA is too expensive
- 32% were waiting to see its enforcement
- 17% feel they aren’t that large to face fines
- 11% are not sure about CCPA requirements
- 5% think the law will not apply to them
An April 2019 survey collected timelines by various firms for becoming CCPA compliant:
- 5% said before July 01, 2019
- 50% before Jan 01, 2020
- 25% before July 01, 2020
- 4% after July 01, 2020
- 11% don’t have any timelines
- 4% still not sure
Now, CCPA is prompting other states of the United States to have similar ones for their citizens going forward. Microsoft and Mozilla have already clarified that they aren’t limiting the new rights to California users.
Inspired by CCPA, nine other states are pursuing similar laws, while Nevada and Maine have already announced the narrowed version of privacy legislation.
In the wake of CCPA announcement, major technology leaders have reportedly requested the USA Government to come up with one such law for the entire nation.
Towards this end, various legislators have presented their bills and the Senate Commerce Committee has reportedly held a hearing of top two competing bills in December 2019.
Various other aspects of a common federal bill are under debate, especially on the ability of consumers to directly sue firms upon violations and the level of authority to be given to regulators enforcing the law, and more.
CCPA vs GDPR Compliance, What’s Next? (Infographic)
A common ‘Federal Privacy Bill’ in the offing?