Just when you thought you could catch your breath, California, on June 28, 2018, enacted the strictest data privacy law in the United States—the California Consumer Privacy Act (“CCPA”). With striking resemblances to the GDPR, the new law will carry with it broad implications for businesses providing services to, or collecting data from, California consumers. By passing the bill, the California legislature secured time to review and amend the law before it becomes effective on January 1, 2020. The ink is far from dry on the new bill, and it will be the center of heated debates before it slams the streets of California.
The tab for non-compliance? Any business that intentionally violates the CCPA may be liable for a civil penalty of up to $7,500 per violation. To put that in context, Yahoo’s 2016 data breach of over 500 million accounts would have amounted in a fine north of 100 billion dollars.
Like the GDPR, the CCPA will require organizations to reassess how they are handling personal information, data retention policies, third-party processing contracts, and master privacy policies. To ensure compliance, businesses must take steps similar to those that the GDPR requires, such as data mapping, data inventory, gap analysis, and drafting new privacy policies and contracts.
California—with its roughly 39.5 million people—boasts the fifth largest economy in the world. Given that businesses across the globe contribute to California’s growing economy, the CCPA sets the new standard of privacy for anyone transacting business in the United States. In the modern digital world, the CCPA, like its influential digital counterpart—the GDPR, are here to stay and shift privacy rights back to the hands of consumers. Let us help you with this hurdle to CCPA compliance.
See chart below for a comparison of the CCPA and the GDPR.
General Data Protection Regulation (GDPR) | California Consumer Privacy Act 2018 (CCPA) | |
The basis for consent | Opt-in | Opt-out |
To whom it applies | Anyone processing or controlling the processing of personal data of individuals located in the EU. | For-profit businesses that process personal data of CA residents and satisfy one or more of the following thresholds:
A) Have annual gross revenue of $25 million or more; B) Collects, sells or shares for personal purposes the personal information of at least 50,000 consumers, households, or devices; or C) Derives 50% or more of its annual revenues from selling consumers’ personal information
The law also applies to affiliated, cobranded entities of businesses that meet the above criteria, even if the affiliate doesn’t do business in CA. |
Individual Rights | 1. Access
2. Rectification 3. Erasure 4. Restriction of processing 5. Object to processing 6. Data portability 7. Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
|
1. The right to know all data collected by a business on you.
2. The right to know whether their personal information is sold or disclosed and to whom. 3. The right to say no to the sale of personal information. 4. The right to access their personal information. 5. The right to delete your data. |
When does it come into effect? | May 25, 2018 | January 1, 2020 |
Potential Fines | Up to €20 million or up to 4% of the total worldwide annual turnover, whichever is higher. | A civil penalty up to $7,500 per violation
Private individual right up between $100 and $750 per consumer, per incident. |
Time allowed to respond to a request | One month | 45 days |