Critical Considerations for CCPA Compliance
It wasn’t long ago that businesses were in a frenzy trying to determine what steps they needed to take to reduce their risks in collecting and storing customers’ personally identifiable information (PII) in the face of Europe’s new General Data Protection Regulation (GDPR). But amid ever-growing privacy concerns, GDPR was just one of a series of new rules designed to protect personal data.
The next regulation businesses should prepare for is the California Consumer Privacy Act (CCPA)* which takes effect on January 1, 2020.
Who Is Affected by CCPA?
Like GDPR, CCPA compliance requires businesses to take steps to protect consumer data and grants consumers a series of rights regarding how their data may be stored and used. One key difference is who is protected under the regulations: while GDPR protects citizens of the EU, California’s new privacy regulations will apply to all California residents. CCPA compliance also extends to protect California households and devices, while GDPR encompasses the rights of individuals only.
There are also differences in which businesses must adhere to the CCPA rules. While GDPR’s scope broadly includes all businesses, whether public or private, for- or non-profit, CCPA compliance covers a narrower set of organizations. Non-profit organizations are exempt, and the rules apply to any for-profit organization that:
- Has annual gross revenues over $25 million
- Buys, receives, sells or shares data from 50,000 or more consumers, households or devices
- And/or derives 50 percent or more of its annual revenues from selling customers’ personal information.
In addition, GDPR applies to any business that handles the data of EU citizens, regardless of where that business is located. CCPA applies only to organizations that do business in California.
What Rights Does CCPA Grant Consumers?
Like GDPR, CCPA compliance requires businesses to proactively take steps to address how data is collected, processed and stored. Both sets of rules require businesses to disclose details about how data is collected, used and protected though there are also some key differences in the measures employed. For example, unlike GDPR, the CCPA does not specifically impose data security requirements, though it does establish a right of action should a business fail to maintain reasonable security measures.
Other key similarities include a right to data portability, requiring businesses to provide personal information in a useable format upon request (GDPR specifies a “machine readable” format, while CCPA states that information must only be “readily useable”), and the right to data deletion under certain circumstances. Under the new California regulations, consumers are entitled to request a copy of their information from the previous 12 months (known as the “look back” requirement), and businesses must provide this information within 45 days at no cost to the consumer.
Other key differences between the California and EU rules are that businesses subject to CCPA compliance must clearly allow consumers to opt out of the sale of their data, while EU citizens are granted the right to opt out of automated decision-making such as profile segmentation. And while the calculation of fines differs between CCPA and GDPR – in California, the Attorney General may seek civil penalties of $2,500 per violation ($7,500 for each individual violation if intentional), compared to GDPR’s fines of the greater of 20-million euros or four percent of annual global revenue – in both cases, violations can be extremely costly.
How Businesses Can Stay on the Right Side of CCPA Compliance
While you might think that the steep fines levied within just a few months of GDPR’s enactment would encourage people to get their data houses in order in the lead up to CCPA, this may not be the case.
But with undiscovered PII hiding within vast stores of unstructured content, waiting until the last minute to prepare for the California Consumer Privacy Act can increase your risk of violations. Instead, it’s crucial for businesses to take steps first to determine whether they are subject to the regulations based on the above criteria and, if they are, to implement processes that will allow them to meet the requirements of the so-called “California GDPR”.
- Identifying and classifying relevant data
- Assessing existing privacy controls and disclosures
- Developing and implementing processes for data protection and PII remediation
- Establishing ongoing CCPA compliance monitoring
Technology can help speed the path to readiness for “California GDPR” by enabling the automation of some of the most onerous tasks. For example, while it might be impossible to comb through massive volumes of unstructured data to identify and cordon off sources of PII and to get consumer information into an organized state to quickly respond to “look back” requests, automated data classification can ensure that the relevant data is efficiently identified and handled appropriately.
Just as GDPR before it, the upcoming California Consumer Privacy Act puts a hefty obligation on certain companies to employ consumer-friendly data protection measures. And the first step to protecting consumer data is understanding what data your business possesses – something that can be achieved far more efficiently with automated solutions.
1Reuters: The end of Libor: the biggest banking challenge you've never heard of