For more than two years, the GDPR has been one of the most pressing pieces of data protection legislation that organisations handling data on EU residents had to get to grips with. Its strict regulations meant that companies compliant with the GDPR would also be likely to comply with the data protection standards in any territory outside of the EU as well. The status quo changed in July however, when the California Consumer Protection Act (CCPA) began to be enforced.
While there are many similarities between CCPA and the GDPR, there are some subtle yet significant differences many of those planning to do business in California need to be aware of.
What and who is covered?
There are five key rights the CCPA provides to Californian consumers. These are that Californians have the rights to:
Know what personal information is being collected about them.
Know whether their personal information is sold or disclosed and to whom.
Say no to the sale of personal information.
Access their personal information.
Equal service and price, even if they exercise their privacy rights.
So far, so GDPR. However, the key difference with the CCPA is that it does not presently cover workers. Current and former employees will have to wait until January 2021 before they can start making the sort of data subject access requests we’ve seen here in the UK and the EU.
Also, while the GDPR applies to the data of even temporary residents, a person can only be defined as a Californian consumer if they have been living long enough in the state to register to pay taxes.
What are the deadlines?
Under the GDPR, organisations have one calendar month to respond to any data request, which can be extended up to three months if necessary. This can cause some confusion as months vary in length, meaning the time frame could be as little as 28 days or as many as 92 for an extended deadline. The CCPA dispenses with this and gives a clear 45-day initial response period, which can be doubled to 90 days, if the data subject is notified within the first month.
Timings are also different in terms of how far back a person can request information. The CCPA says only data from the last 12 months can be requested. By contrast, the GDPR does not set a time limit, meaning that businesses might have to expend considerable resources searching through records trying to find information relating to long-term customers and employees.
Size and location are important
The CCPA is only applicable to those organisations that have a physical presence in California. Further, businesses with a gross revenue of less than $25m annually are exempt, unless they trade data. Yet even here there are exceptions. Only those businesses that receive, buy, sell or share personal information of 50,000 or more individuals or households for commercial purposes must comply with the CCPA. So too must any business that makes more than half its annual revenue from selling personal data, regardless of how big they are.
What are the penalties?
Three penalties can be enforced by regulators for non-compliance with the CCPA. This includes the recovery of either damages of between $100 and $750 per consumer per incident or the actual damages, whichever is the greater. The regulator can also demand injunctive or declaratory relief and any other relief considered appropriate.
Given that a business needs to be handling the data of at least 50,000 consumers for the CCPA to apply, that’s a minimum fine of $5million, plus any other costs incurred. This is a different tack to the GDPR. While regulators can impose a fine of up to the greater of €20m or four percent of gross annual revenue, the actual amount is often less. For example, the average value of a fine given to violators, since May 2018 is €1.35 million.
Another difference in the fines handed out under each regulation is what happens to the money. In the UK for instance, the GDPR fines go to the Treasury with the purpose of being used to pay for future GDPR actions. Whereas under the CCPA, as much as possible of the penalty is given to the consumer as reparations. It remains to be seen how the emphasis on paying out to consumers will impact the number of CCPA cases being brought forward.
The six steps for CCPA compliance
Businesses that fall under the scope of the CCPA should do what they can to comply or face potentially crippling fines. Unfortunately, those who have put in place processes to ensure compliance with the GDPR will not necessarily be compliant with the CCPA.
The fact that, unlike most other regulations, the CCPA is non-prescriptive is a double-edged sword for businesses. On the one side it gives them a bit more flexibility in ensuring the “reasonable security” stipulated by the CCPA. Yet on the other it could create uncertainty within a business about how compliant it is. This could cause complications in trying to prove compliance in the event of a breach, as there isn’t a checklist that a business can say it has completed.
Nevertheless, completing the following six actions will go a long way to ensuring compliance with the CCPA:
Understand the personal information they collect and “sell”.
Understand/map where the personal information is stored so that it can be reported upon.
Have a data privacy and protection policy that is appropriate to the use(s) and the consumer(s).
Ensure that staff have appropriate training and awareness of the CCPA, and the rights provided to the consumer.
Ensure that there are adequate and free methods for consumers to exercise their rights, such as via their website.
Ensure that they have implemented and are maintaining adequate security.
On its own, California is the world’s fifth largest economy, making it an attractive place to do business and a potential market that cannot be ignored by organisations looking at global expansion. These businesses need to start putting in place processes to comply with the CCPA when the time comes to branch out into California. Even those organisations that have no plans in California would be wise to think about the CCPA, as experience has shown the state legislature can change its mind and it could well apply the act to businesses wherever they are based.
Ensuring alignment with the CCPA means that those falling under its scope now, or in the future, won’t be left with a compliance nightmare and can instead start California dreaming.