The groundbreaking California Consumer Privacy Act (CCPA) has been referred to as “California’s GDPR” largely because both laws force organizations to change the way they do business in order to satisfy customer concerns around their personal data. Both the CCPA and the EU’s General Data Protection Regulation (GDPR) give consumers the right to know what information is collected about them, what information is shared or sold, and who that information may be shared with or sold to.
Both the CCPA and GDPR share some key similarities, so organizations that have undertaken GDPR compliance will have an advantage in addressing CCPA. However, those efforts alone won’t suffice. There are nuanced differences that all organizations conducting business with California residents should be familiar with before January 1, 2020, when the CCPA officially becomes law. Here’s what you need to know about CCPA compliance.
The CCPA applies to certain businesses, regardless of location, that collect personal information about California residents, and, as of now, applies to personal information regarding customers (both individuals and entities), vendors, and employees.
The CCPA does not discriminate when it comes to which industries it impacts, but there are certain industries that should pay extra careful attention to compliance requirements. If your business is in the retail, media and entertainment, real estate or consumer software it is critical to understand this new privacy law.
While GDPR casts a wider net—any business who collects and/or processes the data of EU citizens or residents—under CCPA, organizations are obligated to comply if they conduct business with California residents and any of the following apply:
Understanding how these two laws impact your organization’s data privacy operations is key to maintaining compliance and avoiding penalties. While not an exhaustive list, several of the key similarities and differences are explained below:
Chances are that as a consumer you’re already used to this after seeing a pop-up notice on many of the sites you frequent. While both the CCPA and GDPR require detailed privacy notices to consumers, the required language of those notices differs. A privacy policy that meets the requirements of the GDPR will likely not satisfy the CCPA’s requirement.
Under GDPR, an individual does not necessarily have to give consent for an organization to collect and use data, in which case the individual does not have a general opt-out right. In contrast, the CCPA will require that “at or before the point of collection” covered organizations provide notice to consumers informing them of the categories of personal information the organization collects and for what purpose the information is used.
The GDPR requires that parents provide consent for the processing of their children’s (under 16) personal information in an online environment – but only where the legal basis for processing is consent.
The CCPA does not address consent for all processing of a child’s (under 13; teens 13-15 can provide their own consent) personal information. CCPA-compliant organizations are required to obtain opt-in consent only before the sale of a child’s personal information.
Under the GDPR, personal data is any information relating to an identified or identifiable data subject.
The CCPA definition is largely similar but broader in that it also includes information linked at the device or household level: “information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.”
Both the CCPA and GDPR do require that “reasonable security” measures be put in place when it comes to protecting personal information collected. However, the definition of what is considered reasonable under each regulation is vague.
The CCPA does not directly impose data security requirements but instead relies on existing California law to “establish a right of action for certain data breaches that result from violations of a business’s duty to implement and maintain reasonable security practices and procedures appropriate to the risk arising from existing California law.”
The GDPR, on the other hand, requires data controllers and data processors to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Under GDPR, your organization does not necessarily need consumers’ explicit consent to collect and use their personal data; firms have other lawful grounds that authorize data processing such as fulfilling contractual obligations and legitimate interests of the consumer. Therefore, under GDPR, individuals do not have a general opt-out right, nor a specific right to opt-out of personal data sales.
CCPA, however, grants individuals an absolute right to opt-out of the sale of their personal information. In order to meet CCPA compliance requirements organizations are obligated to add a “Do Not Sell My Personal Information” link on websites and mobile apps.
Both the CCPA and GDPR establish broadly similar rights of disclosure/access. Individuals have the right to request disclosure of their personal information as well as additional details on the organization’s purpose in collecting that data, including any third-parties that also have access to that data.
The difference lies in the CCPA’s right is only to obtain a written disclosure of the information. Whereas, the GDPR allows broader access, which is not limited to a written disclosure.
Consumers have similar data deletion rights under both the CCPA and GDPR. The GDPR right only applies if the request meets one of six criteria (the right to be forgotten), whereas the CCPA right is broader and only subject to certain exceptions.
Organizations also have an obligation, under both the CCPA and GDPR, to inform downstream data recipients of the consumer’s deletion request. While the CCPA mandates that organizations must instruct any third parties to delete the data, the GDPR’s approach is broader in that organizations must take “reasonable steps” to inform third parties of the request.
The CCPA and GDPR are largely similar when it comes to responding to data subject access requests (DSARs). DSARs give individuals the right to discover what data an organization has on them, why the organization is holding that data, and which other organizations their information is disclosed or sold to.
As you can likely imagine, managing DSARs from consumers can quickly become a burden for organizations of all sizes. Even if your organization has already spent significant time and resources to build a secure infrastructure to store collected data, responding to a DSAR means that the data must be collected from siloed systems, moved out of the encrypted data stores into something else—likely email or a custom application—to get it to your customers, or to whoever is asking for the information. This presents a significant security challenge.
Not only is the security of personal data while fulfilling a DSAR a concern, but the sheer number of requests an organization receives is only going to rise. With CCPA set to go into effect on January 1, 2020, both B2B and B2C organizations should expect to face a surge in DSARs.
Organizations found to be in violation of the GDPR can be fined EUR20 million, or 4% of global annual revenue, whichever is higher. EU member states can also impose their own fines for infringements that are not covered by the administrative fine.
Under the CCPA, the stakes are raised in the event of a data breach by creating a class action right and statutory damages without having to prove actual losses. Organizations found to be in violation of the CCPA have 30 days to remedy the violation. If not, they face a fine of $2,500 per individual whose privacy rights were violated, and this fine jumps to $7,500 per individual if the violation is intentional. Statutory damages range from $100-750 per plaintiff.
As you can see, there is a ton of personal information flowing throughout organizations and GDPR and CCPA compliance workflows. The key challenge is preventing unauthorized access to, or exfiltration, theft or disclosure of consumer’s private data throughout data processing operations, and also when fulfilling the DSAR itself.
Protecting sensitive data with encryption is not an explicit requirement for CCPA or GDPR compliance, but it is encouraged. Under the CCPA, data that is encrypted may avoid fines in the event of a breach. This means that organizations must consider how to review data and deliver it back to the consumer in a safe and secure way.
For ultimate security, encryption should travel with the data so that it is protected end-to-end, regardless of where it is shared. In fact, consumers are probably better off not even submitting a DSAR in the first place if the organization they are requesting the data from doesn’t have data-centric encryption layered into their data management solution. This is where “reasonable security” considerations must be given.
Virtru helps organizations maintain CCPA compliance with end-to-end encryption, granular access controls, and key management capabilities that prevent unauthorized access to California residents’ private data, wherever it’s shared.
Implementing and maintaining reasonable security for CCPA compliance boils down to protecting California residents’ private data from unauthorized access. But multi-cloud environments, continuous data sharing, and even data subject access requests (DSARs) present risks that can lead to steep fines and civil suits that hit your bottom line and paralyze growth.
Virtru provides data-centric protection that prevents unauthorized access to help maintain CCPA compliance. End-to-end encryption and granular access controls protect consumer data as it’s collected, processed, and shared, ensuring consumer data privacy while allowing your organization to continue developing innovative data strategies to support growth.