California Consumer Privacy Act (CCPA) vs. GDPR

On June 28, 2018 the most sweeping personal privacy law (AB-375) was passed in California (the California Consumer Privacy Act of 2018) also known as CCPA. A GDPR-like bill, effective January 1, 2020, the law requires businesses collecting information about California consumers to appropriately and securely manage private data and manage the relationship with the consumer so that the consumer has control and visibility of their data.

The emphasis of this bill is to eliminate unauthorized use, or sale and transmission of private data to 3^rd parties. Additionally, the rights of consumers to know what data is collected and why, and also to have control of its use is mandated.

In an article we wrote April 19 on The Impact of GDPR on U.S. Companies, we outlined both what is GDPR and also how this type of privacy legislation would be enacted over time in the U.S. with profound impact.  A mere two months later California enacts their similar bill for Californians.

California Consumer Privacy Act (CCPA) Provisions

1. Provide Transparency in The Collection of Personal Information
   1. Disclose what personal information is collected about a consumer and the purposes for which that personal information is used
2. Deletion of Personal Information
   1. Delete a consumer’s personal information if requested to do so, unless it is necessary for the business to maintain that information for certain appropriate purposes
3. Right to Access Your Data
   1. Promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required
4. Right to Control Your Data
   1. Disclose what personal information is sold or shared for a business purpose, and to whom
   2. Right to Opt-Out of sale or transfer of  your personal information to 3rd parties
      • Stop selling a consumer’s information if requested to do so (“right to opt out”). If the consumer is under 16 years of age, the business is required to obtain affirmative authorization to sell the consumer’s data (“right to opt in”)
   3. Prohibition Against Discrimination for Exercising Your Rights
      • Cannot discriminate against a consumer for exercising any of the above rights, including by denying goods or services, charging different prices, or providing a different level or quality of goods or services, subject to certain exceptions.
   4. Data Breach Provisions (Rights of Consumers)
      1. The CCPA creates private rights of action, in the following case:
         • the CCPA expands California’s data security laws by providing, in certain cases, a private right of action to consumers “whose nonencrypted or nonredacted personal information” is subject to a breach “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures”
      2. Enforcement & Penalties
         1. Consumers may seek statutory damages of $100 to $750 per incident.
         2. The other rights embodied in the CCPA may be enforced only by the Attorney General—who may seek civil penalties up to $7,500 per violation.

Who is Affected by CCPA?

The California Consumer Privacy Act applies to any “business,” including any for-profit entity that collects consumers’ personal information, which does business in California, and which satisfies one or more of the following thresholds:

• Has annual gross revenues more than twenty-five million dollars ($25,000,000);
• Possesses the personal information of 50,000 or more consumers, households, or devices
• Earns more than half of its annual revenue from selling consumers’ personal information
• The CCPA also applies to any entity that controls or is controlled by such a business and shares common branding with the business.

The definition of “Personal Information” under the CCPA is extremely broad and includes things not considered “Personal Information” under other U.S. privacy laws, like location data, purchasing or consuming histories, browsing history, and inferences drawn from any of the consumer information.  As a result of the breadth of these definitions, the CCPA likely will apply to hundreds of thousands of companies, both inside and outside of California.

How does the CCPA Differ from GDPR?

While not as strict as the EU’s new General Data Protection Regulation (GDPR), the California Consumer Privacy Act is more stringent than most existing privacy laws in the United States.  GDPR affects virtually all companies that collect any EU private consumer data. It immediately requires strict compliance with private data management and data security with some level of detail on how to accomplish comliance.

CCPA is specific to California consumers and applies to established small companies and larger companies and seems to focus more on controlling use of the consumers private data and avoiding Facebook type privacy violations. Enforcement is much weaker than GDPR and the rules are not as well defined. That said, this law will evolve (likely before it takes effect) and fill in some of the holes. The categories of compliance are almost the same as GDPR with a similar intent overall. The California law is a bit more realistic, than GDPR, on what companies can realistically achieve and which companies need to be compliant ($25M+ revenue and above companies or data processing companies).

What Should Companies Do to Prepare for CCPA?

1. Review and define a strategy and plan for handling consumer private information
   • Review data collected and classify it, where it is stored, and which external parties have access
   • Delete private data that is not essential to your business relationship with the consumer
2. Website:
   • Add two methods for submitting consumer private information requests
   • Define and publish online privacy policies and update annually
   • Onsite prominent Opt Out Link (re: your ability to sell their data to others)
3. Form an internal privacy team that is responsible for consumer responses and privacy plan management
4. Data Security: Companies have a duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information
   • Data encryption or data minimization is recommended to protect against breach fines
   • Internal training on privacy rights and obligations
   • Limit internal access to collected private information
   • Implement policies for internal team and data processing
   • Control use of private data to comply with you CCPA compliance policies including 3^rd party relationships

Contact Us – eSecurity Solutions can help you secure your business and to ready your company for the California Consumer Privacy Act

• Assess your risks, prioritize your security gaps and define a compliance level cyber security strategy
• Define an Adaptive Ecosystem security strategy
• Become regulation compliant
• Implement and Manage your security