It was only a matter of time before the U.S. passed its version of GDPR: The California Consumer Privacy Act, AKA CCPA (because the industry definitely needs another acronym), will go into effect in January 2020. But how similar is California’s take on privacy, and will current GDPR protections comply with CCPA?
Motivated by recent, large-scale breaches of consumers’ information, including the March 2018 incident with data-mining firm Cambridge Analytica that exposed the misuse of tens of millions of people’s personal data, the CCPA aims to put stronger safeguards in place to protect consumers’ privacy against misuse stemming from carelessness, shadiness, and outright theft and fraudulent activities. The bill grants California residents greater privacy and control over their data while demanding more transparency and communication from businesses.
What is it?
Essentially, businesses must now provide explicit information on how personal data is being used and to whom it is disclosed, as well as honor consumers’ requests for more information. Businesses must also clearly state whether they sell their customer data.
Under CCPA, businesses are required to provide California residents with the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request that a business delete any personal information it has collected from them.
- Not be discriminated against for exercising their privacy rights.
As such, businesses are required to notify and request permission from customers before collecting data, state its purpose, use the data in a lawful manner, and comply with consumers’ requests for deletion.
When does it go into effect?
January 1, 2020 (confusing, as it is called “The California Consumer Privacy Act of 2018”). It becomes enforceable on July 1, 2020.
Who does it apply to?
The CCPA applies to any for-profit business (not nonprofits or governmental entities) in the state of California that collects consumers’ personal data and meets at least one of the following criteria:
- Has annual gross revenues in excess of $25 million.
- Handles data of more than 50,000 people or devices.
- Earns more than 50% of its annual revenue from selling consumers’ personal information.
Is it really California only?
California is an important state to set a privacy precedent. Not only does it have the largest population in the United States (39.56 million in 2018), but it’s also a hotbed and incubator for tech powerhouses and cutting-edge startups. Notable digital companies headquartered in California include Alphabet/Google, Apple, Facebook, and Oracle.
While the law only applies to customers that live in California, most companies will have to shift privacy policies to accommodate it. Other states will likely follow suit and use the CCPA as an example to set their own state-level privacy laws.
CCPA vs. GDPR
The good news is that CCPA and the European General Data Protection Regulation (GDPR) have many similarities, so companies that have adopted practices that comply with GDPR will be pretty well-prepared for CCPA. Both the CCPA and the GDPR adopt an expansive definition of personally identifiable information (PII) and value the customer’s right to choose and understand how their data is being used. There are some differences: overall, CCPA is more specific in its requirements, while GDPR is a bit broader.
PwC offers a great table comparing the two on main points, from scope to enforcement.
What about child data: CCPA vs. GDPR vs. COPPA?
The protection of child data is not new in the US: the Children’s Online Privacy Protection Act (COPPA) came into effect in 1998. (In Europe, child data was treated like every other piece of personal data until the GDPR set specific and stronger rules.) Now, the CCPA goes even further than COPPA in children’s data protection: while all consumers can opt out of the sharing of their information, consumers under the age of 16 must opt in. And if they’re under 13, their parents or guardians must opt in (EdSurge, 2018).
What do consumers think?
67% of US online adults and 57% of European (EU-5) online adults are not comfortable with companies sharing and selling their data and online activities, according to Forrester research. And 51% of US online adults and 48% of EU-5 online adults report taking active measures to limit the collection of their data by apps and websites (“Tackle The California Consumer Privacy Act Now,” Forrester Research, Inc., February 8, 2019).
55% of US privacy professionals plan to be CCPA-compliant prior to January 1, 2020. 25% plan to be ready for July 1, 2020, when the law becomes enforceable (International Association of Privacy Professionals (IAPP) and OneTrust via eMarketer).