Organizations across the U.S. are gearing up for the CCPA (California Consumer Privacy Act), a new law that takes effect next year governing the way they handle Californians’ personal data.
The strict requirements of the CCPA have naturally led to comparisons with the EU GDPR (General Data Protection Regulation), which has reshaped the way organizations handle Europeans’ personal data and made some U.S. organizations wary of collecting their information at all.
So, will the CCPA have the same effect? Let’s take a look.
Is the CCPA the beginning of ‘America’s GDPR’?
In short: probably not. The CCPA imposes requirements and disciplinary powers similar in strength to the GDPR’s, but only when it comes to individuals’ rights.
Unlike the GDPR, which covers a broad set of business practices, the CCPA is limited to data privacy. Organizations are required to tell Californian data subjects when their personal data is being collected and what it’s being used for.
Likewise, they must give individuals the right to:
- Access the personal information that organizations collect or process about them
- Request that organizations delete their personal data under certain circumstances
- Request that organizations don’t sell their personal data to third parties
Although the scope of the CCPA is smaller than the GDPR, and will thus have less of an impact on the way organizations operate, the consequences of violations are comparable.
Under the CCPA, non-compliant organizations face civil penalties of up to $7,500 and civil suits that give affected customers the right to seek between $100 and $750 in damages.
Meanwhile, the GDPR gives supervisory authorities the power to fine non-compliant organizations up to €20 million (about $22 million) or 4% of their annual global turnover, whichever is greater.
The CCPA therefore places more emphasis on the number of people affected as opposed to the nature of the breach, but both it and the GDPR raise the bar significantly in terms of disciplinary powers.
Take last year’s British Airways data breach, in which 500,000 people’s information was compromised, as an example.
The ICO (Information Commissioner’s Office), the UK’s supervisory authority, recently stated its intention to fine the airline £183 million ($233 million), which would make it the largest fine levied under the GDPR.
If the fine were calculated using the CCPA’s rules, British Airways would be looking at a fine of somewhere between $50 million and $375 million.
Small organizations are exempt from the CCPA
One of the biggest misconceptions about the GDPR is that it only applies to corporations like Facebook and Google, but that couldn’t be further from the truth. There are some requirements where SMEs have an easier ride, but no organization that processes EU residents’ personal data is completely exempt.
The same isn’t true of the CCPA. The law only applies to organizations that do business in California (regardless of where they are based) and:
- Have a gross annual turnover of $25 million or more
- Buy, receive, sell, or share the personal data of 50,000 or more consumers, or
- Derive 50% or more of their annual revenue from selling consumers’ data
The bar is still low enough that many mid-sized organizations will be subject to the rules, but it does spare smaller companies that might struggle to find the resources to cover these requirements.
The definition of personal data
The CCPA has a broader definition of personal data than the GDPR, stating that any “information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device” is within its remit. Examples include:
- Names, aliases, postal and email addresses, unique personal identifiers, account names, Social Security numbers, driver’s license numbers, passport numbers, etc.
- Biometric data
- Internet or other electronic network activity information
- Geolocation data
- Psychometric information
- Professional or employment-related information
Start preparing for the CCPA now
Although the CCPA doesn’t take effect until next year, there’s a lot of work you need to do by then. We’ve already seen many organizations neglect the GDPR until it was too late and get caught up with data subject complaints.
Understand the implementation path to ensure CCPA compliance with our California Consumer Privacy Act (CCPA) Foundation Online Training Course (also available in distance learning format).
Our book The California Consumer Privacy Act (CCPA): An implementation guide can also help you understand what is needed to comply.
This handbook, written by attorney and GRC consultant Preston Bukaty, explains the CCPA’s requirements in simple terms and how organizations can implement strategies to comply with its rules.