In May 2018 the European Union introduced the GDPR regulation across Europe, which comprehensively updated EU data privacy laws; at roughly the same time the US state of California introduced its own equivalent to GDPR – the California Consumer Privacy Act (CCPA). The impact of CCPA on the US data privacy landscape has been hugely significant, and is likely to become even more so.
All for-profit companies that do business in California and who meet certain thresholds are required to be compliant as the legislation comes into effect on January 1st, 2020.
What is CCPA?
The CCPA gives new privacy rights to Californian consumers i.e. any permanent resident of the state has the right to know what personal information about them and how it’s used, request its deletion and ultimately stop companies collecting any further data about them.
Sponsored by an advocacy group known as Californians for Consumer Privacy, the CCPA came about as an alternative to privacy legislation – the California Consumer Personal Information Disclosure and Sale Initiative.
The new law was introduced in late June of 2018, state assembly member, senator Robert Hertzberg who was instrumental in the legislation being approved, called the CCPA, “the most comprehensive privacy law in the country.”
The difference between CCPA and GDPR:
Although often referred to as the “American GDPR” or sometimes “California’s GDPR” the Californian legislation has a slightly different focus compared to its European Counterpart. With CCPA there is a greater focus on the commercial uses of data, as opposed to all forms of data processing, additionally it also functions on a ‘opt-out’ basis, where as GDPR consent requires a “opt-in” from the individual.
Deidentification within CCPA:
While Californians have greater privacy rights, the CCPA at present lacks clarity around methods of data protection and the concept of deidentification (making information no longer pertain to an individual consumer or their household).
Further, the law states that “personal information” excludes “publicly available” information which is lawfully made available by federal, state or local government records. How courts in the US interpret the definition of “personal information” to information that is “publicly available” remains to be seen.
The new age of data privacy awareness:
The GDPR and CCPA have marked a new age of heightened data privacy awareness for consumers both in the E.U and the U.S. After the Cambridge Data Analytical scandal in 2018 other states in the US have chosen to follow the CCPA lead with their own nuanced legislation such as Maryland’s more expansive deletion rights and North Dakota’s privacy bill deeming an individual guilty if they obtain or attempt to obtain personally identifiable information (PII) without the “express written consent” of the individual concerned.
In recent months with global businesses such as British Airways and Marriot Internationalfacing fines of a total of £300m, it is clear that organisations must now make sure that people’s personal data remains just that – personal.
Every business needs a data protection strategy that ensures their customers’ sensitive data is kept safe, whilst in use, in transit or at rest. Find out more in our Methods of Data Protection reference guide, which shows how a data-first approach to security can simplify compliance with multiple data protection regulations.