California passes Data Privacy Law on the heels of GDPR
Barely a month after the EU's General Data Protection Regulation (GDPR) took effect on May 25, 2018, California stepped up and passed one of the toughest data privacy laws of any state in the US. California has a strong history of enacting privacy laws in various forms over the past decade, and with an economy that ranks in the top 10 globally it is no surprise that the state also leads in data privacy initiatives.
On June 28, 2018, the California Legislature adopted the California Consumer Privacy Act ("CCPA"), which is implemented as new sections added to the existing California Civil Code. The new law goes into effect on January 1, 2020.
Here are a few questions and answers about the CCPA that will help you determine whether your company needs to start preparing for this new law before January 2020.
What does the CCPA cover?
- The act applies to any for-profit "business" that does business in California and collects California consumers' "personal information", and that meets one or more of the following criteria:
- Annual gross revenues over $25 million.
- Buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices.
- Derives 50% or more of its revenues from selling consumers’ personal information.
Who has to comply?
It doesn't matter where in the world your company is located: if it collects personal information from California residents and meets one of the three criteria above, it must comply with the CCPA (much like the extraterritorial reach of the GDPR).
How to comply?
Companies have a number of options when considering the new Act and how it may affect the way they conduct business in the state. At a minimum:
- Begin taking inventories and creating data maps of all the California residents' personal information your company may have collected, where it is stored, and with whom it is shared.
- Consider alternative methods of conducting business and collecting personal information within the State of California, including collecting less of it.
Penalties under the CCPA
If a company suffers a security breach and falls victim to data theft, affected consumers can sue and recover statutory damages of between $100 and $750 per California resident per incident (or actual damages, if greater). So, if your company is breached and loses the personal information of roughly 50,000 California residents, you are looking at around $20 million if damages are assessed at $400 per resident (somewhere in the middle of the range). Two caveats matter for security teams: this private right of action covers nonencrypted or nonredacted personal information, and it applies where the breach results from the business's failure to implement and maintain reasonable security procedures, so encryption and documented security controls directly reduce exposure. Separately from breach litigation, the Attorney General can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, for other violations of the Act.
CCPA & GDPR Compared
This new California Consumer Privacy Act is naturally being compared with the GDPR, which took effect in May of this year, but the CCPA differs from it in several respects, and in some of them reaches further.
With the GDPR effort so fresh in everyone's mind, don't assume you can simply check a box for the CCPA. Among the ways the CCPA differs from the GDPR:
- The CCPA defines "personal information" broadly: it covers information that can be associated not only with an individual but also with a household or a device.
- It mandates concrete mechanisms the GDPR does not, such as at least two channels for consumers to submit requests (including a toll-free telephone number) and a clear "Do Not Sell My Personal Information" link on the business's home page.
- It imposes tough restrictions on the sale of personal information, including an opt-in requirement before selling the personal information of consumers under 16.
- Californians can opt out of the sale of their personal information, request to know what has been collected about them and with whom it has been shared, and demand deletion of their data, without being discriminated against for exercising those rights.
Companies that are global in nature and do business with California residents have a year and a half to assess the impact on their businesses and decide how they will handle data under the CCPA.
Expect more US states (and nations globally) to enact their own privacy laws. Perhaps it is time for a US federal law; either way, it is clear that data privacy is here to stay.
Do you know how prepared your IT environment is to meet customer privacy requirements? Find out with our Technology Readiness Assessment. Learn more about how to manage and protect privacy throughout the lifecycle of data with Data Privacy Manager.