Are you ready for upcoming data privacy regulations? Assess your risks and how you can tackle them today.
CCPA is Coming! Be prepared.
We have identified that there are five key requirements you need to know about the California Consumer Privacy Act. Be sure to seek legal counsel and be aware that requirement violations include penalty thresholds that may expose large California-based businesses to substantial risk.
Both organizations with existing privacy capabilities, such as those developed for General Data Protection Regulation (GDPR) compliance, and those without any previous preparation may need the entire grace period before the deadline to deploy necessary capabilities.
Companies that employ or serve California residents may find these five CCPA requirements have the biggest impact on their business:
- Data inventory and mapping of in-scope personal data and instances of “selling” data
- New individual rights to data access and erasure
- New individual right to opt-out of data selling
- Updating service-level agreements with third-party data processors
- Remediation of information security gaps and system vulnerabilities
GDPR vs. CCPA
In many ways the CCPA is the “American” version of GDPR, as it requires organizations to focus on user data and to be transparent about how they collect, share and use such data. In our research we have found that certain aspects of GDPR overlap with CCPA, but several policies, processes and systems will still need updating to address the differences between the two laws.
Comparison Chart: What You Need to Know

| Requirement | GDPR | CCPA |
|---|---|---|
| Scope | EU personal data processed | California residents’ personal data collected (narrower) |
| Right to access | Right to access all EU personal data processed | Right to access California personal data collected in the last 12 months, delineated between sold and transferred (narrower) |
| Right to portability | Must export and import certain EU personal data in a user-friendly format | All access requests must be exported in a user-friendly format, but there is no import requirement (narrower) |
| Right to correction | Right to correct errors in EU personal data processed | Not included in CCPA |
| Right to stop processing | Right to withdraw consent or otherwise stop processing of EU personal data | Right to opt-out of selling personal data only; must include opt-out link on website |
| Right to stop automated decision making | Right to require a human to make decisions that have a legal effect | Not included in CCPA |
| Right to stop third-party transfer | Right to withdraw consent for data transfers involving second purposes of special categories of data | Right to opt-out of selling personal data to third parties |
| Right to erasure | Right to erase EU personal data, under certain conditions | Right to erase personal data collected, under certain conditions |
| Right to equal services and price | At most, implicitly required | Explicitly required |
| Private right of action damages | No floor or ceiling | Floor of $100 and ceiling of $750 per consumer per incident |
| Regulator enforcement penalties | Ceiling of 4% of global annual revenues | No ceiling – $7,500 per violation |
Data Covered Under CCPA
CCPA is about control of, protection of, and insight into personal data. In other words, the consumer must be made aware—at the point of data collection—that information is being collected, informed as to how the data will be used, and then given the option to opt-out from sharing or selling that personal data.
CCPA defines “personal information” as:
- Name
- Address
- Personal identifiers
- IP address
- Email address
- Social security number
- Driver’s license number
- Passport number and similar identifiers
Additionally, there are restrictions on collecting data pertaining to class information, personal property, products and services purchased, purchasing history, browsing history, geodata, biometric data, profiling, employment, and education-related data. Basically, if data can be tied back to a person or identifies an individual, it’s considered “personal data” and is protected by CCPA.
Note that personal information does not include publicly available information from state, federal or local governments; the caution here is how you intend to use that data and whether that purpose is compatible with the other criteria of CCPA.
Need to assess if you have the right programs, systems, and processes in place to ensure CCPA (or GDPR) compliance? Contact us to determine how you can minimize your risk before it’s too late!
Sources:
https://www.irmi.com/articles/expert-commentary/a-summary-of-ccpa-of-2018