It’s the second week of a new decade and there are already new regulatory changes that have major implications for corporate legal departments. On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) took effect requiring businesses to alter privacy policies to abide by new consumer regulations for 2020 and beyond. Piggybacking on Europe’s General Data Protection Regulation (GDPR), CCPA sets new rights and requirements for the distribution of California consumers’ personal information. Corporations across the country, and perhaps internationally as well, will be impacted by this new law.
Companies that adapted to GDPR, otherwise considered the new global standard for data privacy protection and undoubtedly the inspiration for CCPA, will inherently attempt to use similar protocols for CCPA compliance. Tech giants like Facebook and Google might come out unscathed using this method, because they have the means and resources to resolve issues as they arise. But other organizations, who do not have the same budget, may encounter a few hiccups at the onset. Because, while similar, there are distinctive differences between the two laws.
What is CCPA and why is it significant?
The purpose of CCPA is to enhance privacy rights and consumer protection for the residents of California. It gives California residents the right to access their personal information, request that a business delete their personal information, and opt out of having their personal information disclosed or sold.
Furthermore, it opens the door for other states to pass similar legislation in the years to come, perhaps even at the federal level. So the cost of not enforcing such procedures can cost a company more later down the line due to fines. Therefore, commiting to meet these requirements now, will save money in the long run. Businesses need to be prepared to respond and adhere to such regulations now and potentially in the future.
How does CCPA differ from GDPR?
- 25 million in Revenue
- Or 50% of Revenue Comes from Selling PI
- Or Captures Data on 50K Residents
- Established in the EU
- Or Not Established and Offers Goods and Services to EU Residents
- Or Not Established and Monitors an Individual’s EU Behavior
California Attorney General
Acting Authority Within Each Member State
Fine of up to $7,500 Per Violation
A Percentage of Gross Revenues
Breach Notification Rule
Notify As Soon as Possible
Notify within 72 Hours After Being Aware of the Breach
30 Days After the Initial Notice
Private Right of Action
May Initiate an Action to Recover Damages up to $750 per Incident or Actual Damages, Whichever is Greater
EU Citizens Have the Right to Pursue Compensation Claims Against Controllers
Setting Enabled to Deny the Selling of Personal Information
Offer Incentives in Exchange for Data
Permissible, but Must Proceed with Caution
Requesting Access to Information
Requires 2 Methods for (Telephone and Website)
At Least One Method
Consumer Access Request Time Period
45 Days or More
30 Days or More
Similar to GDPR, CCPA grants individuals the right to opt-out of the disclosure and sale of their personal information. This means businesses are obligated to add the opt-out option when accessing their website or mobile apps. However, CCPA does not provide all of the same consumer rights as GDPR. One of the most significant differences being that legal basis is not required for processing personal data.
Consumers Can Opt Out of Third Party Data Selling
Opt in Consent Required for Minors
Access Data Rights
Delete Data Rights
Data Portability Rights
Legal Basis Required
Data Minimization Rights
Data Rectification Rights
Data Protection Officer Required
Who will be most impacted by CCPA and how does this apply to the legal industry?
The implementation of CCPA will create a new and complicated world for data privacy. The biggest question is who will be the most impacted by CCPA? And the question everyone is dying to know – how does it apply to the legal industry? We will cover this and more in our next blog in this 3 part series. Stay tuned for the next blog!