California Consumer Privacy Act, Did the GDPR Cross the Atlantic?
There’s been a lot of chatter about California passing a new law on June 28, 2018 called the “California Consumer Privacy Act, A.B. 375”. With the introduction of this new California data privacy law comes a real possibility that it could set the tone for similar legislation in other states.
The new legislation is being compared to the GDPR, the regulation recently introduced in the European Union which, as you may or may not remember, came into effect on May 25, 2018. Companies that conduct any business with customers in the EU are required to comply with a new set of rigid rules regarding the way they handle customer data.
GDPR violators can face fines of up to 4% of annual revenue or €20 million, whichever is greater, and the legislation calls for companies to receive explicit, “unambiguous consent” from website and app users before they can track their behavior or collect data.
The CCPA is set to go into effect in 2020 and may force significant changes on companies that deal in personal data — especially those operating in the digital space. The timing is interesting, and it is especially interesting that the law is being passed in California, home of the Silicon Valley “tech hub”.
What Does the Law Entail?
After seeing lots of action on social media about the new law over the past few months, and with it becoming more and more prominent, I found some details on the three major components of the CCPA and what it entails that I wanted to share:
- It gives consumers the ability to ask companies to disclose what data has been collected and sold about them.
- It gives consumers the right to request that companies stop selling their data.
- It sets more stringent standards for data security.
To fall under the scope of this new law, a company needs to have a minimum of USD$25m (£19.5m) in annual revenue, or sell the information of at least 50,000 consumers.
The new law only applies to for-profit companies doing business in the state of California that collect consumer personal information and that determine the means and purposes of its processing (the equivalent of the ‘controller’ under GDPR). It does not impact everyone.
The CCPA creates four basic rights:
- The right to know what personal information a business has about you.
- The right to delete personal information that a business has collected about you.
- The right to opt out of the sale of your personal information.
- The right to receive equal service and pricing from a business (with some important exceptions).
As for penalties, although the numbers don’t seem as high as the €20m or 4% of annual global turnover (whichever is greater) in the GDPR, the fines are cited per individual, and are mainly linked to data breaches and to failure to comply with requests from consumers (the CCPA’s term for what the GDPR calls data subjects). For example, businesses that fail to correct alleged violations within 30 days will be subject to a fine of USD $7,500 per violation. For data breaches, it can be up to USD $750 per user.
The GDPR is broader than the CCPA in many aspects, but there are a lot of similarities and overlaps. This means that companies that went through the process of complying with GDPR will find it easier to comply with the CCPA. Reading the 31-page legislation, many have remarked that it feels very ‘GDPR-esque’.
But there are differences too:
- The CCPA does not focus so much on consent and consent mechanisms, but rather allows businesses to offer consumers financial incentives for the collection and sale of their personal information, and imposes more rigid restrictions on data sharing for commercial purposes.
What Does it Mean for Businesses?
In a previous interview, my colleague Laura Myers had the chance to speak with George Parapadakis, Director, Business Solutions Strategy, EMEA at Alfresco. George shared his thoughts on what he sees as a positive outcome of regulations such as these coming into effect, and what it means for businesses in the future:
“It’s quite ironic that companies that have been talking for years about ‘customer centricity’ and ‘design thinking’ (putting the customer at the center of solutions design) have paid so little attention to the protection of customers’ and employees’ data privacy. Data privacy regulations have been in force for quite some time now, but this is the first time that companies are threatened with significant enough consequences to take it seriously. The next couple of years will see dramatic changes in the way personal data is collected and used. Digital marketing will probably be the function that is hit the hardest, since it relies almost exclusively on monitoring individual consumer behavior for segmentation and targeting. With GDPR, that approach is no longer legal, so marketing will need to have a radical re-think of the way they personalize advertising and messaging.
Beyond marketing, most organizations will need to introduce new policies and systems for giving individuals control over their own data, since self-service management of that data will be by far the most cost-effective way of preserving accuracy and consent. Finally, we are already seeing new projects emerging that make use of decentralized methods (like blockchain) to allow individuals to control who accesses their personal information, for what purposes, and for how long. I believe we will get to a point where companies will no longer hold any personal data; they will need to subscribe to services that allow them to request access to that data on demand, allowing individuals to have full (and exclusive) control.”
A few days ago, Facebook Inc. was fined £500,000 ($645,000) over the Cambridge Analytica case, but in an interview Information Commissioner Elizabeth Denham said the fine would have been much higher had the EU’s new GDPR rules been in force at the time of the offence. If they had, Facebook would have been fined $1.6bn (£1.24bn) instead, Business Insider reported.
Apparently, Facebook is even looking to appeal the fine. A spokesperson said: “We are currently reviewing the ICO’s decision. While we respectfully disagree with some of their findings, we have said before that we should have done more to investigate claims about Cambridge Analytica and taken action in 2015.”
That being said, Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements. If you have any questions regarding any of the current regulations, please do not hesitate to reach out to us and let us help you navigate these daunting waters!