
Is the California Consumer Privacy Act (CCPA) a Closer Cousin to EU GDPR?
Smruti Pradhan GRC Consultant | November 12, 2019

Co-authored by: Suhas Krishnamoorthy

Why do we need another regulation for data privacy?

Data privacy regulations are popping up across geographies as countries grow concerned about their citizens' data. User data not being used judiciously by the organizations that collect and process it has led to a sudden surge in the number of privacy laws. Data is collected and sold for profit, or stolen by attackers, and used for purposes other than those intended. This practice compromises the personal data of a country's citizens.

Data privacy becomes even more of a concern when it involves personally identifiable information (PII) or protected health information (PHI), since unauthorized organizations can misuse PII or PHI for their own benefit. Keeping these threats in mind, the Californian government has passed an act to protect the data of Californian citizens. Under California privacy law, the California Consumer Privacy Act requires businesses to be transparent in the way they handle customers' personal information. The primary goal of the California Consumer Privacy Act (CCPA) is to give the citizens of California control over their data and more detail on how companies around the world use it.

In today's digital economy, data is more valuable than ever. Therefore, the CCPA has hit the right chord by defining the way companies should treat personal consumer data, which is fundamental in driving their business. One of the significant highlights to be addressed is the power shift from companies controlling consumer data to the way consumers want their data to be handled. Either the companies need to reform their entire existing infrastructure of security processes according to the CCPA or institute a specifically tailored process only for the customers of California.

Do you need to be concerned about CCPA?

While it is essential to focus on the several onerous requirements of CCPA, it is equally crucial to know which businesses this regulation applies to under California privacy law. Does it apply to every company operating in or out of California that deals with the data of local citizens, or are there exceptions to the scope of the regulation? Ultimately, in this era of significant data collection risk, this data protection law is going to give the citizens of California power over what information about them is collected and who has access to it. Since the enactment is only a few weeks away, businesses meeting the criteria below need to be CCPA compliant:

  • For-profit companies that may or may not have physical operations in California but are involved in the marketing or selling of personal data of California residents
  • Must have a gross annual revenue of over $25 million
  • Generating at least 50% of annual revenue from selling California consumers' personal information

Implementation complications may arise as and when businesses evolve their existing data privacy practices and revisit their relationships with third parties that handle personal information of customers on their behalf. It is crucial to draw a few valid assumptions from the scope of CCPA and apply it across businesses. As CCPA takes effect from January 1, 2020, the following assumptions can be considered:

  • The gross annual revenue threshold of $25 million applies to the overall business, regardless of the total revenue generated in California.
  • The CCPA is likely to be revised again, and the current version of the law amended.
  • Currently, the law does not provide clarity on whether California employees or other business individuals can be termed as consumers under the rule of CCPA.

You’re EU GDPR Compliant. Do you need additional measures to comply with CCPA?

While it is obvious that both are data protection laws aiming to safeguard citizens' data, there are a few differences between the two that need attention. The comparison below sets CCPA against GDPR on the critical points where they diverge:

Factor-by-factor comparison of CCPA and EU GDPR:

Region
  • CCPA: The State of California, USA
  • EU GDPR: European Union

Applicability
  • CCPA: Organizations processing Californian citizens' data
  • EU GDPR: Organizations processing the personal data of EU citizens

Penalty
  • CCPA: Up to $7500 per violation
  • EU GDPR: 2% of global annual turnover or €10 million, whichever is higher; or 4% of global annual turnover or €20 million, whichever is higher

Breach Notification Time
  • CCPA: Within reasonable time; no clear time stipulated
  • EU GDPR: Within 72 hours of identification of a breach

Response time for requested information
  • CCPA: 45 days
  • EU GDPR: 30 days

Right to Access
  • CCPA: Yes
  • EU GDPR: Yes

Right to request deletion
  • CCPA: Yes
  • EU GDPR: Yes

Right to port data
  • CCPA: Yes
  • EU GDPR: Yes

Right to request data minimization
  • CCPA: No
  • EU GDPR: Yes

Right to opt out of sale of personal data
  • CCPA: Yes
  • EU GDPR: Yes

Since there is common ground between CCPA and EU GDPR, the controls deployed to comply with GDPR can be leveraged to achieve compliance with CCPA. However, additional resources and effort must be deployed to meet the control requirements that differ. Thus, the effort to comply with CCPA can be reduced if the existing system is analyzed carefully and the requirements are gathered efficiently.

How do you approach CCPA compliance?

Research and Assess:

Understand the existing scope of CCPA and do the background work before January to interpret the relevance of the regulation to your range of services.

Build Competency:

Recognize the strengths and talents of existing employees who are already involved in data privacy projects and train them on upcoming CCPA compliance requirements through cybersecurity sessions.

Upskill the new joiners by informing them about the latest trends in cybersecurity and establish an organization-wide data security training program to create awareness on the most recent privacy regulations.

Analyze industry approach towards CCPA:

As of now, only 14% of companies globally are fully compliant with CCPA, so any organization that is yet to implement CCPA is advised to study and analyze the industry's approach to this compliance and strategize accordingly. By capitalizing on the second-mover advantage, companies can capture the nerve of this privacy regulation.

Plan and Execute:

Once all the requirements have been analyzed for your business, it is time to act. Since the GDPR controls already implemented can be leveraged, the only part that needs focus is the delta requirements. To meet CCPA compliance without any deficiencies, the organization's governance team must closely monitor the execution of the planned controls. Post-execution monitoring of the controls is essential to ensure continuous compliance with the regulation.

What should you keep in mind for CCPA?

Even though CCPA has similarities with GDPR, one must focus on the differences between them so that the right set of compliance parameters is monitored and analyzed regularly. That is easier said than done. Businesses need to understand the crucial focus areas below to avoid duplication of both effort and resources. That said, companies also need to be careful about oversimplifying the process of achieving compliance, which can lead to slack in the process and slips in quality. A few key areas to focus on are:

Redundancies with the existing controls framework established for GDPR

While CCPA is similar to GDPR, it does not have the same visibility as GDPR. Both the similarities and the differences between the regulations must be weighed and suitable changes incorporated into the processes, which may lead to duplication of effort and a longer time to achieve compliance.

Complexities in renewal of privacy notices

Under the CCPA, privacy notices need to be clear and concise. As consumer consent becomes an integral part of the regulation, businesses can no longer rely on general statements of applicability like those made in current privacy notices.

Lack of clarity in existing scope for CCPA

As the CCPA is still subject to various amendments and revisions, businesses need to identify whether they actually fall within the scope of CCPA or not.

CCPA, even though it is just another data protection regulation, has enormous potential to change how an organization manages data. Thus, organizations handling and processing the personal data of Californian citizens must buckle up and proactively work towards achieving compliance. CCPA compliance will not only help organizations avoid penalties but also future-proof them against other upcoming state regulations, saving considerable implementation and operational cost.