Nearly two years after the introduction of the General Data Protection Regulation (GDPR) in Europe, California has become the first U.S. state to enact similar legislation: the California Consumer Privacy Act (CCPA). The law, which gained significant legislative momentum on the heels of the Cambridge Analytica scandal and the U.S. congressional hearings on the misuse of personal information, is designed to protect personal information collected by companies. It will, no doubt, have significant implications for corporations and consumers alike. And, because it applies to qualifying businesses that handle the personal information of California residents regardless of where those businesses are based, it is poised to affect tens of thousands of companies worldwide.
The exact compliance expectations and implications of the CCPA have yet to be defined in the companion regulations that the California Attorney General is expected to introduce in July. But, since the CCPA and the GDPR touch on many of the same topics, the EU legislation provides a useful reference for comparison. Below, we look at some of the key features of the CCPA, how they mirror or differ from the GDPR, and what it all might mean for businesses moving forward.
While both acts seek to protect the personal information of individuals within their territorial jurisdiction, the CCPA applies only to for-profit businesses that meet at least one of its thresholds: annual gross revenues above $25 million; buying, selling or receiving the personal information of 50,000 or more consumers, households or devices per year; or deriving 50% or more of annual revenues from selling consumers' personal information. The CCPA is therefore expected to have a far smaller impact on small and medium-sized companies than its European counterpart. It also remains to be seen how lawmakers and companies will interpret the scope of "50% of revenues from information sales"; given early pushback from some companies, that threshold, and the scope of the CCPA's applicability more generally, is likely to be a source of ongoing debate. Despite the law's current ambiguity, the CCPA is clear in its intent to place greater responsibility on companies that have a direct relationship with consumers, both for their own cybersecurity practices and for those of their vendors and third parties across the supply chain.
Under both laws, individuals are provided with the fundamental rights to know whether their personal data has been collected by a company, to view it, to object to it being sold (CCPA) or processed (GDPR), and to have it deleted upon request.
Defining what "reasonable security procedures and practices" means will likely be a key challenge for businesses, much as the GDPR's requirement for "appropriate technical and organisational measures" has been: neither law spells out specific controls, so businesses must justify their own baseline and be prepared to defend it after a breach. One new obligation created by the CCPA is the prohibition on discriminating against consumers who exercise their rights over their personal information, for example by denying them goods or services or charging them different prices. However, as has been previously noted, ambiguities in the CCPA's definition of "discrimination" mean we likely won't have a full picture of what forms it might take any time soon.
A key difference between the two laws is the amount a company could face in fines for non-compliance. The CCPA's civil penalties are capped at $2,500 per violation, or $7,500 per intentional violation, with statutory damages of $100 to $750 per consumer per incident available in breach lawsuits, whereas the GDPR allows fines of up to €20 million or 4% of global annual turnover and regulators have already issued penalties on that scale. Whether, and to what extent, the lower ceiling might undermine the CCPA's effectiveness once enforcement begins remains to be seen, as there is no upper limit on the damage a violation might inflict on a company's reputation.
On the whole, the California law does not have as broad a scope as the GDPR and does not appear to include some of the GDPR's most onerous requirements. However, it is the most extensive privacy law yet passed in the U.S., and companies doing business in California will have to treat consumer data with considerably more care. As such, now is as good a time as any for companies to evaluate their cybersecurity risks, including the area where they are often most exposed: third-party vendors.
Author: Mike Toulch