California’s New Data Privacy Law Rivals EU’s GDPR
'CCPA' Will Be Enforceable In January 2020
Since May 25, 2018 and the rollout of the European Union’s General Data Protection Regulation (GDPR), and even before, data privacy has been top of mind. A part of that sentiment has carried over to the U.S. with the passing of California’s Consumer Privacy Act (CCPA).
The law provides protections for consumer privacy, and echoes GDPR in many ways. Its breadth is wide, as it will affect any business which collects personal information from those in the state, when it goes into effect in 2020.
A website for CCPA says that the law “gives Californians the most sweeping, comprehensive and empowering consumer privacy rights in the country.”
The CCPA may be emulated, too, as the nation currently has a “patchwork” system of laws and regulations that dictate data management.
The site continues: “In the coming months and years, we intend to continue to hold both the Legislature and the corporations accountable to ensure they uphold these powerful protections for consumers.”
What It Entails
After the 2020 rollout, consumers will earn the following protections, as listed on CAPrivacy.org:
- The right to know all data collected
- Right to say no to the sale of consumer information
- Right to delete consumer data
- Right to be informed of what categories of data will be collected and of any changes
- Mandated opt-in to be informed of any changes
- Mandated opt-in before the sale of children’s information (under the age of 16)
- Right to know the categories of third parties with whom the data is shared
- Right to know the categories of sources of information from whom the data was acquired
- Right to know the business or commercial purpose of collecting the information
- Enforcement by California’s Attorney General
- Private right of action when companies breach consumer data
Similar To GDPR?
IT Security Senior Program Manager, Jamal Hartenstein, told the Cyber Security Hub that, “Just as GDPR impacts countries outside of the EU, many companies in the U.S. outside of California will be impacted by CCPA. The similar way we evaluate whether a company processes or maintains EU data, as to whether they fall under the scope of GDPR, we must evaluate if data belonging to California consumers is being processed or maintained out of state.”
LMU Cyber Security Law Professor, Adriana Sanford, told the Cyber Security Hub: “Because of GDPR’s ripple effect around the world, many businesses have already revised their privacy policies and standards to ‘match up’ against the GDPR framework or the variations therefrom. It is expected that the CCPA will also have wide-ranging implications for companies located in the U.S. and abroad…”
“Since California is a significantly large economy on a global scale, we can imagine the magnitude of companies that may fall under the scope of CCPA, or have their attorneys help them find exceptions within the law (which there are a variety),” Hartenstein added.
The program manager commented on those exceptions: “Although CCPA grants consumers the right to request deletion of their personal information, the act focuses more on rights not to be proliferated. (It) gives nine different reasons why a business shall not be required to comply with a consumer’s right to request deletion of personal information. That’s nine bullets on how companies don’t have to comply compared to only the three preceding bullets in the section granting the right.”
The law allows consumers to request a full detailed list of all collected data within a company once per year. Hartenstein also said that CCPA fines differ widely. While GDPR fines up to 4% of annual turnover, CCPA fines up to $750 per California resident.
“CCPA does not attempt to spell out how privacy should be protected by organizations subject to the law like GDPR does,” Hartenstein commented. “Words such as ‘reasonable’ or ‘adequate’ when describing protections generally leave room for paydays for attorneys.”
What Enterprises May Need To Do
The program manager said that due to the law’s stipulations, companies may have to establish new websites or call centers to field requests for information (or add links to existing websites).
Companies will also need to have a good idea of their data flows and an understanding of data classifications down to field-level within their databases, Hartenstein said.
Commenting on the law overall, Hartenstein added, “What I find most troubling are all of the ways that a company can find an exception to CCPA, and escape the new requirements that are making headlines… The exceptions would allow a company not to stop sharing your data with third parties, or not send you a report of all the data they have on you upon your request.”
Long term, the program manager doesn’t see “great impact past 2020, unless residents of other states envy the rights of California residents and lobby for similar bills in their home states… Many states are proud not to be as progressive regarding privacy as California and New York are.”
However, Sanford added: “Because non-compliance with the CCPA could cost companies dearly, instituting stronger privacy protections at the federal level might be next or alternatively, California’s statute may likely spur other states to proactively pass similar legislation, regardless of federal action. This step would eliminate the current inconsistent patchwork of state laws and provide greater protection for all U.S. citizens.”
Be Sure To Check Out: 'No Security Through Obscurity': The Link Between Privacy & Visibility