California is considered the world’s 5th biggest economy, ranking higher than some European countries. This is not a surprise as it's home to Silicon Valley, the world’s premier innovation hub and headquarters of multiple tech giants, as well as secondary tech hubs like Silicon Beach.
Given the numerous data breaches and inappropriate use of customer’s information for targeted advertising, there is growing public concern regarding the misuse of personal information, security, and privacy.
Data privacy regulations are becoming a primary element in any data security conversation. In the case of the Union GDPR (2018), Brazilian LGPD (2020), and the California Consumer Privacy Act (2020), the ability to protect personal information is a top priority. For companies that base their operations around customer data, trust becomes an essential part of their business model.
In this article, we will explore some concepts of California's Consumer Privacy Act (CCPA), similarities and differences between CCPA and GDPR regulations, and the impacts generated by these regulations.
CCPA Overview
While the GDPR was created to protect citizens of the EU, CCPA is an outcome of the GDPR, changing government priorities, and making them more willing to protect individual privacy. Although the CCPA is relatively new, it’s important to be aware of the policies and processes necessary for compliance, and the future impact it will have in comparison to GDPR.
This California state law establishes new consumer rights relating to the access of personal information that is held by businesses. The meaning of Personal information is quite broad, the definition given in CCPA says:
Personal information is information that identifies, relates to, or could reasonably be linked with an individual or household._
Some examples of that are customer personal and private information, internet browsing history, geolocation data, fingerprints, IP addresses, etc. Personal information does not include available information from federal, state, or local government records.
Businesses have a track record of using personal information to benefit their agenda and the CCPA serves to protect California consumer rights and encourage stronger privacy, traceability, and transparency.
The CCPA allows consumers to have control, ownership, and gain security over their personal information. They also allow for the request that any business discloses and if necessary, delete any personal information collected.
This data protection gives consumers the right to:
- Know what personal information is collected.
- Access to and the option to delete any necessary personal information.
- Knowledge of who their personal information is being shared with and the option to deny such access.
- Have equal service, price, and privacy rights (right to non-discrimination).
It should also be noted that it is illegal to sell personal information of any consumers aged 13–16. without the consent of a parent or guardian.
Who does the CCPA apply to?
CCPA defines a business as a for-profit entity, that collects consumer personal data, and applies to all companies that serve California residents. Companies may be subject to compliance if it meets at least one of the following thresholds:
- A minimum of $25 million in annual revenue Annually buy, sell, receive, or share personal information of at least 50,000 consumers, homes, or devices for commercial purposes.
- Companies that derive 50% or more of their annual revenue from the sale of personal information.
CCPA vs GDPR: What are the differences?
The European General Data Protection Regulation is an evolution of the EU’s existing data rules and replaced the Data Protection Directive (DPD). It addresses many of the weaknesses in the DPD, including adding requirements for documenting IT procedures, performing risk assessments under certain conditions, notifying the consumer and authorities when there is a breach, and strengthening rules for data minimization.
The GDPR protects similar private data as the CCPA recommends that companies provide a “reasonable” level of protection for personal information. It also mandates that the business explains to the customer how their information will be used and to explicitly ask for their permission to collect and process it.
No matter how influenced the CCPA may have been by the GDPR, there are some clear differences we should notice in each legislation. Although the two laws are quite similar, the CCPA differs from the GDPR in a few important ways:
- Impacted businesses: Businesses of any size must comply with the GDPR, the CCPA only impacts businesses that reach a certain size and process a certain amount of data from consumers.
- Penalties: GDPR penalties are capped based on a company’s annual revenue, on the other hand, CCPA penalties have no limit and are assessed per violation and the number of affected consumers.
- Opt-in/Opt-out: Under GDPR, businesses must have opt-in from consumers before collecting data. In the case of CCPA, consumers must opt-out of data collection.
- Third-party data sales: GDPR businesses must have consent from customers before any third-party processing or sales its data, while the CCPA requires businesses to simply notify the customer of a data sale or transfer, with the option to refuse.
In short, both regulations give more power to consumers and enable them to take action if they want their data to remain private. Besides that, businesses are required to adhere to their requests.
Does CCPA apply to my business?
Unbeknownst to some, CCPA doesn’t just apply to businesses based physically in California, but any business with customers who reside in the state.
Under the CCPA, businesses must be aware of what is considered private data, locate and treat customers information in a secure way, even addressing their vendors to ensure that they are compliant too.
To protect customer’s personal information, businesses need to know what data they have, where it resides, and how it is processed. In this way, they can set up the appropriate security measures to be compliant with this regulation.
Companies must realize that the impact of the CCPA is no trivial matter. They have to begin preparing now to become compliant, if they don’t, they will face reputation damage, fines, and loss of customer’s trust.
Being prepared for this kind of regulation will bring a smooth path for the future ones that will come and In other words, it will pay to be compliant, and consumers will value you for it.
How to be prepared for CCPA
As soon as you know that your business is subject to CCPA, you can start working to be compliant. The following steps can be useful to help get ready:
- Roadmap: Create a plan to help achieve compliance with CCPA.
- Learn: Know your obligations and be aware of any changing requirements.
- Data Map: Identity what personal information you collect from customers, why it is being collected, where it is stored, how secure it is, and who it is being shared with.
- Privacy policy: Update your privacy notices to comply with CCPA’s requirements. You can also provide your customers with a Do Not Sell My Information option.
- Consumer requests: Establish a system for processing consumer rights requests.
- Train: Educate your team on how to handle personal information and consumer requests.
- Security: Enforce the security of personal information with risk assessment, and an incident response plan.
- Check Providers: Evaluate your upstream and downstream contracts with third-party service providers and modify the underlying agreements for CCPA compliance. Think about your standard data-sharing practices, including relationships with data aggregators, data brokers, etc.
What about CCPA and HIPAA? (case scenario)
Despite its broad scope, CCPA creates certain exemptions designed around HIPAA and other laws. For example, CCPA does not apply to “Protected Health Information” (PHI) as defined in HIPAA. This is collected by a covered entity or business associate.
CCPA’s HIPAA exemption is designed to allow covered entities and business associates to continue following the privacy regulations laid out in HIPAA and without interference from an additional law. CCPA exempts an organization that “maintains patient information in the same manner” as PHI under HIPAA.
Healthcare providers and insurance agents may assume that the law’s HIPAA exemption will cover PHI and other customer information. So we have good news, if your business is HIPAA compliant, you are not required to apply extra measures to protect your patients' and customers’ information. Now let’s take a look at some examples where the exemption applies and not.
Case 1: Assume that you own a sportswear company that sells products in California and you have developed a step-counter app that users can download to their phones through Google Play and App Store.
The app tracks the number of steps a user takes each day and captures additional information, including the user's name, birthday, weight, calories burned, geolocation, and walking average. That company is probably not a covered entity or business associate under HIPAA and would not be able to apply to the CCPA's HIPAA exemption.
Case 2: Now consider a health care system "operating" in California that created an app with the same features as the previous case, yet made the app available only to its patients to monitor their health and treat medical conditions. That organization is a covered entity under HIPAA, the data is probably PHI, and the HIPAA exemption probably applies.
Final Thoughts
Data privacy regulations will demand a lot of work in the preparedness for compliance but being forced to optimize the data that a company collects, processes and stores could create efficiency. Companies need only store the necessary pieces of personal information to perform their services and reduce the time and resources (they have spent in the past) to store all of it. Compliance can be viewed as a company’s competitive advantage by offering consumers peace of mind that their data is protected and secure.
I believe that CCPA is a powerful law that will be a big win for both consumers and businesses, and will help to put the United States at the same level as Europe with GDPR in the global privacy discussion. This law is here to stay and leverages the rights between consumers and business, giving the former the chance to know what a company knows about them, decide whether or not they can keep that information, and prevent them from selling it.
Governments are beginning to take data privacy very seriously. For example, the European Union, Brazil, India, Japan, and other countries, the CCPA will have far more impact across state jurisdictions, reaching companies around the world. Achieving compliance is important and will save your company money, time, and a potentially negative reputation.
To comply with these regulations can be hard work, and you need to be able to identify content related to the data subject, classify and protect consumer data, and sometimes even delete upon request. But there is light at the end of the tunnel if you get your business prepared for this kind of regulation, you will get a competitive advantage and it will be easy to get ready for new regulations as there are many more on the horizon.
References
Privacy laws around the world - https://piwik.pro/blog/privacy-laws-around-globe/
State of California Department of Justice - https://oag.ca.gov/privacy/
General Data Protection Regulation - https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en