Updated: May 16, 2019
2018's new consumer data privacy laws are business critical. Unfortunately, just when you thought you had the European Union's General Data Protection Regulation (GDPR) figured out, along comes the California Consumer Privacy Act (CCPA) to open up Pandora's box again. We're here to help you sort out both laws, so we decided to kill two birds with one stone and tackle the California Consumer Privacy Act and the GDPR at the same time.
California Consumer Privacy Act (CCPA). Many global companies do business with California residents. In fact, California is now the world's fifth largest economy, larger than the UK's. So it makes sense that, effective January 1, 2020, the CCPA requires companies worldwide to comply with consumer protections covering the personal information they collect about California residents. So how does the CCPA differ from the GDPR, and how can you comply with both?
CCPA protects all California residents. The law defines a "consumer" as any natural person who is a California resident, and it covers personal information that can be linked to a household as well as to an individual. The CCPA gives California consumers the right to:
opt out of companies selling their personal information to third parties (for consumers the business knows to be under 16, a sale requires an affirmative opt-in: by the minor if aged 13 to 15, or by a parent or guardian if under 13);
access consumer data collected about them;
delete consumer data collected about them;
know where their personal information was sold/disclosed and to whom; and
non-discriminatory service and pricing even after they exercise any of these rights, including opting out of the sale of their data.
CCPA protection applies to a broad array of data. Examples of protected data include water/energy consumption, job titles and descriptions, IP addresses, and browser histories.
Who CCPA applies to: The CCPA applies to for-profit businesses that collect personal information about California residents if they (or a parent or subsidiary sharing their branding) meet at least one of the following tests:
have annual gross revenues exceeding $25 million; or
buy, receive, sell or share, for commercial purposes, the personal information of 50,000 or more California consumers, households or devices each year; or
derive 50% or more of their annual revenue from selling the personal information of California consumers.
CCPA does NOT apply to: Non-profits, and companies that fall below all three thresholds above - and do not share a brand with an affiliate that meets one of them.
The GDPR, on the other hand, applies to any organization that processes personal data (not just sensitive data) of individuals in the EU in connection with offering them goods or services or monitoring their behaviour, including non-profits and companies established outside the EU.
CCPA Exceptions: There are limited exceptions to the CCPA's reach. Most of them are carve-outs from what counts as a "sale" rather than from the law as a whole:
disclosures to a third party that the consumer directs or intentionally initiates, provided that third party does not in turn sell the data;
disclosures to a service provider for a business purpose under a contract that bars the provider from using the data for anything else;
transfers of personal information as part of a merger, acquisition, bankruptcy or similar transaction; and
commercial conduct that takes place wholly outside California (the consumer was outside the state when the information was collected, and no part of the sale occurs in California).
Penalties. The CCPA provides stiff penalties for violations. In addition, lawmakers provided funds to enforce the new law by creating a Consumer Privacy Fund. The Consumer Privacy Fund receives 20% of all penalties collected by California under the CCPA.
The new law provides the following civil penalties, recoverable by the Attorney General, for violations of the CCPA:
up to $7,500 for each intentional violation;
up to $2,500 for each other violation. In both cases the Attorney General must first notify the business and give it 30 days to cure the alleged violation.
Consumers may also sue directly, individually or in class actions, when their unencrypted and unredacted personal information is exposed in a data breach caused by the business's failure to maintain reasonable security. Courts may award the greater of actual damages or statutory damages of $100 to $750 per California consumer per incident. Before seeking statutory damages, a consumer must give the business 30 days' written notice and an opportunity to cure the violation.
Penalties under the GDPR go up to €20 million (roughly $22 million at the time of writing) or, if greater, 4% of the previous year's worldwide annual turnover. The lower tier of fines, which covers failures such as not notifying the supervisory authority of a breach, goes up to €10 million (roughly $11 million) or, if greater, 2% of worldwide annual turnover.
Stay tuned: in the next post, we compare the GDPR and the CCPA directly.