The main purpose of Cybersecurity Awareness training course is to minimize huma....
The California Consumer Privacy Act (CCPA) is now a reality
Information Security Management
2020-10-26
How will the so-called “GDPR-elite” law affect you or your business?
Last year, the state of California passed a crucial privacy law which gives consumers a lot more control of their data. This act gives residents all the rights to control what information companies obtain on them and how that information is used. The CCPA just came into effect on January 1, 2020, and it provides state residents with new tools of shielding their online personal information, hence, saddling businesses with a lot more responsibility.
What is the California Consumer Privacy Act (CCPA)?
The CCPA passed in 2018, and is considered to be one of the most comprehensive privacy legislations to be enacted in the US, according to the American Bar Association (ABA). Under this new legislation, residents of California are able to demand companies to reveal what information is obtained on them as well as the possibility of requesting a copy of that information.
Additionally, companies can be forced to also delete their consumer’s data upon request and they are forbidden from selling it, if the customer clicks the “do not sell” button on their company website. This will not have an effect on receiving equal service and price whether they exercise their privacy rights or not. Thus, companies are not allowed to treat a user differently because they have requested to have access to their personal data.
What data does the CCPA cover?
The CCPA takes into account a broader approach to what constitutes sensitive data compared to GDPR. The newly enacted law covers olfactory information, browsing history as well as records of a visitor’s interactions with a website or application. Here is a general round up of what CCPA classifies as personal information:
- - Real name, postal address, alias, unique personal identifier, IP address, account name, email address, driver’s license number, passport number, social security number and so forth
- - Characteristics of protected classifications under California or federal law
- - Personal property information, services purchased, services considered or obtained and other purchasing histories
- - Geolocation Data
- - Biometric information
- - Internet or any sort of electronic network activity, browsing history, search history, interactions with a website
- - Electronic, thermal, visual, audio or similar information
- - Employment information
- - Education information
- - Inferences that are drawn from information that is identified in this subdivision in creating a profile about a consumer which reflects their characteristics, preferences, predispositions, intelligence, and so forth.
What happens if companies don’t follow the CCPA law?
Companies will be required to comply with the CCPA law if:
- they have an annual gross revenue of $25m;
- generate 50% or more of their annual revenue from selling consumers’ personal information;
- annually buy, sell or receive as well as share the personal information of more than 50,000 consumers for commercial purposes.
According to the International Association of Privacy, this means that at least 500,000 businesses will be obliged to comply with the new law. Hence, the law will have a direct impact on more than half a million US companies and their operational business system.
Furthermore, companies have 30 days to comply with the law once regulators inform them of a data violation. Then, if the issue is not fixed, a fine of up to $7,500 per record is placed. "If you think about how many records are affected in a breach, it really increases very quickly," Debra Farber, senior director for privacy strategy at BigID adds.
How does the CCPA compare to other privacy laws?
CCPA is often being referred to as “GDPR-lite”, in terms of the similarity that this law has to the EU’s General Data Protection Regulation (GDPR), which was enacted in May 2018.
However, this newly enacted law differs from GDPR in terms of the scope of application, the nature and extent of collection limitations and also regarding the rules concerning accountability. The GDPR imposes the appointment of a Data Protection Officer (DPO), maintaining a register of processing activities and also stresses the need for a Data Protection Impact Assessment in certain circumstances. On the other hand, the CCPA does not focus a lot on accountability, even though such provisions exist. An example of such provisions can be the requirement for companies to train their employees that deal with requests from consumers.
GDPR has a broader scope, meaning that it affects all businesses that handle user data, whereas CCPA applies only to companies that have a gross revenue of over $25m, have more than 50,000 customers and a revenue of 50% or more based on user data.
Also, CCPA gives the chance to users who do not want their data to be sold for more explicit “opt out” options. Thus, companies must include a “Do Not Sell My Personal Information” link on their websites. On the other hand, under the GDPR, companies are not necessarily required to get user consent to collect and use their data as long as there are other valid "lawful basis" for processing.
Additionally, another difference lies in terms of collecting children’s data. Under the GDPR, parents must provide consent for data processing of children that are under the age of 16, whereas CCPA requires companies to get consent from parents of children ages 13 and under, while children that are older than 13 are able to give their own consent.
On a final note, considering the latest developments in data privacy management, it is inevitable that privacy laws and frameworks such as the GDPR, the CCPA, and others are enacted. Data mishandling, the lack of confidentiality, authorization are only some of the many concerns that consumers have regarding their personal information. With that being said, it is of utmost importance that companies follow these crucial laws and build secure frameworks so that consumers can feel safe in terms of the daily usage of online platforms.
About the author
Ardian Berisha is a Senior Product Marketing Manager for ISR at PECB. He is in charge of conducting market research while developing and providing information related to ISO standards. If you have any questions, please do not hesitate to contact him: marketing.ism@pecb.com.
