The California Consumer Privacy Act (CCPA), which came into force on 1 January 2020, enhances the data protection rights of residents in California, United States.
It joins an increasing number of laws around the world that follow the EU General Data Protection Regulation (GDPR), the latest of which is Brazil’s Lei Geral de Proteção de Dados (LGPD), all of which require organizations to better secure people’s personal data.
Like the GDPR, the CCPA gives Californian citizens the right to know what personal data is being collected and how it is being used; opt-out of the sale or sharing of their personal data; and request that their data is deleted.
But while the aims of the regulations are virtually identical, there are key differences when it comes to their application: who must comply, the right to data access, opt-in vs. opt-out, and penalties.
Let's dig in.
The CCPA versus the GDPR
While the GDPR applies to any organization that operates within the EU or has customers within it, the criteria in California are more specific, thereby reducing the number of businesses that need to comply.
The CCPA only applies to those that collect personal data and satisfy at least one of the following criteria: an annual gross revenue in excess of US$25 million; the purchase, receipt, or sale of the data of 50,000 or more consumers or households; or businesses that earn over half their annual revenue from selling consumer data.
Right to data
The GDPR offers individuals more rights to information on their personal data and how it is used than the CCPA.
The EU legislation gives individuals a say over data portability (the secure transfer of personal data from one IT environment to another) and the use of their data for automated decision making and profiling – California’s doesn’t.
Opt-in vs. opt-out
Under the GDPR, individuals are required to proactively opt-in to any form of communication. Under the CCPA, while people must be given the chance to opt-out, they can still automatically opt-in if they make a purchase or sign up for a service.
This is by far the biggest difference between the two regulations.
Penalties
Under the GDPR, companies can be fined up to 4% of their annual global turnover, or €20 million – whichever is larger. So far this has resulted in significant penalties, including a £183 million fine for British Airways and a fine of over £99 million for hotel group Marriott.
Under the CCPA, businesses are subject to much smaller fines of up to US$2,500 per negligent violation and up to US$7,500 per intentional violation.
While it might not offer as much protection as the GDPR, the CCPA is still good news for citizens of California, as organizations are required to take new steps to ensure any data they hold on individuals is protected.
To mitigate the risk of a data breach, businesses must make sure that any data they store remains secure and that their storage systems do not present an easy target for cyber attacks.
Businesses will need to employ encryption methods in both on-premises and cloud infrastructure environments.
Encryption limits access to the parties that hold the key, so that even if stored data is copied out in a breach, the sensitive content remains unreadable.
This will require strong key management, which includes matching key strength to the sensitivity of the data, choosing where keys are stored, setting key lifespans, distributing keys only to authorized parties, and being able to destroy keys or take them offline.
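As an added illustration of those key-management points (example code written for this page, not from the article's author or from any particular product), the Go program below keeps keys in a small store that stands in for an HSM or cloud KMS: the key length is chosen by the sensitivity tier of the data, every key has a lifespan, a key can be taken offline (decrypt-only) or destroyed, and destroying a key makes every record encrypted under it unrecoverable at once. The store, the tier names and the key IDs are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// Tier is a record's sensitivity class; it decides the key strength used for it.
type Tier int
const (
	TierInternal  Tier = iota // e.g. product preferences: AES-128
	TierSensitive             // e.g. government ID numbers: AES-256
)

// KeyState is a key's lifecycle position.
type KeyState int
const (
	KeyActive    KeyState = iota // may encrypt and decrypt
	KeyOffline                   // decrypt-only, e.g. while a successor key takes over
	KeyDestroyed                 // material zeroed: ciphertext under it is unrecoverable
)

type Key struct {
	Tier    Tier
	Expires time.Time
	State   KeyState
	raw     []byte
	aead    cipher.AEAD
}

// KeyStore stands in for an HSM or cloud KMS (assumed in-memory here), kept apart
// from the data store; the clock is injectable so lifespans can be tested.
type KeyStore struct {
	keys map[string]*Key
	now  func() time.Time
}

// Generate creates an AES-GCM key sized to the tier, with a fixed lifespan.
func (ks *KeyStore) Generate(id string, tier Tier, lifespan time.Duration) *Key {
	size := 16 // AES-128
	if tier == TierSensitive {
		size = 32 // AES-256
	}
	raw := make([]byte, size)
	rand.Read(raw)                  // OS CSPRNG; documented never to fail since Go 1.24
	block, _ := aes.NewCipher(raw)  // cannot fail: size is a valid AES key length
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	k := &Key{Tier: tier, Expires: ks.now().Add(lifespan), State: KeyActive, raw: raw, aead: aead}
	ks.keys[id] = k
	return k
}

// Encrypt refuses keys that are not active, past their lifespan, or weaker than the
// record's tier demands; the key ID is bound to the ciphertext as associated data.
func (ks *KeyStore) Encrypt(keyID string, tier Tier, plaintext []byte) ([]byte, error) {
	k, ok := ks.keys[keyID]
	switch {
	case !ok || k.State != KeyActive:
		return nil, errors.New("key is missing or not active")
	case ks.now().After(k.Expires):
		return nil, errors.New("key has exceeded its lifespan")
	case k.Tier < tier:
		return nil, errors.New("key strength is below the data's sensitivity")
	}
	nonce := make([]byte, k.aead.NonceSize())
	rand.Read(nonce)
	return k.aead.Seal(nonce, nonce, plaintext, []byte(keyID)), nil
}

// Decrypt works for active and offline keys; a destroyed key means the data is gone.
func (ks *KeyStore) Decrypt(keyID string, ciphertext []byte) ([]byte, error) {
	k, ok := ks.keys[keyID]
	if !ok || k.State == KeyDestroyed {
		return nil, errors.New("key unavailable: ciphertext is unrecoverable")
	}
	if len(ciphertext) < k.aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	ns := k.aead.NonceSize()
	return k.aead.Open(nil, ciphertext[:ns], ciphertext[ns:], []byte(keyID))
}

// TakeOffline stops new encryption under the key; existing data stays readable.
func (ks *KeyStore) TakeOffline(keyID string) {
	if k, ok := ks.keys[keyID]; ok && k.State == KeyActive {
		k.State = KeyOffline
	}
}

// Destroy zeroes the material so every record encrypted under the key becomes
// unreadable at once (crypto-shredding) without touching the data store.
func (ks *KeyStore) Destroy(keyID string) {
	if k, ok := ks.keys[keyID]; ok {
		clear(k.raw)
		k.raw, k.aead, k.State = nil, nil, KeyDestroyed
	}
}
```

Two design choices matter in practice: the key store and the data store are separate objects so that a breach of one does not hand over the other, and the key ID is authenticated alongside the ciphertext, so a record cannot be silently re-pointed at a different key. Destroying a key is how a deletion request can be honoured across backups that still hold the ciphertext.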
Some businesses may turn to tokenization, whereby sensitive data is replaced with a non-sensitive equivalent, once again protecting the information in the event of a breach.
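An added example of the tokenization approach (written for this page, not taken from the article or from any vendor): a vault keeps the only copy of each sensitive value and hands out a random token for the application database to store, so a breach of the application database yields nothing usable. The vault type, the HMAC index key and the constructed card numbers are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// TokenVault holds the only copy of each sensitive value; every other system stores
// the token. Assumption for this example: an in-memory vault stands in for the
// separately secured service a real deployment would use.
type TokenVault struct {
	indexKey []byte            // HMAC key for the value index, kept with the vault
	byToken  map[string]string // token -> sensitive value
	byValue  map[string]string // HMAC(value) -> token, so repeats reuse one token
}

func NewTokenVault(indexKey []byte) *TokenVault {
	return &TokenVault{indexKey: indexKey, byToken: map[string]string{}, byValue: map[string]string{}}
}

// fingerprint indexes a value without storing it in the index; without indexKey the
// fingerprint cannot be tested against guesses of the value.
func (v *TokenVault) fingerprint(value string) string {
	m := hmac.New(sha256.New, v.indexKey)
	m.Write([]byte(value))
	return hex.EncodeToString(m.Sum(nil))
}

// Tokenize returns a random token; it carries no information about the value, so a
// breach of any system holding only tokens exposes nothing.
func (v *TokenVault) Tokenize(value string) string {
	fp := v.fingerprint(value)
	if tok, ok := v.byValue[fp]; ok {
		return tok
	}
	b := make([]byte, 16)
	rand.Read(b) // OS CSPRNG; documented never to fail since Go 1.24
	tok := "tok_" + hex.EncodeToString(b)
	v.byToken[tok] = value
	v.byValue[fp] = tok
	return tok
}

// Detokenize is the only path back to the value, which makes it the place to gate
// with access control and audit logging.
func (v *TokenVault) Detokenize(token string) (string, error) {
	value, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return value, nil
}

// Forget deletes the value, e.g. to honour a deletion request; tokens that other
// systems still hold become meaningless references.
func (v *TokenVault) Forget(token string) {
	if value, ok := v.byToken[token]; ok {
		delete(v.byValue, v.fingerprint(value))
		delete(v.byToken, token)
	}
}

// CustomerRecord is what the application database stores: a token, not the card number.
type CustomerRecord struct {
	Email     string
	CardToken string
}

// StoreCustomer shows the application-side flow: the sensitive field is swapped for
// a token before the record ever reaches the application database.
func StoreCustomer(v *TokenVault, email, cardNumber string) CustomerRecord {
	return CustomerRecord{Email: email, CardToken: v.Tokenize(cardNumber)}
}
```

The point of the HMAC index is that the vault can recognise a repeated value without keeping a plain hash that could be brute-forced against a short value such as a card number; the point of random tokens is that the token itself reveals nothing, unlike format-preserving or hash-derived schemes.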
The CCPA is a positive step in the protection of individuals’ data, particularly in a country where only two other states – Nevada and Maine – offer state-level data protection legislation.
And at the very least, it pushes organizations to evaluate and strengthen their approach to data security.