Data privacy laws are fast becoming a primary element in any data security conversation: from the EU’s GDPR to the California Consumer Privacy Act to Japan’s Act on the Protection of Personal Information, the ability to protect consumer data is top of mind. For companies that are built around consumer data, consumer trust becomes a vital part of their business model.
On May 25, 2018, the EU General Data Protection Regulation (GDPR) went into effect. And in the wake of the EU’s GDPR came another shift in data privacy — the California Consumer Privacy Act (CCPA). On June 28, 2018, Governor Jerry Brown signed the CCPA, which will enact some of the country’s most powerful consumer data privacy protections into law.
With the devastating series of data breach incidents in the past couple of years, many questions and concerns have arisen about the way consumer data is being handled. 2017 was the year of the data breach, given the magnitude of high-profile incidents at companies such as Equifax and Yahoo. Attacks like these make data breaches seem part of normal life, not just in the United States, but around the world.
While the GDPR was created to protect citizens of the EU, its impact spans much farther. The CCPA is an outcome of the GDPR’s reaching influence, shifting government priorities and making them more willing to protect individual privacy. Although the CCPA does not go into effect until January 1, 2020, it’s important to be aware of the policies and processes necessary for compliance, and to analyze the current and future impact it will have in comparison to GDPR.
Businesses have a track record of using personal information to benefit their own agenda: the California Consumer Privacy Act (CCPA) will serve to protect California consumer rights and encourage stronger privacy and greater transparency overall. It will give consumers ownership, control, and security over their personal information – and consumers will have the ability to request that any business disclose (and delete) the personal information that it collects, and request that their data not be sold to third parties.
These data protections give Californians the right to:
- Know what personal information is being collected
- Access the personal information that is collected, and request it be deleted
- Know whether their personal information is being shared, and if so, with whom
- Opt-out of the sale of their personal information
- Have equal service and price, whether or not they choose to exercise their privacy rights
Businesses will also be prohibited from selling the personal information of consumers ages 13–16 (unless the consumer opts-in). For consumers under the age of 13, consent from a parent or guardian will be required. These new protections not only affect California consumers but also California businesses.
Who Does the CCPA Apply to?
The California Consumer Privacy Act defines a business as a for-profit entity that collects consumer personal data. So, if you’re a business in the state of California that meets at least one of the following thresholds, you may be subject to compliance:
- Businesses that earn $25,000,000 or more a year in revenue
- Businesses that annually buy, receive, sell or share personal information of 50,000 or more consumers, households or devices for commercial purposes
- Businesses that derive 50% or more of their annual revenue from selling consumer personal information
Under the CCPA, California citizens will have the ability to bring a civil action lawsuit against companies that do not abide by the law. The state can also bring these charges to a company directly — charging a $7,500 fine for any violation that is not addressed within 30 days.
Why does California’s new law matter for everyone else? It’s part of a global trend pushing companies toward greater accountability with regard to protecting consumer data. Additionally, it has given other countries and states a push towards the importance of taking personal data and consumer rights to data privacy more seriously. Chief proponent of the CCPA Alastair Mactaggart stated that, “While this law just covers California currently, large companies will soon have to offer similar rights to Americans.”
CCPA vs. GDPR
The European General Data Protection Regulation is an evolution of the EU’s existing data rules, the Data Protection Directive (DPD). It addresses many of the shortcomings in the DPD, including adding requirements for documenting IT procedures, performing risk assessments under certain conditions, notifying the consumer and authorities when there is a breach, and strengthening rules for data minimization. People who are familiar with the GDPR will notice some strong similarities to the CCPA.
The CCPA is said to be a model of the GDPR. And, with the recent passage of the CCPA, many people have been wondering how it compares to the GDPR — with some even calling it the American version of the regulation. No matter how influenced the CCPA may have been by the GDPR, there are some clear differences worth noting in each legislation.
Both the CCPA and the GDPR give individuals certain rights over how their personal information is collected and used; however, there are several important contrasts to be aware of. Because California has a much larger economy than the UK, the implications of penalties may be even more severe than those of the GDPR. Even though the CCPA does not go into effect until 2020, we’re already seeing it influence federal legislation.
The comparison below summarizes the main similarities and differences between the GDPR and the CCPA.

| | CCPA | GDPR |
|---|---|---|
| Effective date | January 1, 2020 | May 25, 2018 |
| Who it protects | “Consumers” who are California residents. | “Data subjects” in the European Union. |
| Definition of personal information | Any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly, with a particular consumer or household.” This includes not only identifiers like name or address, but extends to browsing history, behavioral data, and more. | Any information relating to an identified or identifiable natural person, directly or indirectly. This usually means data like address, license plate numbers, SSN, blood type, bank account information, and more. |
| Rights granted | Grants consumers five rights: the right to disclosure; the right to deletion; the right to access; the right to opt-out; the right to non-discrimination. | Grants data subjects eight rights: the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; rights in relation to automated individual decision making, including profiling. |
| Right to deletion | Applies to data collected from and about the consumer. | Applies to all data collected about the consumer. |
| Who must comply | “California businesses” of substantial size (with regard to revenue or number of consumers affected) that collect consumer personal data. | Any “data controllers” (who determine the purpose and means of processing the data) and “data processors” (who process this data for the controller) that hold personal data of EU citizens. |
| Basis for consent | Allows sites to collect and sell your data if you sign up or make an online purchase, and only offers consumers the right to opt-out. | Requires consumers to opt-in to data collection by instructing sites to get consent before collecting data. |
| Time allowed to respond to a request | Responsible parties have 30 days to respond to a request. | Responsible parties have 40 days to respond to a request. |
| Penalties | Organizations in breach can be fined up to $2,500 per violation for negligent violations and up to $7,500 per violation for intentional violations. | Organizations in breach can be fined up to 4% of annual global turnover or EUR 20 million. |

Both laws:
- Encourage transparency in businesses/related entities.
- Require businesses/related entities to report data breaches to consumers/individuals.
- Look to better secure and protect the personal information of an individual.
- Define data processing as “any operations performed on personal data, automated or otherwise.”
The Big Picture
Governments are beginning to take data privacy very seriously. Like the GDPR, the CCPA will have far-reaching impacts across state jurisdictions. And, although the CCPA does not go into effect for another 15 months, we’ve learned from the GDPR that a year and a half isn’t a lot of time to become compliant.
It’s important to start preparing now: being prepared will save your company a lot of headaches (and costly enforcement actions) in the future. Meeting subject access requests – whether for GDPR, CCPA, or another regulation – can be especially difficult to achieve: you need to be able to identify content related to a data subject, classify and protect consumer data, and sometimes even delete upon request.
Don’t expect this to be the last privacy act, either — there are many more on the horizon. Companies should be prepared to meet more stringent data privacy regulations that focus on data discovery, security, and classification.
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.