California Consumer Privacy Act: America’s answer to GDPR
From the last few months, data privacy has become one of the most widely discussed topics. Compliance, rights & services around personal information and privacy have taken a tectonic shift in last one year due to implementation of GDPR in EU. If you are a software product vendor catering to EU, you know the pain of all-nighters you had to pull off to meet that 25th May deadline. It was obvious that America won’t be too far to catch up with privacy Compliance and now CCPA seems to be the answer.
California Consumer Privacy Act (CCPA) or AB375, which will be effective from Jan 1st, 2020, protects California residents from misuse of any identifiable personal information that can relate to them as a consumer. While it is only limited to the State of California as of now, CCPA can become a Federal Law if other states see its merits as well. The definition of consumer under CCPA is very broad and it consists of customers, employees, tenants, students etc.
So now that we know what the act is, let’s jump into some of the most pressing questions around it.
How does CCPA help consumers?
Simply put, the act gives the power of 3 W’s to a consumer,
- What personal information is being collected?
- Why is it being collected?
- To Whom this information is being sold?
If unsatisfied with the answers of above mentioned questions, the consumers can simply express their right for Data Erasure and also opt out from the sale of personal information.
Do all companies need to comply?
No. CCPA is applicable for businesses which are located in and out of California and are handling the personal data of California residents where,
- Annual gross revenues are at least $25 million.
- The organizations buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices.
- Majority of annual revenue is from selling consumers’ personal information.
What are the fines in case of breach or noncompliance?
An organization can be fined anywhere between 100-750 $ per violation per user.
What defines Personal Information under CCPA?
Interestingly, personal information in CCPA is not just limited to your usual Name, Age, Address, Sex etc. but also contains some key elements like,
- Commercial information (records of products or services purchased, obtained or considered).
- Internet activity (browsing, search history, interactions with advertisements)
- Inferences drawn from personal information to create profiles reflecting consumer preferences and attitudes.
How is CCPA different than GDPR?
Putting GDPR and CCPA in the same bucket is understandable as they both talk about the privacy of personal information. What essentially differentiates them is that one offers right to opt in and the other to opt out. GDPR requires sites & software to obtain consent before gathering personal information. CCPA, on the other hand, does not restrict gathering of personal information based on consumer consent but provides consumers a right to opt out of it. Apart from this. following are some of the key similarities and differences between GDPR and CCPA:
What your software or site needs to do to be CCPA compliant?
Following are some of the key things you as software or website provider should investigate:
- Data inventory to store all transactions:
- One of the major changes you will need to do is change or modify your data inventory to accommodate all transactions, logs, interactions against your consumers. While CCPA is only applicable for California residents, making these changes for all your consumers will be much easier than distinguishing California users to whom these rules can be applied. Plus, you remain ready in case CCPA becomes a Federal act in the U.S.
- Data Erasure ability:
- Well, if you are compliant with GDPR then you must already have this ready within your system. Consumers may demand deletion of all identifiable data from your database and your system should be ready for it. Since you may need some de-identifiable transactions to make sure your analytics and reports are not hampered, segregation of information which falls under CCPA and which doesn’t will be crucial.
- Export of collected personal information:
- You may be required to export the details around your consumers’ personal information if requested. While CCPA does not explicitly talk about any specific format in which this information should be provided, having this ‘Export’ feature in front-end to generate readable reports will remove your dependency from database engineer making the process easier and seamless.
- Addition of links & portals on website for consumers to express CCPA rights:
- You will require a complaint portal integrated with your software or site with the help of which your consumers can express their CCPA rights along with details of any help which your consumer may need.
And the last question,
Jan 2020 is too far away. Don’t we have enough time?
Agreed that the effective date is more than a year away but when you consider the magnitude of above mentioned changes which one needs to prepare for, we may already be out of time. There are too many wheels spinning around when it comes to CCPA and its component. America fast-tracking AB375 proves that they are equally serious about privacy as their EU allies. We at Harbinger Systems have already helped numerous Software Vendors with GDPR compliance by taking care of all the software necessities and will be able to provide similar services for CCPA. Making your systems bulletproof against privacy & security breaches is the need of the hour and taking a head start towards such protection-oriented compliance always helps.