If You’re GDPR Compliant, Are You California Ready?
GDPR was just the beginning. With the Data Care Act being the latest privacy bill to come into play in the U.S., governments are requiring companies to take a better handle on consumer data by updating their data practices and ramping up on compliance programs.
We take a closer look at two recent regulations, specifically the General Data Protection Regulation and the California Consumer Privacy Act, that brought about the most important changes to data privacy regulation in 20 years. While both encourage transparency within businesses and look to better secure and protect the personal information of consumers, nobody should assume that being GDPR compliant makes them CCPA compliant. Here’s why.
The GDPR, which went into effect in 2018, is one of the most comprehensive data privacy laws in the world to date. The scope and territorial reach is broad and applies to any individual or organization that obtains personal information on an EU citizen or an entity that processes data on behalf of the organization, regardless of the company’s location.
On the contrary, the CCPA effects organizations that simply conduct business with California residents and satisfy one of three thresholds:
- Has an annual gross revenue in excess of $25 million
- Buys, receives for commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices
- Derives 50 percent or more of its annual revenue from selling
Key Definitions & Provisions
While GDPR defines personal data as information relating to an identified or identifiable person, the CCPA has a broader definition of what constitutes as sensitive data that applies to any data that is identifiable to an individual and household. That means, if you’re able to narrow down any personally identifiable information to a family through a data set, that’s considered sensitive data in California.
“Primarily and fundamentally, the CCPA is a transparency vehicle,” says Dominique Shelton Leipzig, partner, and co-chair ad tech privacy & data management at Perkins Coie. “It’s all about letting consumers know what data is being collected by the company, when it’s being sold and shared for a business purpose, and any third-party data is shared with or any sources of personal data has been used.
The CCPA grants consumers the following rights:
- Right to request a business to disclose the information collected, categories of information collected, categories of third parties with whom the information is shared, categories of sources of the information as well as business or commercial purpose for collecting or selling personal information.
- Right to deletion
- Right to opt-out of the sale of their data for any reason
- Right not to be subject to discrimination for the exercise of rights
- Right to data portability
Additionally, the CCPA also prohibits businesses from selling children’s information under the age of 16. While the GDPR and CCPA both allow similar privileges, individuals also have a right to rectify inaccuracies in their personal data and a right to have personal data erased only in certain cases under the GDPR.
Effective January 1, 2020, organizations have 45 days to respond to any verified consumer request under the CCPA. In the event that a business fails to address a violation within 30 days of notification, the California general attorney may impose a maximum penalty of up to $7,500 for each violation. If there is an unauthorized infiltration of data, consumers can assert a private right of action to recover damages up to $750 per violation.
In contrast, GDPR has a tiered approach to fines with the EU law on data protection and privacy. Depending on the violation occurred, the penalty may be either: 4 percent of the global annual turnover from the prior year or $20 million, whichever is greater, or 2 percent of global annual turnover or $10 million, which is greater.
Companies not in compliance are also subject to greater liability from a litigation perspective.
“California is a highly litigious state,” Shelton adds. “We have a hotbed of privacy litigations, especially around areas of behavioral tracking, which is very much one of the major impetus behind the CCPA. If you look into the initial proposition, Alastair Mactaggart and others were very concerned about the tracking and the profiles that were being developed around California consumers.”
Leveraging GDPR Compliance Measures for the CCPA
If an enterprise has put together a global GDPR program, the company should be in good shape to begin the extra steps that are required for the CCPA, Shelton explains. Inspired by the GDPR, businesses can take this construct of these six phases and apply it to the CCPA.
For example, if a company has already appointed a chief privacy officer or data protection officer for EU data, it might consider adding the pool of California data to the person’s function. If it’s not a possibility to have that same person handle the California flow, it might be worth broadening the team. That way, the data protection officer appointed for the GDPR can help train whoever is going to be the counterpart in California.
“If the company has an enterprise wide approach, where they all use a Salesforce, ADP and/or AWS, then they’ve got a jump start because they’ve already categorized the data flows by operation by the groups and divisions in the company,” Shelton says. “But you probably have not gone into the granularity of identifying which people in the cohorts might be California residents, and that’s work that must be done.”
Why Companies Must Act Now
The CCPA is the beginning of America’s GDPR. A new study by Cisco found only 59 percent of companies report meeting all or most of the GDPR’s requirements today with another 29% expecting to get there within a year.
“I think people learned a lot from the GDPR, which is why this is being discussed early and seriously,” Shelton explains. “Comes January 1, 2020, California residents can request specific pieces of data that were collected the year prior, which GDPR does not have in its law. Companies will need to know how to respond to the 12-month look back within 45 days and determine where their California data is.”
Data privacy and security will be the primary focus on every organization’s agenda in 2019 and beyond, so it’s critical to act now as regulators aggressively prepare to crack down on the largest and most comprehensive privacy and data security law in the country.
Where will your state of readiness be on January 1, 2020? Become CCPA compliant and meet your data privacy challenges with Delphix. Learn how you can achieve regulatory compliance with the Delphix Dynamic Data Platform, delivering your data securely and rapidly across the entire enterprise.