Why GDPR Compliance Does Not Mean You’re Ready for CCPA

By on

Click to learn more about author W. Curtis Preston.

The California Consumer Privacy Act (CCPA) is not GPDR. If you made sure your company complied with GDPR, the good news is you won’t have to start from scratch for CCPA. But they are very different laws with subtle (and some not so subtle) differences that could end up hurting your company’s reputation and bottom line if you don’t pay attention to them.

I am not a lawyer, nor am I a CCPA specialist. I’ve studied it and the GPDR and my first recommendation is that you immediately hire a CCPA specialist to ensure you’re doing all the right things. That person can give you legal advice specific to your company and its use of personal information. None of my guidance should be deemed a replacement for that legal advice.

What Does the CCPA Protect?

It is a set of regulations that go into effect on Jan 1, 2020, that are intended to enhance the security and privacy of the personal information associated with people residing in California. It applies to any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

A household is defined as a group of people living in the same place. Protecting data that can be associated with a household makes this broader than the GDPR. Even things like IP addresses, account names, and email addresses are covered under these regulations.

What Companies Must Comply?

The CCPA applies only to for-profit companies that collect such data, do business in California, and meet one of the following requirements:

  • You have more than $25 million in revenue
  • You collect data on more than 50,000 subjects living in CA
  • You make more than 50% of your revenue from collecting and selling personal information

What Happens if You Don’t Comply?

The regulations specify a fine of $7,500 per intentional violation and $2,500 per un-intentional violation, along with $100 to$750 of damages payable to each victim. Note that each individual affected by a violation is counted as a violation, so if you had an intentional breach of 100,000 people’s data, your company could pay a fine of $750 million, plus damages of $1 to $7.5 million to the victims of the breach.

As with GDPR, I believe the fines are not the point; they are to get your attention. Even if you aren’t given a large fine, the public relations impact to your company could be large as well. If you are collecting data on California residents, you need to comply with this regulation.

De Facto Standard

California’s is so large that its regulations often end up being the de facto standard for other states. In this case, this may happen because it may be easier to comply with the CCPA for all data, instead of making sure you verify someone’s residency before collecting their data.

Other states may also just follow California’s lead and adopt similar laws. If nothing else, this law will definitely be used as a reference for other states, even to the point of becoming a de facto standard.

What are the Differences Between the CCPA and the GDPR?

There is not sufficient space in this article to cover all the differences between these two regulations. The following are highlights:

  • Households

The CCPA includes data that can be used to identify a household, which makes it broader than the GDPR.

  • Deletion rules are different

The GDPR says that you must delete personal data you are asked to delete unless you have a business or legal reason to keep it. The CCPA seems to go a bit further in specifying what those legal reasons might be. It defines nine different examples, such as data needed to complete a transaction, protect against malicious attacks, and debug your process.

  • Stricter notification

The CCPA says you must notify the consumer at the front end what personal data you will be collecting, what you’re going to do with it – including how you will make money with it. You must also give them the opportunity to opt-out of having their data sold. If you do not do all of that at the time of collecting the data, you must consider them to have opted out of any processing or selling of their data.

  • 12 months back

An interesting wrinkle is that from Jan 1, 2020, consumers can request all data you have collected from them for the past 12 months. This effectively makes the regulation retroactive to Jan 1, 2019.

  • 45-day window

You must satisfy any requests for information within 45-days. 

  • Multiple request methods

Not only must your company comply with any access or deletion requests in a timely manner, you must offer multiple methods for consumers to make such requests. They need to include a toll-free number and a form on your website.

Lingering Questions

There are many unanswered questions about the CCPA, starting with when it will be enforced. While it goes into law Jan 1, 2020, the required comment period on amendments seems to suggest that it will not be able to be enforced until about six months after that. Another question is, “what does it mean to do business in California?” Is it the usual standard of nexus, or something else?  Finally, how exactly will a CA law be enforced against non-California businesses?  This is similar to the challenges experienced by the GDPR when they started fining non-EU companies for violations.

Keep your Eyes Out

Keep your eyes on this regulation and its various amendments as it goes into effect. Your company’s reputation depends on it.

Leave a Reply