California's CCPA Brings EU Data Privacy to the US
By Rich Campagna, Chief Marketing Officer, Bitglass
Over the summer a new data privacy law, the California Consumer Privacy Act of 2018 (CCPA), was passed. Assembly Bill 375 is scheduled to go into effect on Jan 1, 2020, which means there will likely be a lot of change before we see the final, enforced version of the bill.
The net for now?
The US's most stringent data privacy law, CCPA, looks a lot like GDPR, and will likely have impact far beyond the State of California. It also means that companies in all industries are now what we used to refer to as "regulated." That means more focus on data protection tools like data leakage prevention, cloud access security brokers (CASB), encryption, and more.
CCPA: The US's most stringent data privacy law
According to the Bill, the following will be covered by the CCPA:
- Grants consumers the right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
- Requires businesses to make disclosures about the information and the purposes for which it is used.
- Grants consumers the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified.
- Grants consumers the right to request that a business that sells the consumer's personal information, or discloses it for a business purpose, disclose the categories of information that it collects and the categories of information and the identity of third parties to which the information was sold or disclosed.
- Requires businesses to provide this information in response to a verifiable consumer request.
- Authorizes consumers to opt out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
- Authorizes businesses to offer financial incentives for the collection of personal information.
- Prohibits businesses from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to "opt in."
The first half of the list reads much like the corresponding provisions of the EU GDPR. The second half adds some interesting new twists.
GDPR ... with a twist
The prohibition on discriminating against consumers that exercise their right to privacy, unless "the difference is reasonably related to value provided by the consumer's data," is a departure from GDPR regulations. That said, this clause seems far too vague to make it through to 2020 in its current form and will likely be heavily debated by lawmakers and lobbyists alike over the next 18 months.
Additionally, the explicit authorization to offer financial incentives for the collection of personal information is a novel addition, and it remains to be seen how businesses will make use of it. How does "free 2-day shipping if we can sell your personal data to a third party" sound?
The cost of a breach? The bill's private right of action lets a consumer whose nonencrypted or nonredacted personal information is exposed because a business failed to implement and maintain reasonable security procedures recover "not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater." To put that into context, last year's Equifax breach of 145.5 million records would have exposed the company to statutory damages of roughly $14.6 billion to $109 billion. Yikes!
All told, the scope of CCPA's protections looks very similar to the EU GDPR. For organizations that have applied GDPR globally, that will make the path to CCPA compliance much easier. And keep in mind that, like the GDPR, CCPA reaches beyond its home jurisdiction: it applies to businesses that do business in California and handle California residents' personal information, whether or not they have a physical presence in the state. The bill does set thresholds (annual gross revenue above $25 million, or personal information of 50,000 or more consumers, households, or devices per year, or 50 percent or more of annual revenue derived from selling consumers' personal information), but a business that meets any one of them is subject to the law regardless of where it is headquartered.
What other states (and countries) do with their own privacy laws is a totally different story. It is wishful thinking to expect that others will simply copy California and the EU without changes of their own. The result will be either enormously complicated enforcement, or the restriction of services in markets that aren't nearly as large as California and the EU. If Congress were to step up and enact a national data privacy law, it could go a long way toward simplifying that grim picture. Bueller?