We’ve all heard of GDPR. In fact, rewind just six months and it’s all anyone was talking about. But, come January 1st, when you hear the terms data privacy, compliance and legislation, we can no longer simply assume the discussion is about GDPR. This is because, just across the pond, California will also begin taking steps to strengthen data privacy and legislation rules with the arrival of ‘America’s GDPR’. That’s right — as of the 1st January, thousands of businesses will be impacted by the California Consumer Privacy Act (‘America’s GDPR’) — the most comprehensive US privacy law to date. For those who already put in the hard work to ensure their data privacy policies met the GDPR standards, there’s a lot less to do to prepare for the CCPA. But, for those who haven’t yet ripped off the bandage and dived right in, there’s a lot of work to be done.
With the arrival of CCPA timed perfectly with the arrival of the new year, it’s up to executives to ensure their businesses are prepared for what’s coming — and to take the appropriate measures now to avoid any penalties, learn from mistakes made in preparing for GDPR — and ensure their businesses start the new year off on the right foot.
‘America’s GDPR’ vs GDPR: What’s the difference?
CCPA is commonly referred to as America’s GDPR, and while there are some similarities — such as individual rights to request, access, and delete personal information — CCPA and GDPR vary in many important details. For starters, GDPR applies to all European data, but is a minimum requirement: individual countries in the EU have their own laws that are often more restrictive. By contrast, CCPA is applicable to California data only and excludes any data that is already covered by a federal law, such as HIPAA or GLBA.
Whilst GDPR protects personal information (PI) that could potentially identify a specific individual — including name, address, telephone number and SSN — CCPA goes beyond this to include product purchase history, social media activity, IP addresses, and household information. Under the CCPA, companies are required to include a single, clear and conspicuous “Do not sell my personal information” link on their homepages, whereas GDPR offers various opt-out rights, each of which requires individual action.
Not only this, but under GDPR, administrative fines can reach 20 million euros or 4% of annual global revenue, whichever is greater. For CCPA, the California Attorney General can fine companies $2,500 per violation or up to $7,500 for each intentional violation. Note that each individual affected by a violation is counted as a separate violation, so an intentional breach of 100,000 people’s data could bring a total fine of $750 million, plus damages of $1M-$7.5 million to the victims. Businesses are granted a 30-day cure period for most violations, but CCPA and GDPR both provide for a private right of action in the case of certain data breaches (i.e., an individual can sue the company directly).
The countdown is on
CCPA is only the beginning of data privacy regulations in the US. To ensure businesses are ready to comply when the calendar turns, there are a few simple steps everyone ought to be putting in place now for handling California-based users, regardless of where you are based.
1. Establish a clear framework for data privacy
Determine how personal information — including categories outlined in the new definition — is collected, processed and stored. As data becomes more decentralised across mobile devices and apps, businesses need an information governance framework that establishes clear and structured policies for responsible data management.
Schedule routine check-ins. Data mapping is not a one-time practice and should be part of daily vendor management and data audit practices. And always have appropriate documentation and audit records in case questions arise.
2. Work with all your teams, collaboratively
Constant monitoring of processes, data inventories, and vendors dealing with data requires a lot of work and often occurs across a variety of teams, meaning it requires support from technical teams, lawyers, and management. Additionally, given that CCPA expanded the definition of PI and requires companies to identify all recipients (shared and sold) of collected PI, lead generation and other marketing practices that may not have been previously reviewed must also be re-examined.
It is easy to put appropriate policies and processes in place — the challenge is enforcement. A highly functional team makes it that much easier to stay in compliance and rapidly respond to requests.
3. Remember to protect your network
When there is an inquiry or request made regarding PI, an intuitive, comprehensive data management system can be critical to locating and eliminating data efficiently. And it should go without saying, but a strong security posture, including strengthening your network edge, hardening systems against potential intrusion and employing encryption technologies, is critical to deterring malicious actors.
The new year is here and with it comes the deadline to comply with ‘America’s GDPR’. With that in mind, each and every organisation operating with Californian data needs to take the time out of their schedules to review current data policies and processes against the requirements of the legislation. If you’ve done this for GDPR, the good news is that there will be only a few simple additions to make.
At the end of the day — this is a great opportunity to have an end of year clear out and get your data management processes up to scratch for a clean start in 2020. As the old cliché goes, ‘no pain, no gain’, and ultimately a little bit of time spent getting this right now will save businesses potentially millions in the future.