If GDPR is the unification of data privacy laws across Europe, could the California Consumer Privacy Act of 2018 (CCPA) serve the same role in the U.S.? While many privacy advocates hope it does, there’s no question that there is still much work to be done on CCPA before the new California law truly paves the way to a federal data privacy law.
What is CCPA?
CCPA was signed into law on June 28, 2018 and will go into effect January 1, 2020. Under California law, citizens can propose new laws and can incite a vote if they have enough signatures. That’s how CCPA was brought into play – and very quickly made into a reality. As it stands, the law currently provides California residents with four basic data privacy rights:
- The right to know which personal information a business is collecting about them, where it’s being sourced, what it’s being used for, whether it’s being disclosed/sold and if so, to whom
- The right to opt out of allowing a business to sell their personal information to third parties
- The right to have a business delete their personal information, with a few exceptions
- The right to receive equal service and pricing from a business even if they exercise their privacy rights
Unlike GDPR, CCPA comes with a narrower scope to whom the data privacy requirements apply. CCPA impacts any company that does business in the state and meets one of the following criteria:
- annual gross revenues over $25 million
- receives/discloses the personal information of 50,000 or more CA residents
- derives 50 percent or more of their annual revenues from selling CA residents information
Violation comes with a civil penalty of up to $7,500 per incident and gives consumers the ability to seek damages either individually or collectively.
CCPA in 2019
Starting in January 2019, the Attorney General (AG) of California has been holding forums across the state to gather comments from the interested public. The input gathered during this rulemaking process — which is set to end on March 8 — will then be considered as legislators draft CCPA rules in the coming months. The first draft of CCPA regulations is expected to be published this fall whereby another public comment period will be scheduled.
CCPA is by no means final, yet already several copycat laws are popping up across the country —Massachusetts, Rhode Island, Washington and New York have all introduced their own state laws too. Other state AGs have said they will take California’s lead on data privacy. Separately, a couple of data privacy bills have been introduced – one back in December by a group of 15 Senators and another by Florida Senator Marc Rubio last month.
The evolving patchwork of U.S. data privacy laws begs the question – when will federal lawmakers finally step in and address consumer privacy rights as was done in the EU with GDPR? Tech giants Cisco, Apple, Facebook and Google recently joined forces calling for this. CCPA and others like it are building awareness and driving momentum for the effort.
Regardless, it’s increasingly important to pay close attention to the legislative landscape as compliance fees continue to climb. Perhaps equally as important though, companies should be taking a stand on data privacy because it’s morally, ethically and legally the right thing to do. It also makes good business sense. Consumers want to do business with companies they trust. In California at least, they are the ones driving data privacy into law.
If you would like more information on how you can be sure your organization is doing what it can to protect the data in its care, download our new eBook The C-Suite’s Moral, Ethical, and Legal Responsibility to Protect PII.