The California Consumer Privacy Act (CCPA) is seen by many as the beginning of an “America’s GDPR” movement. Enacted in June 2018, the law took effect on January 1, 2020, and has been fully enforced since July 1, 2020. The CCPA is a response to the major data breach incidents of the last few years, the Cambridge Analytica scandal being the most prominent, which pushed the state of California to develop and pass the legislation quickly.

While California is the first state to pass a data privacy law in the United States, this move is expected to set a precedent for other states. Just like the GDPR, the main aim of the law is to give California consumers more control over the personal data that companies collect about them.

The CCPA gives Californians the right to:

  • Know what personal information is being collected

  • Access the personal information that is collected, and request it be deleted

  • Know whether their personal information is being shared, and if so, with whom

  • Opt-out of the sale of their personal information

  • Have equal service and price, whether or not they choose to exercise their privacy rights

GDPR vs CCPA: Know the difference

Effective Date

CCPA: Jan 1, 2020

GDPR: May 25, 2015

Who is protected?

CCPA: California residents (consumers) who are subject to California taxation:

  • Customers of household goods and services

  • Employees

  • Business-to-business transactions

GDPR: Any person (data subject) who resides in the EU.

Which businesses are affected?

CCPA: For-profit or not-for-profit organizations that:

  • Have an annual revenue of $25M or more

  • Buy, sell, or share data from at least 50k California citizens

  • Earn more than 50% of revenue from the sale of personal data

GDPR: For-profit organizations:

  • Any company that collects or stores data from EU citizens or residents.

  • Buy, sell, or share data from at least 50k California citizens

Personal Information

CCPA: Defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly, with a particular consumer or household.” This includes not only identifiers like name or address, but extends to browsing history, behavioral data, and more.

GDPR: Defined as any information relating to an identified or identifiable natural person, directly or indirectly. This usually means data like address, license plate numbers, SSN, blood type, bank account information, and more.

Rights Granted

CCPA:

  • Right to be informed

  • Right to deletion

  • Right to access

  • Right to opt-out

  • Right to non-discrimination

  • Right to data portability

GDPR:

  • Right to be informed

  • Right to access

  • Right to rectification

  • Right to be forgotten

  • Right to restrict processing

  • Right to data portability

Responding to rights requests

CCPA: A business must:

  • Comply with a verifiable consumer request (as defined in Cal. Civ. Code § 1798.140(y)).

  • Respond within 45 days after receipt, potentially extendable once for another 45 or 90 days on customer notification.

  • Inform the consumer of the reasons for not taking action.

  • Provide the information free of charge, unless the request is manifestly unfounded or excessive.

  • Consumers may only make most information requests twice a year and only for a 12-month look-back. There are no limits on deletion and "do not sell" requests.

GDPR: A data controller must:

  • Verify the identity of a data subject before responding to a request.

  • Respond to requests without undue delay and at the latest within one month, extendable for up to two more months if necessary after data subject notice.

  • Give reasons if the data controller does not comply with any requests.

  • Requests do not have to be free to data subjects.

Opt-out Rights

CCPA: Businesses must provide a "Do Not Sell My Personal Information" option on websites and mobile apps. Customers can opt out of third-party information sharing.

GDPR: Businesses do not necessarily need the individual's consent to collect and use data, in which case the individual does not have a specific right to opt out of sales of personal data. However, they can opt out of the processing of their data for marketing purposes.

Non-compliance penalties

CCPA: $7,500 per violation if intentional, $2,500 for those lacking intent, and $750 per affected user in civil damages

GDPR: 4% of global annual turnover or 20 million euros, whichever is higher

Cure Period

CCPA: Grants businesses a 30-day cure period for noticed violations.

GDPR: No cure period.

CCPA and IT security

Compared with the GDPR, the CCPA demands relatively little in terms of security requirements and breach notification. However, it takes a broader view of what constitutes private data.

The CCPA does not define specific technical requirements, beyond encryption and redaction, for how customer data must be stored and secured. It does, however, give consumers the right to take action over data breaches that result from a company's failure to secure their personal data. To this effect, consumers can sue companies that do not meet the privacy guidelines, even if no breach resulted. However, both the GDPR and the CCPA state that litigation applies only to unencrypted sensitive data that is disclosed or lost, for whatever reason, which makes data encryption an important privacy-protection component for businesses.

As an award-winning, globally trusted IT security company, Sophos recommends that organizations follow the security best practices below to stay within the CCPA compliance checklist.


What are you waiting for?

Let our experts at Sophos help to build the right solution for your needs.

This is not an exhaustive review of all elements of the Regulation, nor is it legal advice. Please consult your own legal experts if required.