In 2017, The Economist published an article that claimed that data had surpassed oil as the world’s most valuable commodity. To Californians, this likely rings true perhaps more than in most other places, as the Golden State is home to a booming tech industry, Silicon Valley, and billions of dollars that are invested annually in a startup economy.
This entire sect of the economy depends on data to thrive, even to survive. Data is sensitive, and it can leave people vulnerable if it’s exposed to wrongdoers. That’s why it needs to be protected, and that’s why the California Consumer Privacy Act, or the CCPA law, is set to take effect on January 1, 2020.
What is the CCPA? To those who follow such things, the CCPA law is, basically, California’s version of the GDPR. What is the GDPR? It’s a law that was passed by the European Union Parliament that protects the data of its citizens. It went into effect in May of 2018, and its jurisdiction in many ways reaches across the globe, creating the need for businesses to obtain advice from GDPR lawyers.
Kam Law Firm works with clients to make sure that they are compliant both with the GDPR and the CCPA. Below you’ll find an overview of each.
The CCPA Law Briefly Explained
The CCPA law has a lot in common with its European counterpart, which is at least partially why it’s commonly known as the “California GDPR.” It was signed into law in June of 2018 and fully goes into effect next year. For both CCPA and GDPR, it isn’t just about updating your Privacy Policies to provide the appropriate disclosures, though that is an important part of it.
The way a company manages data internally and how it shares that information with third parties is a huge component if your company is subject to CCPA. Whether or not CCPA applies to your company, data protection laws are being implemented state to state, week to week, so being in the know isn’t an option if you are a web-based company or you collect consumer personal information.
The CCPA applies to companies doing business in California (including web-based companies that might touch California consumers) that meet or exceed one of the following thresholds:
- Annual gross revenues of $25 million;
- Obtaining personal information from 50,000 or more California residents, households, or devices annually; or
- 50% or more annual revenue is derived from selling California residents’ personal information
Some of the major requirements of the CCPA include:
- A right to know what data a company is collecting;
- Clearly disclose to a consumer on its Website that it collects personal information at or before collection;
- Upon consumer request, the specific consumer personal information collected about that consumer including:
- Categories of personal information;
- Specific data relating to that person;
- Categories of sources from which the personal information was collected; and
- The business or commercial purpose for collecting that information
- The categories of third parties with whom the business shares personal information.
- A right to opt-out of the sale (broadly defined so that any sharing of information with any third party, including affiliates, except in limited circumstances, constitutes a sale) of personal information; and
- A right to delete personal data.
Differences Between the CCPA and the GDPR
In many ways, the CCPA can be considered the California GDPR. However, there are three important differences between these laws to keep in mind:
- Jurisdiction – The GDPR asserts jurisdiction of any company that deals with personal data of EU citizens. The CCPA also governs companies dealing primarily with personal information, but otherwise only asserts jurisdiction over California companies who meet certain requirements as noted above.
- Consumer Rights – The GDPR covers all data concerning EU citizens, almost regardless of circumstance. Like GDPR, the CCPA governs the consumer data, but it reaches beyond GDPR, protecting the data that could be reasonably related to the household. While GDPR violations are handled by regulators, CCPA allows both the Attorney General’s office and individual consumers the right to pursue claims.
- Penalties – Penalties for violating the GDPR can reach €20 million or four percent of a business’ gross annual revenue. Under the CCPA, violators are fined on a per-violation basis. Violating companies can be fined up to $7,500 per violation, or per person whose data is compromised. This can add up to more $23 million, as there is no cap on these fines.
The Importance of Compliance
The emergence of these regulations is just another example of how business law continues to change at a break-neck pace. Fortunately, those companies that are already practicing GDPR compliance have taken substantial steps towards CCPA compliance, despite their differences. However, compliance with one does not mean compliance with the other, and in that sense, the “California GDPR” moniker is somewhat misleading and potentially risky for those who assume that there is nothing to worry about come January 1, 2020.
If you deal with consumers’ personal information and you’re concerned either about the GDPR, the CCPA or both, you need to take immediate steps to make sure that you’re in compliance. You can do so by seeking the advice of a business privacy attorney who understands how to handle this, both in terms of achieving compliance and in maintaining it. Contact Kam Law Firm today to schedule a complimentary initial consultation.