Last year, the world of privacy and security compliance was obsessed with one key date: May 25, 2018, the day the European Union’s General Data Protection Regulation went into effect, mandating sweeping changes in the ways organizations handle the personal data of individuals in the EU.
This year, we have a new date on the horizon. On Jan. 1, 2020, the California Consumer Privacy Act takes effect, enacting similar regulations on the ways organizations handle the personal information of California residents. The CCPA and GDPR are based on a common set of privacy principles, requiring many organizations to modify and expand the scope of their existing practices to cover both regulations.
Who and What Does the CCPA Cover?
The CCPA applies to any for-profit business that does business in California, collects California consumers’ personal information (or has it collected on its behalf), determines the purposes and means of processing it, and satisfies at least one of the following criteria:
- Has annual gross revenue over $25 million
- Annually buys, receives, sells or shares, for commercial purposes, the personal information of 50,000 or more consumers, households or devices
- Derives 50 percent or more of its annual revenue from selling consumers’ personal information
As a state law, the CCPA claims jurisdiction only over the personal information of California consumers, which it defines as California residents: anyone in California for other than a temporary or transitory purpose, as well as anyone domiciled in California who is outside the state for a temporary or transitory purpose.
Preparing for a New Compliance Obligation
Organizations that recently completed GDPR compliance efforts will find themselves well situated to begin their CCPA compliance programs. Both laws cover a range of similar topics, including notice of privacy practices, regulation of data transfers, consumers’ rights to access their personal information, request its deletion and object to or opt out of its sale, and the establishment of privacy governance practices.
While the GDPR and CCPA share a common spirit, there are important nuances that distinguish the two laws. For example, the CCPA applies to a much narrower set of organizations than the GDPR and allows businesses a broader range of grounds for refusing a consumer’s request for data deletion. Organizations seeking to expand their existing GDPR compliance programs to cover the CCPA as well should consult with their attorneys and conduct a gap analysis specific to the organization’s business context. Thomson Reuters offers a convenient comparison chart that breaks down the differences between the two regulations.
If your organization does business in California and you haven’t begun your CCPA compliance program, you’re already behind schedule. Barring any action by the courts, the law goes into effect in a few months, and compliance requires a careful review of an organization’s privacy practices, an inventory of the personal information it collects, and the implementation of procedures for handling consumer access, deletion and opt-out requests within the statutory deadlines. The intent behind the CCPA is to inspire organizational and cultural change; therefore, by design, there is no quick, easy fix.
When the GDPR was first rolled out, we saw a wave of enforcement actions as regulators got up to speed with the new law and attempted to send a message that they were serious about compliance. Expect similar actions in California once the state Attorney General’s enforcement authority begins on July 1, 2020, when regulators will seek to underscore the importance of the new privacy law. Take action now to prevent your organization from becoming one of the first targets of CCPA enforcement. Typically, states like California set the tone for the country, so expect to see more state-level consumer privacy statutes until Congress acts on a broader national approach.