It’s clear data privacy laws are fast becoming a primary element in any data privacy conversation. In last year’s blog series, we discussed the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. Shortly after GDPR came into effect, California passed its own privacy bill: the California Consumer Privacy Act (CCPA), which Governor Jerry Brown signed on June 28, 2018. Given the timing, the passing of CCPA led a lot of organizations to believe that if they were GDPR compliant, they would also be CCPA compliant. Unfortunately, with the devastating series of data breach incidents in the past couple of years, many questions and concerns have arisen about the way consumer data is being handled. This has led to somewhat different approaches to handling data privacy. While the CCPA and GDPR have a number of similarities, there are some important distinctions that organizations will have to prepare for in order to be CCPA ready. I’m hoping to highlight the differences that will most impact Return Path clients and email marketers around the world.
To start, let’s look at the applicability of the law. Like GDPR, the impact of the CCPA is expected to be global; however, the overall scope of the two laws is somewhat different. The table below outlines the types of businesses that will have to comply with each law:
Despite the applicability of the laws being somewhat different, because both laws only protect individuals who are either located in or residents of specific areas, companies will now face a similar predicament when determining their CCPA compliance plan: implement the law across the board, or create specific processing rules for data subjects in California. This will create many of the same logistical problems that organizations faced for GDPR. If they do decide to implement processing rules by region, companies will have to identify data subjects by state and create different user experiences specific to those individuals. It’s also important to consider that the CCPA protections follow California residents, even when they’re outside of the state of California. This adds yet another layer of complexity when determining how to comply with the law.
Once organizations determine the logistics of complying with regional laws, it’s time to further understand the goals of the GDPR and the CCPA. The overall goals of both are well aligned: to ensure companies handle individuals’ data responsibly and provide control and transparency to data subjects. To accomplish this goal, however, the CCPA and GDPR take very different approaches. The table below helps demonstrate the differences.
Throughout the CCPA text, readers will see many mentions of the sale of data. We see this as a fundamental difference between the two laws. Where GDPR focuses on the processing of personal data regardless of the type of processing operation, the CCPA requires explicit notice of the sale of data and the ability to opt out. Prior to GDPR, organizations had to ensure they had an appropriate legal basis for processing individuals’ data. Much of this required updating consent and disclosure notices so that organizations would inform individuals about what data was being collected and how it was being used before the subject provided that information. Under the CCPA, aside from understanding what is being done with individuals’ data, organizations that sell data will now have to prominently display a “Do Not Sell My Personal Information” link on their homepage. This is going to require a process separate from typical opt-out requests, one that allows all California users to opt out of the sale of their data to any third-party company. Taking this one step further, the CCPA broadly defines selling as “renting, disclosing, releasing, disseminating, making available, transferring, or otherwise communicating personal information for monetary or other valuable consideration.” This means “selling” does not necessarily require a payment in exchange for personal information. While the GDPR does not make this distinction, the data maps created as a result of GDPR preparation can prove instrumental in understanding where in your organization these practices might be taking place.
Now I’m sure you’re saying to yourself, “I get there are differences, but I’m GDPR compliant, so does it really matter if I take a few extra steps to comply with CCPA? I’m mostly there.” YES, IT DOES! The final item I want to highlight is the penalties covered by each law:
Although the means of calculating the fines differ greatly, it’s clear that violating either law could result in significant economic liability for organizations.
With GDPR fines of up to €50M ($57M) already issued, it’s apparent that government bodies aren’t wasting time imposing huge penalties on organizations for infringing on privacy rights. But what about consumers? The CCPA now allows consumers, under certain circumstances, to bring suit where their non-encrypted or non-redacted personal information has been subjected to unauthorized access, exfiltration, theft, or disclosure. Let’s look at the Google breach under these circumstances. Google has over 500M users; even if only 2M of those users are residents of California, Google could see $200M–$1.5B in costs from consumers exercising their private right of action. On top of that, the California Attorney General could issue additional fines, costing Google even more.
We’re hoping this highlights the importance of preparing your organization for CCPA. Although the CCPA is not set to take effect until January 1, 2020, compliance with the law takes a significant amount of implementation time and cannot be left to the last minute. Despite their differences, GDPR has provided organizations with a great stepping stone to being prepared for CCPA. Let’s take advantage of all the hard work we put into preparing for GDPR and ensure we take the next steps to be fully prepared for the CCPA!
Stay tuned to the Return Path blog for more in our CCPA series to hear about