Following the precedent set by the European Union’s GDPR (General Data Protection Regulation), another landmark privacy regulation went into effect January 1, 2020.
The CCPA (California Consumer Privacy Act) aims to protect the privacy of consumers in the state, home to Silicon Valley and tech giants such as Google, Facebook, Apple and many others. This law paves the way for other US states to roll out similar legislation to protect consumer privacy, setting a precedent for stricter overall US data protection standards.
Indeed, it appears that the scope of the CCPA will create a stir, just like GDPR did, when we look at the law’s security and compliance requirements.
What is the CCPA and How is It Different from GDPR?
At its core, the CCPA is a data protection law intended to ensure that the privacy rights of internet users in California are seriously enforced, and that consumers have the authority to control access to and use of their personal data. Its central focus is similar to that of the GDPR.
Organizations that are GDPR compliant may already meet most of the CCPA requirements. The CCPA does, however, contain very specific guidelines of its own, so GDPR compliance alone is insufficient to claim adherence to the CCPA as well.
Some of the instances where the CCPA differs from the GDPR:
- GDPR mandates the appointment of Data Protection Officers and solidifies accountability requirements for data protection measures. Conversely, the CCPA does not focus specifically on accountability-related obligations, although a few provisions exist (such as having trained staff to deal with consumer data requests).
- The CCPA imposes more stringent transparency obligations than the GDPR, such as requiring a ‘Do Not Sell My Personal Information’ link to be placed on the home page of organizations that fall within the law’s ambit.
- The CCPA also has clear provisions on data transfer obligations following mergers and acquisitions, and grants consumers the right to opt out if any third party in the data transfer chain alters personal information and continues to use or sell it; the GDPR does not lay out either of these.
How Does the CCPA Empower Consumers?
- Consumers can specifically request details of the data an organization has collected about them, such as the exact personal information collected; the techniques used to store the data; the organization’s justification for collecting that data; and the third-party services that have access to the data.
- Consumers can opt out of their data being sold to third parties, and businesses can’t retaliate by changing the price or level of service.
- Upon request, consumers can get their collected personal data deleted from an organization’s data stores with appropriate acknowledgement.
How Can Online Businesses Comply With the CCPA?
The CCPA requires all organizations covered by the Act to adhere to the provisions in its final version. Organizations therefore need to reform their current practices and policies so that they extend beyond the scope of the GDPR to cover the CCPA as well. Key changes include:
Reorganize the data collection process: Because the Act permits consumers to place data requests freely, organizations should make the data collection process easy to manage so that such ad hoc requests can be supported. The action plan for quickly identifying, compiling and conveying the requested information to consumers should be formalized.
Promote awareness of data protection rights: The CCPA has categorically stated specific data protection obligations including:
- Offering a clear and conspicuous link on the website’s home page titled ‘Do Not Sell My Personal Information,’ directing state residents to a web page through which they (or their authorized representative) can opt out of the sale of their personal information.
- Ensuring that every person who has access to or processes consumers’ personal information is fully aware of, and understands, all applicable regulations and protection standards.
- Implementing processes to verify the identity and authorization of persons making requests for data access, deletion, or portability.