The California Legislature passed a tough new consumer privacy bill earlier this summer. The question is whether the Golden State now leads the nation in instituting GDPR-type rules, and what compliance with the California law means for businesses in terms of information governance and consumer relations.
Our perspective is that the legislation, called the California Consumer Privacy Act of 2018, is kind of like “GDPR lite.” Some of the rules are similar, but fines and enforcement are much less onerous than those found in Europe’s General Data Protection Regulation, or GDPR.
It’s no surprise that California passed the Act, which takes effect January 1, 2020. The bill appears to have passed as a reaction to the controversies surrounding the sale or use of consumer data by many tech firms, including Facebook, which was roundly castigated for the “use” of 87 million member profiles by the political consulting firm Cambridge Analytica. See Facebook’s Failure and How it Relates to GDPR.
The Act, known by its acronym CCPA, establishes explicit privacy rights for California consumers. Californians will have a right to know what information a business has about them, and they can prohibit companies from selling that information. They also can ask businesses to delete information about themselves.
Consumers will be able to sue companies if a data breach leads to unencrypted information being exposed or stolen. Specifically, California residents will have:
This last point is somewhat nuanced as the Act does allow exceptions by companies to offer better services under certain circumstances to consumers who agree to share their data.
The law applies to businesses that collect consumers’ personal information and that do business in the state if that business also satisfies one or more of the three following conditions:
Interestingly, the California Legislature passed the Act to head off a similar ballot initiative, which had been fueled by some 629,000 citizen-signatures and would have provided broader rights for consumers to sue organizations. The rationale was that legislation would be easier to modify than a citizen-passed initiative to the state constitution.
Both the California Act and GDPR apply to companies located outside their borders, emphasize some of the same broad themes (such as the importance of access and transparency) and—most importantly—will require companies to expend a great deal of effort and resources to achieve compliance. See How to Make it Easier to Comply with GDPR.
However, the similarities between the two end there. Unlike GDPR, the California law doesn’t prevent organizations from collecting people’s information. Nor does it give consumers the option to ask a company to stop collecting personal data.
The fines in the California law are nowhere near as onerous as the maximum €20 million or four percent of annual revenue outlined in the GDPR regs. The CCPA, for its part, gives consumers the right to sue companies for between $100 and $750 per violation if there is an unauthorized breach. And the state attorney general can levy civil fines of up to $7500 per violation—a much, much lower amount than GDPR.
With lighter penalties, it becomes a business decision about the extent to which companies will comply with the Act. Indeed, for some organizations, the cost to comply may not be worth the potential fines.
GDPR is more stringent with regard to how companies must report breaches. There’s nothing quite like that in the California Act. A recent article in Digiday.com explained that the Act does not require companies to obtain user consent to the processing of personal information. But it does require businesses to offer consumers the opportunity to “opt out” of one specific use of their data: the sale of personal information.
That’s different from GDPR. Indeed, the Act presents a potential quandary for companies subject to both laws. To comply with both the European and California laws, a company that sells personal data to third parties may have to implement both opt-in and opt-out choices for consumers.
There are several important ramifications for organizations doing business in California. If a company hasn’t yet gotten its act together for GDPR, it may be high time to do it for CCPA, unless your business doesn’t fall under the Act’s requirements or you’ve decided that the cost of compliance is higher than the risk of getting fined.
Companies will need strong information governance policies and procedures that map data collection, storage and transfer processes. Many will need to (again) update privacy policies. And the companies that fall under the purview of the Act will have to initiate testing and verification procedures. Organizations also will have 45 days to respond to requests for how personal information is being used, and they’ll be obligated to deliver that information twice a year.
I predict that other states will begin to follow California’s lead. There even seems to be a bipartisan push for greater privacy protections in the US Congress, although the likelihood of a federal privacy law like GDPR still seems far off. See my earlier post: Is GDPR Even Needed in the United States?
Whether or not you’re subject to European or Californian law (or both), good information governance practices still make sense for most organizations. Getting rid of information you no longer need makes protecting really important information that much easier. And it also makes compliance with regulations like GDPR and CCPA easier.
You might be interested in the services that Doculabs provides that help you build an Information Governance (IG 2.0) framework. We also can help with overall Program Governance and Global Information Governance.
Want to keep up with Doculabs’ news about GDPR, the CCPA, and other information governance, management and security matters? Subscribe to our every-other-month newsletter.