Data protection laws are fast becoming a primary element in any data security conversation: from the EU’s General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA) to South Africa’s Protection of Personal Information Act (POPI), the ability to protect consumer data is top of mind. For companies that are built around consumer data, consumer trust becomes a vital part of their business model.
On May 25, 2018, the EU General Data Protection Regulation (GDPR) went into effect. And in the wake of the EU’s GDPR came another shift in data privacy — the California Consumer Privacy Act (CCPA). On June 28, 2018, Governor Jerry Brown signed the CCPA, which will enact some of the country’s most powerful consumer data privacy protections into law.
With the devastating series of data breach incidents in the past couple of years, many questions and concerns have arisen about the way consumer data is being handled. 2017 was the year of the data breach, with high-profile incidents at companies such as Equifax and Yahoo. Attacks like these make data breaches seem part of normal life, not just in the United States but around the world.
While the GDPR was created to protect residents of the EU, its impact spans much further. The CCPA is an outcome of the GDPR’s reaching influence, shifting government priorities and making them more willing to protect individual privacy. Now that the CCPA has been enacted, it’s important to be aware of the policies and processes necessary for compliance and to analyze the current and future impact it will have in comparison to GDPR.
An overview of CCPA
Businesses have a track record of using personal information to benefit their own agenda: the California Consumer Privacy Act (CCPA) will serve to protect California consumer rights and encourage stronger privacy and greater transparency overall. It will give consumers ownership, control, and security over their personal information – and consumers will have the ability to request that any business disclose (and delete) the personal information that it collects and request that their data not be sold to third parties.
These data protections give California residents the right to:
- Know what personal information is being collected
- Access the personal information that is collected, and request it be deleted
- Know whether their personal information is being shared, and if so, with whom
- Opt-out of the sale of their personal information
- Have equal service and price, whether or not they choose to exercise their privacy rights
Businesses will also be prohibited from selling the personal information of consumers ages 13–16 (unless the consumer opts in). For consumers under the age of 13, consent from a parent or guardian will be required. These new protections not only affect California consumers but also California businesses.
CookieScan has a new feature on the pop-up/banner which will allow your website users to opt out of you selling their personal data, request the data you hold on them, and request any of the other rights they have under the CCPA and GDPR. CookieScan makes your website completely compliant with the CCPA and offers the site user an easy way to communicate their CCPA rights to the website owner.
Website owners should be proud to show their users that they are complying with the requirements of the CCPA and GDPR. They have nothing to fear from customers asking for their rights under the CCPA or GDPR to be exercised. This will give site users confidence in the site’s ability to protect their personal data and in dealing with the site. It could be the difference between making a sale or not.
Who does the CCPA apply to?
The California Consumer Privacy Act defines a business as a for-profit entity that collects consumer personal data. So, if you’re a business in the state of California that meets at least one of the following thresholds, you may be subject to compliance:
- Businesses that earn $25,000,000 or more a year in revenue
- Businesses that annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices for commercial purposes
- Businesses that derive 50% or more of their annual revenue from selling consumer personal information
Under the CCPA, California citizens will have the ability to bring a civil action against companies that do not abide by the law. The state can also bring these charges against a company directly, charging a $7,500 fine for any violation that is not addressed within 30 days.
Why does California’s new law matter to everyone else? It’s part of a global trend pushing companies toward greater accountability for protecting consumer data. Additionally, it has pushed other countries and states towards taking personal data and consumer rights to data privacy more seriously. The chief proponent of the CCPA, Alastair Mactaggart, stated that “While this law just covers California currently, large companies will soon have to offer similar rights to Americans.”
All American states have lodged a bill, are in the process of debating one, or are just about to enact one to protect the privacy of the individuals they deal with. GDPR started the ball rolling on data privacy and the individual’s right not only to have their personal information protected but to have control over it. The CCPA and GDPR give individuals control back and allow them to choose what they want done with their information.
CookieScan is on the side of the individual. It is not only a cookie management system; it also builds data privacy rights into its portfolio and gives site users an easy way to communicate their choices directly to the website owner. The CCPA and GDPR are here to stay and will be the foundations on which other states and countries build their own data privacy laws and protect their residents.
Does this affect non-American companies?
The territorial scope of the CCPA is similar to that of Article 3.2 of the GDPR. We have explained above how the CCPA helps citizens of California when they are dealing with American businesses, but if you offer goods and services to citizens of California, you must also comply with its requirements. You cannot just say, “Well, my business is not American, so I don’t have to worry.” You will be fined in the same way as American businesses.
CookieScan helps you with this. The Geo-Location feature of CookieScan, available to Standard Account holders, will display the correct pop-up/banner for the country in which the site is being used. So, what does this mean in practice? Say your site is being visited from the United Kingdom, California, and Jersey in the Channel Islands, rather than New York. All three jurisdictions have completely different rules covering cookies and different requirements.
CookieScan is your complete cookie management system.
CCPA vs GDPR
The European General Data Protection Regulation is an evolution of the EU’s existing data rules, the Data Protection Directive (DPD). It addresses many of the shortcomings in the DPD, including adding requirements for documenting IT procedures, performing risk assessments under certain conditions, notifying the consumer and authorities when there is a breach, and strengthening rules for data minimization. People who are familiar with the GDPR will notice some strong similarities to the CCPA.
The CCPA is said to be modelled on the GDPR. And, with the recent passage of the CCPA, many people have been wondering how it compares to the GDPR, with some even calling it the American version of the regulation. However much the CCPA may have been influenced by the GDPR, there are some clear differences worth noting between the two pieces of legislation.
Both the CCPA and the GDPR give individuals certain rights to how their personal information is collected and used. However, there are several important contrasts to be aware of. Because California has a much larger economy than the UK, the implications of penalties may be even more severe than that of the GDPR.
What other American Privacy Laws do I need to know about?
With no federal answer to GDPR on the horizon, several other states are taking a page from California’s book by drafting their own regulations to give citizens increased control over their personal data. While most of these bills use the CCPA as a framework, there are differences. We’ve even put together a cheat sheet at the end to compare the different proposed state laws. Let’s first look at two tough privacy proposals coming out of New York and Massachusetts.
Massachusetts Data Privacy Law
The proposed Data Privacy Law (S-120) shares a lot of the CCPA language. Consumer access to personal information? Check. Right to Delete? Check. Explicit notification of privacy rights, and a chance to opt-out of third-party sales of data? Check. A broad definition of personal information including probabilistic identifiers? Check.
There are a few important divergences from the CCPA, which include the right for consumers to sue for any violation of the proposed Massachusetts law. Consumers “need not suffer a loss of money or property as a result of the violation” to bring an action.
Attorneys point out that there is an enormous potential exposure of Massachusetts companies to class-action lawsuits: plaintiffs can recover up to $750 per consumer. For example, in 2017 almost 400,000 Massachusetts residents were affected by data breaches, which, had the law been in effect, would have meant a possible exposure of almost $300 million for that year.
New York Privacy Act
New York’s proposed S5642 (currently on hold) contains some of the hallmarks of CCPA. There’s a right to delete and request personal information. The definition of personal information — “any information related to an identified or identifiable person” — includes a very extensive list of identifiers: biometric, email addresses, network information, and more.
Unlike California and similar to Massachusetts, New York’s act has a private right of action for any violation of the law! And the law applies to all businesses without any revenue threshold, which differs from California and other states. This makes the proposed NY law quite strict.
The NY bill, though, only requires businesses to disclose to consumers the broad categories of information shared with third parties. Under some circumstances, consumers would have the right to request copies of the specific information shared.
Another key difference is that the proposed NY law imposes the role of “data fiduciary”, making all NYS businesses legally responsible for the consumer data they hold. The NY act takes a very expansive view: businesses must “exercise the duty of care, loyalty and confidentiality expected of a fiduciary concerning securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker”. In short: consumers own the data.
The NY act also gives consumers the ability to correct inaccurate information, making it closer in spirit to the EU GDPR. None of the other clones, including California, go that far!
Hawaii Consumer Privacy Protection Act
Hawaii’s SB 418 is similar to the CCPA, offering all of the same major rights and protections (potentially more, based on the current wording of the bill). While the CCPA explicitly applies to websites that conduct business in the state of California, Hawaii’s SB 418 has no similar clause. In theory, websites based anywhere in the world could violate the law if they don’t offer adequate protection as outlined in the bill. However, the bill is likely to be amended in a later draft to focus solely on Hawaii-based websites.
Maryland Online Consumer Protection Act
Maryland’s SB 613 is another bill with the potential to expand on the scope of the CCPA in some areas. Businesses will have similar obligations to disclose information usage, though to a lesser degree than under the CCPA. And like California and Massachusetts, it uses the term “probabilistic identifier” to refer to a certain type of personal information. Go Maryland!
However, this bill goes beyond the scope of CCPA when it comes to disclosing third-party involvement. Under CCPA, companies only have to disclose if consumer information is being sold to a third party, but in accordance with Maryland’s SB 613, companies would have to disclose any information that is passed on to third parties, even if that data is transferred for free. This bill also prohibits websites from knowingly disclosing any personal information collected about children.
North Dakota HB 1485
North Dakota’s HB 1485, which is currently in the state’s House of Representatives, is the most lightweight bill on this list. The only significant clause of HB 1485 would completely restrict websites from passing on any information to third parties without the consent of users. There is no right to have information removed or deleted once consent has been granted.
Read the original article that we used for the content of this article.
To learn more about U.S. data privacy laws, check out this article by www.cloudwards.net.