Data breaches have become a common topic in the news. During the first six months of 2018, an average of 291 records were stolen or exposed every second. Despite the fact that data breaches have increased, the amount of consumer data that is being collected has also continued to increase. This increased data collection could be due, in part, to the fact that global digital advertising sales reached a record $251 billion in 2018 and are on track to represent over 50 percent of all global advertising sales by the end of 2019. Companies have struggled to responsibly collect and protect consumer data on their own which is why governments have started to take a more active role in trying to put their own regulations in place.
California has recently signed a new consumer privacy law that has the potential to drastically change how companies in the United States handle customer information. The new law, called the California Consumer Privacy Act (CCPA), was signed in June of 2018 and will go into effect in January of 2020, with some exceptions. This new law gives consumers control over data collected on themselves and the ability to find out what companies are actually doing with that data. The CCPA puts forth a number of new regulations and rights:
- Right to request from companies: what data is being collected about you, where data is collected, what is being done with the data, other entities the data is being shared with, and whether it is being sold or shared with third parties
- Access to the information collected in a readable and downloadable format
- Right to ask companies to delete any data collected in the last 12 months, with some exceptions
- Right to opt-out of data collection and still receive the same quality of service
- Right for those under 16 years old to give their consent or their parent’s consent to opt-in to data collection
- Right to collect statutory damages from data breaches, without having to prove actual damages
- Fines of $7,500 for each intentional violation and $2,500 for each unintentional violation
Companies that must comply with Europe’s GDPR have extended some of the rights granted by that law to countries not covered by GDPR for various reasons. It is highly likely that California’s new law will have a similar effect on the rest of the United States or that other states will begin to implement their own data privacy laws.
GDPR v. CCPA
GDPR and CCPA have a number of similarities but when you look at the specifics they are very different laws. Being in compliance with GDPR does not directly translate into compliance with CCPA or vice-versa. Both regulations have an expanded definition for what kinds of data are protected but the CCPA takes a broader view by including households and devices. Other similarities between the CCPA and GDPR include the right to access data collected by companies and the right to ask for the deletion of that data.
GDPR is much more comprehensive due to the fact that it regulates areas that the CCPA does not and it applies to almost any company that processes EU data, where as California’s privacy act only applies to for-profit entities which have revenue over $25 million, receive/sell/share personal information on 50,000 consumers/households/devices, or that receive 50 percent of their revenue from selling personal information. Another major difference, which may make it challenging for companies to comply with both laws, has to do with consumer consent. GDPR requires users to opt-in to allowing companies to collect and process their personal information while the CCPA requires users to opt-out in order to prevent the sale of their personal information. These two conflicting requirements may require companies to implement different procedures depending on where the user is located and where the data is being processed.
Turning Challenges into Opportunities
Giving users the right to request all information from the past year that a company has collected from them and the right to have that information deleted presents a very real challenge. Many companies do not have a holistic view of the different types of data they collect about consumers and may not know exactly where that data that is being stored or which systems are being used to process it. The CCPA requires that a company respond to consumer requests in 45 days, while also allowing time extensions in some cases, which means processes must be in place to quickly resolve these requests while keeping an audit trail of any data that is deleted.
With less than a year until this law goes into effect, companies will soon start scrambling to create and enforce these new policies. This presents an opportunity for companies to evaluate their own data collection practices and make improvements.
For another resource from Capgemini about the CCPA, visit the link below: