The California Legislature passed a tough new consumer privacy bill earlier this summer. The question is whether the Golden State now leads the nation in instituting GDPR-type rules, and what compliance to the California law means for businesses in terms information governance and consumer relations.
How California's new privacy act differs from GDPR.
Our perspective is that the legislation, called the California Consumer Privacy Act of 2018, is kind of like “GDPR lite.” Some of the rules are similar, but fines and enforcement are much less onerous than those found in Europe’s General Data Protection Regulations or GDPR.
It’s no surprise that California passed the Act, which takes effect January 1, 2020. The bill appears to have passed as a reaction to the controversies surrounding the sale or use of consumer data by many tech firms, including Facebook, which was roundly castigated for the “use” of 87 million member profiles by the political consulting firm Cambridge Analytica. See Facebook’s Failure and How it Relates to GDPR.
The new California privacy establishes explicit privacy rights.
The Act, known by its acronym CCPA, establishes explicit privacy rights for California consumers. Californians will have a right to know what information a business has about them, and they can prohibit companies from selling that information. They also can ask businesses to delete information about themselves.
What California consumers can ask of companies.
Consumers will be able to sue companies if a data breach leads to unencrypted information being exposed or stolen. Specifically, California residents will have:
- The right to know what personal information is being collected about them;
- The right to know whether that personal information is sold or disclosed and to whom;
- The right to delete and to say “no” to the sale of personal information;
- The right to access personal information; and
- The right to receive equal service and price from the organization that held the data, even if privacy rights created by the CCPA are exercised by the consumer.
This last point is somewhat nuanced as the Act does allow exceptions by companies to offer better services under certain circumstances to consumers who agree to share their data.
The California Consumer Privacy Act applies to specific businesses.
The law applies to businesses that collect consumers’ personal information and that do business in the state if that business also satisfies one or more of the three following conditions:
- Annual gross revenues in excess of $25 million;
- Buys, receives for commercial purposes, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or
- Derives half or more of its annual revenue from selling consumers’ personal information.
Interestingly, the California Legislature passed the Act to head off a similar ballot initiative, which had been fueled by some 629,000 citizen-signatures and would have provided broader rights for consumers to sue organizations. The rationale was that legislation would be easier to modify than a citizen-passed initiative to the state constitution.
How the California privacy legislation differs from GDPR.
Both the California Act and GDPR apply to companies located outside their borders, emphasize some of the same broad themes (such as the importance of access and transparency) and—most importantly—will require companies to expend a great deal of effort and resources to achieve compliance. See How to Make it Easier to Comply with GDPR.
However, the similarities between the two end there. Unlike GDPR, the California law doesn’t prevent organizations from collecting people’s information. Nor does it give consumers the option to ask a company to stop collecting personal data.
The fines in the California law are nowhere near as onerous as the maximum €20 million or four percent of annual revenue outlined in the GDPR regs. The CCPA, for its part, gives consumers the right to sue companies for between $100 and $750 per violation if there is an unauthorized breach. And the state attorney general can levy civil fines of up to $7500 per violation—a much, much lower amount than GDPR.
It's a business decision about whether to comply with the new California privacy law.
With lighter penalties, it becomes a business decision about the extent to which companies will comply with the Act. Indeed, for some organizations, the cost to comply may not be worth the potential fines.
GDPR is more stringent with regard to how companies must report breaches. There’s nothing quite like that in the California Act. A recent article in Digiday.com explained that the Act does not require companies to obtain user consent to the processing of personal information. But it does require businesses to offer consumers the opportunity to “opt out” of one specific use of their data: the sale of personal information
That’s different than GDPR. Indeed, the Act presents a potential quandary for companies subject to both laws. To comply with both the European and California laws a company that sells personal data to third parties may have to implement both opt-in and opt-out choices for consumers.
Because of the California privacy legislation, good information governance becomes more important than ever.
There are several important ramifications for organizations doing business in California. If a company hasn’t yet gotten its act together for GDPR, it may be high time to do it for CCPA, unless your business doesn’t fall under the Act’s requirements or you’ve decided that the cost of compliance is higher than the risk of getting fined.
Companies will need strong information governance policies and procedures that map data collection, storage and transfer processes. Many will need to (again) update privacy policies. And the companies that fall under the purview of the Act will have to initiate testing and verification procedures. Organizations also will have 45 days to respond to requests for how personal information is being used, and they’ll be obligated to deliver that information twice a year.
Should there should be a 50-state United States privacy law like GDPR?
I predict that other states will begin to follow California’s lead. There even seems to be a bi-partisan push for great privacy protections in the US Congress, although the likelihood of a federal privacy law like GDPR still seems far off. See my earlier post: Does the US Need GDPR?
Whether or not you’re subject to European or Californian law (or both), good information governance practices still make sense for most organizations. Getting rid of information you no longer need makes protecting really important information that much easier. And it also makes compliance with regulations like GDPR and CCPA easier