How GDPR and the CCPA will define the future of data privacy in the U.S.
The California Legislature recently returned from its summer recess and is busy working on pending amendments to the landmark California Consumer Privacy Act, which will soon go into effect.
As of January 2020, businesses that process data on California residents will have to comply with the CCPA. The state is following in the footsteps of the European Union (EU), which established the General Data Protection Regulation (GDPR) in 2018.
A recent study on the current state of CCPA compliance by TrustArc found that 16 percent of respondents have not started efforts yet, 70 percent have started efforts and only 14 percent are fully compliant. Top reasons for investing in CCPA compliance are to meet partner and customer requirements, meet internal reporting requirements, support company values and protection from fines and class action lawsuits.
California’s privacy law is already spurring other states to develop new legislation. Hundreds of bills that address privacy, cybersecurity and data breaches are pending across the 50 states, territories and the District of Columbia.
California’s bill, which is the most comprehensive state-level legislation yet may likely be a model for the federal government in years to come. According to a recent survey, some 80 percent of CEOs surveyed by the Business Roundtable, which represents the 200 biggest U.S. businesses with a combined payroll of 15 million people, say a federal statute is important.
As more regulations are passed at the state level and eventually the federal level, it’s helpful for businesses to understand the law’s implications - and how it compares to GDPR - to properly prepare.
GDPR vs. CCPA
Businesses that are already GDPR-compliant will enjoy an advantage when meeting CCPA regulatory needs, but they’ll have to apply themselves towards fulfilling the law’s unique requirements.
These unique requirements may form the foundation of what will define future US data privacy law. Comparing the differences between GDPR and CCPA can offer insight into the kinds of regulations other states may pass.
Both the GDPR and CCPA give individuals the right to access and delete personal information collected by service providers.
What’s less stringent?
In some cases, CCPA requirements are not as stringent as their European counterparts:
- CCPA regulation doesn’t require businesses to justify a legal basis for collecting users’ personal data.
- There are no CCPA restrictions on transferring personal data outside of the United States.
- Businesses that collect data on California residents do not need to appoint a data protection officer or conduct impact assessments.
- California residents have the right to access the last 12 months of personal data.
- CCPA places fewer obligations on service providers than GDPR does.
These differences should make CCPA compliance easier to accommodate than GDPR. In particular, the fact that organizations do not need to appoint specialized data protection officers or keep more than 12 months of data will help small businesses maintain compliance.
What’s more stringent?
In some areas, however, CCPA regulation is more stringent than GDPR:
- CCPA regulation specifically defines personal data to include household information, whereas GDPR does not.
- CCPA grants individuals a unilateral right to opt out of the sale of personal data, obliging organizations to add a “Do Not Sell My Personal Information” link on their websites and mobile apps.
- GDPR charges parents with providing consent for the collection and processing of children’s data, relying on the law’s regulatory need for a legal basis. CCPA does not share this legal basis requirement, but it specifically addresses the sale of children’s data, requiring parental consent for children under the age of 13.
From this point of view, it seems clear Californian lawmakers are interested in guaranteeing a more individual-oriented sense of data protection. In Europe, most of the responsibility for data protection falls on service providers, while in America, that responsibility falls on citizens.
CCPA regulation sets a level playing field for citizens to choose what happens with their data and obliges service providers to follow through. CCPA appears to be geared towards helping small businesses successfully manage user data, but they will still need to rely on expert consultants to ensure compliance.
How to establish and maintain CCPA compliance
Organizations that collect, process, or purchase data on California residents will need to implement a broad range of changes to their business processes. Many of these changes will have both external, user-facing elements and internal, systemic elements.
For example, CCPA requires websites to allow individual users to opt-out of all data collection and processing. The process of implementing this change requires websites to offer two parallel paths for user input – one in which they collect data, and one in which data passes through unimpeded.
While CCPA doesn’t require businesses to appoint specialist compliance officers, most mid-sized organizations and enterprises will have to. Implementing CCPA will be a data-intensive process that benefits from expert help.
Some organizations will have a harder time than others. Businesses that have not yet undergone digital transformation may find that some of their manual processes simply do not work in the CCPA structure. The pressure for digital transformation will mount among businesses that need to automate their processes to ensure compliance.
It’s currently unclear how CCPA regulation will fit into a nationwide context, particularly for companies that operate across larger territories. Many states including Washington, New Jersey, and Texas have all proposed their own data protection laws, and it is only a matter of time before the number of data protection regulations that large enterprises need to adhere to multiplies.
Eventually, it’s possible that every state passes its own data protection law. This would place a great regulatory burden on multi-state enterprises.
Instead of complying with a single law in a single territory, they’ll now have to contend with fifty different data protection structures in fifty territories – until a sweeping, federal-level data protection law finally comes along. By understanding and using the CCPA as a model now, businesses will be well-prepared when a national law comes into play.