Last week, California passed the California Consumer Privacy Act (CCPA) of 2018. It establishes the toughest consumer privacy controls to date in the United States. The act has been hailed as California’s own version of GDPR, a set of consumer privacy protection laws that recently came into effect in the European Union, and it is easy to see why. Although the bills are not exactly the same, this legislation makes it clear that GDPR is having a lasting effect on the global economy.
The bill, AB 375, was passed June 29th by the California state legislature and signed by Governor Jerry Brown. The law was the result of a last-minute attempt to circumvent a stricter citizen initiative that was destined for the November ballot. This was done because ballot initiatives are extremely difficult to amend once approved. On the other hand, the legislative process is built to handle comments and improvements for legislation.
The CCPA affects all companies that do business in California and collect data. According to AB 375, consumers will now have the right to request from businesses the types of data being collected about them. Consumers can request that the data not be sold to third parties, the data be given to them in a portable format, and the data be deleted. Consumers can also initiate civil action if they believe an organization has failed to protect their personal data under the new law. All these mandates mirror similar requirements under GDPR.
Nevertheless, there are key differences between CCPA and GDPR. Businesses will be able to offer financial incentives for the ability to collect consumer data in California, which is not mandated in GDPR. CCPA safeguards consumers—a natural person who is a California resident—while GDPR safeguards persons. GDPR also speaks to Data Controllers and Data Processors while CCPA targets businesses. CCPA forces businesses to add a link to their homepage that says, “Do Not Sell My Personal Information,” and takes them to a page where consumers can opt in or out of the sale of their personal information. GDPR, in contrast, states that subjects must be provided with a clear and understandable explanation about how their data will be used. Regardless of these differences, CCPA, along with GDPR, will have a lasting effect on many businesses.
The CCPA will dramatically change how businesses handle consumer data in California. Big tech companies such as Google and Facebook will have to make major adjustments to how they handle their consumers’ data; otherwise, they risk facing sizable penalties for noncompliance. Many in the tech industry worry that the law will impact their ability to innovate on behalf of consumers. Others argue that they should be able to do so without collecting massive amounts of consumer data.
Over the next 18 months, many tech companies will have to change their protocols to meet AB 375 requirements. Since some of these requirements are similar to those required by GDPR, many companies will not have to start their compliance measures from scratch. Microsoft, for example, has promised to comply with GDPR everywhere in the world they do business. This means GDPR is already having a global impact on business operations.
Other organizations have responded to GDPR much differently. Some media outlets, for example, blocked European Union consumers from viewing their websites in response to GDPR. This means they will have to either do the same in California or find a suitable response to comply with consumer data privacy laws.
Consumer privacy is here to stay. GDPR started it all and is already having a lasting effect on the global economy after being in effect for a little over a month. It is clear with GDPR and CCPA that governments are taking data privacy very seriously. Companies must either get on board with privacy measures or risk huge fines. Even worse, they could risk destroying their businesses by not cooperating with these consumer-minded initiatives.