From 1 January 2020, the CCPA will affect companies based in, or conducting business with, firms or individuals in California. Here's what organisations need to know.
Due to the state's economic significance, California has long been influential in setting the international regulatory agenda. In the months ahead, it looks set to affirm this role again.
Signed into law on 28 June 2018 and taking effect on 1 January 2020, the California Consumer Privacy Act (CCPA) will affect companies based in, or conducting business with, firms or individuals in California.
Will the CCPA apply to your organisation?
The CCPA applies to a "for profit" business that collects Californian residents' personal information and meets any one of three thresholds.
The first is size: it covers any organisation "doing business" in California with annual gross revenues of more than $25m.
The second is volume, and it catches much smaller organisations: any business that annually buys, receives, sells or shares (for commercial purposes) the personal information of 50,000 or more consumers, households or devices. Devices count in their own right, so if you hold records for 50,000 connected products you have sold (e.g. cars, fridges, phones), the CCPA will apply to your organisation even if the revenue threshold is not met.
The third is business model: any organisation that derives 50% or more of its annual revenue from selling consumers' personal information.
It's fair to say that most global businesses will fall into at least one of these categories, and they should be concerned, because the penalties for non-compliance can be severe.
The CCPA provides for both civil penalties enforced by the state and a private right of action for individuals. The private right of action applies to data breaches of non-encrypted and non-redacted personal information that result from a failure to implement reasonable security, and statutory damages run up to $750 per consumer per incident. So, if your organisation suffers a breach of that kind which leaks a million individual records, you could be looking at a theoretical exposure of $750,000,000 before any civil penalties are added.
Plus, it's important to consider the global damage to trust an organisation will suffer should it be found non-compliant. Many other US states and national legislatures are implementing new data privacy laws, producing a complex worldwide set of regulations that global organisations must manage effectively; the CCPA is just one more example. Navigating this complex and differing set of privacy rules is likely to be a significant and ongoing challenge for organisations.
How to mitigate the risks
The CCPA imposes a series of obligations on businesses, chiefly around transparency and honouring consumers' choices about their data. Unlike the GDPR, it is built mainly on opt-out rather than consent: consumers must be able to opt out of the sale of their personal information (with opt-in consent required for children under 16). It also gives individuals a range of rights, including the right to know what personal information is collected and how it is used, the right to access that information, the right to deletion, and the right not to be discriminated against for exercising these rights.
To manage the risk, the organisation must first identify and understand the personal data it processes, and the data it may have processed in the preceding 12 months, since requests to know can reach back over that period.
It must then examine the controls it has in place to ensure it meets these obligations. This includes security systems, data lifecycle management and third-party relationships, since data shared with service providers and other third parties falls within scope.
We often find that businesses fall at this "first hurdle" by failing to have a robust and in-depth process for the ongoing documentation and management of the organisation's personal data assets. Frankly, they are often unaware of the data that they are responsible for.
GDPR vs CCPA – what can we learn from the enforcement of European privacy laws?
The GDPR was a wake-up call for organisations in Europe.
GDPR penalties have a different structure from the repercussions in the CCPA, and are only just starting to be applied. However, the proposed penalties issued to date are in some cases severe: in July 2019 the UK Information Commissioner's Office announced intentions to fine British Airways and Marriott International roughly £183m and £99m respectively for breaches under the GDPR.
Yet even with these eye-watering fines, we've still seen evidence that many organisations have treated the implementation of the GDPR as a one-off, tick-box activity. They have not built business processes in a way that ensures they stay consistently compliant and on top of the ever-evolving regulatory landscape. Certainly, they have not implemented the "Privacy by Design and Default" approach which the GDPR stipulates.
This is evident in DQM GRC’s 2019 research report “Privacy, Value and Ethics: Coping with the cautious consumer”, which examined the current attitudes to the GDPR one year on from both businesses and consumers.
Over 60% of the organisations interviewed felt that they were compliant with the GDPR. However, only 1.8% had actually completed a Data Protection Impact Assessment.
This contradicts the core principle of "Privacy by Design and Default", and suggests that, in reality, there is still a fair way to go, especially given the complex and ever-changing ways organisations use and manage data over time. It is likely that now, over a year on from implementing the GDPR changes, many organisations have drifted out of compliance.
There is also a misconception that being GDPR compliant ensures your organisation is also CCPA compliant. This is not the case: the two laws differ in scope, in the rights they grant and in their consent models. Businesses should certainly coordinate their GDPR and CCPA compliance efforts, but must also account for the differences.
Global privacy laws: further regulatory advances in data protection are expected
Data science is continuing to advance, and technologies such as machine learning and AI can give businesses a huge competitive advantage. As demand grows and usage evolves, we expect regulation to advance with it so that it continues to provide adequate and necessary protection for individuals.
Individuals will also start to recognise the value in their data. In fact, according to the DQM GRC research report, the rise in awareness of data protection laws has been remarkable: 45% of consumers said they now know all about the GDPR, while nearly one quarter (22.7%) are reasonably aware but have yet to absorb the detail.
This will result in a new consumer mindset of "how can I make my data work for me?", and the value exchange between individuals and organisations over data will become more overt. Legislation will need to evolve to reflect this.
Eventually, we could start to see a global alignment of privacy rules and practices (the GDPR is now being used as the basis for many new data laws). Until that happens, however, global businesses will have a complex job managing privacy across their customer domains.
For more information on business topics in the United States, please take a look at the latest edition of Business Chief USA.