One of my learned contacts recently stated that “a rising tide lifts all boats”, and this is the effect we are starting to see since the introduction of the GDPR last year.
GDPR was a paradigm shift for data protection, in that its geographic application extended well beyond its origin. There are several laws now being passed which have a similarly global reach – this means we all need to be aware of and comply with them.
One such piece of legislation is the California Consumer Privacy Act (CCPA) coming into force in January 2020.
California’s population and economic size are significant – if California were a country, it would be the fifth largest economy in the world, so it is a marketplace that many global companies interact with. If you collect and disclose or sell information about US citizens, you will likely have to comply with the CCPA. If you are already complying with the GDPR, the impact should be minor.
CCPA has many similarities to the GDPR, for example having greater levels of protection for the handling (and selling) of information about children.
CCPA also bestows several individual rights for Californian residents, including the right of access, the right to be informed, the right to deletion and the right to say ‘No’ to their information being sold.
However, there are also some key differences. CCPA does not put the same level of onus on accountability and governance as the GDPR, which mandates the Data Protection Officer role and Data Protection Impact Assessments. Conversely, CCPA does specify the obligation for companies to train their staff, which is not explicitly spelled out in the GDPR.
One of the specific requirements for CCPA is that any company that sells information about Californian residents must provide a ‘clear and conspicuous’ link on their website home page titled “Do Not Sell My Personal Information” to enable individuals to opt out. This will therefore be an important and visible compliance action if you collect and sell US citizen data.
It is a fascinating balance to strike: as the value of data continues to increase significantly, so do the risks and liabilities.
The data protection revolution is still unfolding and the business case for becoming a highly trusted data processor continues to gain strength.