When the GDPR was launched almost a year and a half ago, it forced companies to take a look at their data practices. And though some might say enforcement has been pretty lax so far, it has changed the way companies deal with their data. And it has inspired a new major regulation in the US: the California Consumer Privacy Act, or CCPA.
The CCPA was signed into law about a month after the GDPR went into effect, though the idea was first introduced in January 2018. The law goes into effect starting Jan. 1, 2020.
According to Scott Pink, special counsel at Los Angeles-based law firm O’Melveny & Myers, the CCPA mirrors the GDPR in many ways, but it isn’t as extensive. “It’s sort of a GDPR lite,” he said.
The CCPA provides three of the same rights that the GDPR provides, including 1) the right to know what data is collected about you, 2) the right to access that data, and 3) the right to request deletion, Pink explained. But in addition, the CCPA provides the right to say no to the sale of personal information and the right to not be discriminated against, he said.
According to Pink, for a company to be subject to the CCPA, it must be doing business in California. This doesn’t necessarily mean it is headquartered or incorporated there; having employees there or selling products there counts. It must then also meet one of the following three criteria:
- Have an annual revenue of $25 million or more
- Have collected data from 50,000 California consumers
- Derive 50% or more of revenue from the sale of personal information
Unlike the GDPR, which imposes a fine scaled to the severity of the violation, the CCPA allows individuals to pursue a lawsuit against the company. In addition, under the CCPA companies could be liable for up to $2,500 per violation.
The path to compliance
Adrian Moir, lead technology evangelist at Quest Software, believes that the first step towards compliance is for companies to take a look at what’s in the regulations and determine how they should adjust their business accordingly. O’Melveny’s Pink agrees that this is a good first step, and believes that next, companies should begin doing an inventory of their data that is subject to the law.
Sovan Bin, CEO and founder of data governance tool provider Odaseva, added that discovery and documentation of how personal information is used should be a company’s first step.
GDPR sets a precedent
One factor that will impact how companies respond to the CCPA is that there is already a precedent with the GDPR. While GDPR certainly wasn’t the first privacy law to ever come into play, it was unique due to its massive scale. And with GDPR still fresh in people’s minds, it gives them a model for how compliance and enforcement play out.
And because the CCPA is less extensive than the GDPR, companies that already had to comply with the GDPR will have an easier time with compliance this time around. “Companies who have been preparing for compliance of GDPR for the European consumers would be already ready for the most part for CCPA,” said Bin.
One criticism of the GDPR is that enforcement was slow at first. By February 2019, eight months after it went into effect, only 91 fines had been issued under the GDPR. “[With GDPR,] it was a while before the first case came in and the first case didn’t get the full fine and everyone was going ‘oh, well that wasn’t so bad,’” said Moir.
Moir predicts that the first case of the CCPA will set the trend for the outcome of the law as a whole. “I think maybe it’ll be the first case that tips it over the edge and you’ll start seeing people saying ‘yes, I really need to do this,’” he said.
Moir also predicts that there will be a range of responses to the CCPA. Some organizations will accept the risk of the CCPA and keep doing business as usual, while others will work to become compliant.