There are rising concerns about the privacy of consumer data. The growth in the number of internet users and in cashless payments has contributed to the volume of consumer data being collected. The California Consumer Privacy Act (CCPA) is a bill that will take effect on 1st January 2020. CCPA seeks to protect consumer data from distribution without the consent of the consumer. Some companies generate revenue by selling consumer data collected on the internet, and sometimes that sale results in a breach of consumers' privacy by hackers and other cybercriminals. It is, therefore, high time for an act that genuinely protects the consumer data companies collect.
What is CCPA?
CCPA is about consumer data protection and holding the companies that collect data responsible for any breach or misuse. CCPA targets big tech companies, data brokers, and medium-sized businesses. Consumers face privacy breaches because of data that has been sold. Most consumers do not know to whom their data goes or where it ends up, and they have no idea what or how much data is collected from their devices. CCPA seeks to remove the veil that protects companies that collect massive amounts of data and use it however they want. It aims to give consumers the option to opt out of data collection.
CCPA aims to establish governance, risk, and compliance over personal data, much like the General Data Protection Regulation (GDPR). CCPA applies to California residents, but other states are following suit. GDPR made significant changes in how organizations process, store, and deal with breaches of personal data. GDPR, however, applies to organizations in the European Union (EU) or businesses that collect data in the EU.
How does CCPA affect businesses?
CCPA establishes penalties and fines that arise whenever consumer data that has been sold is used in cybercrime. Companies that collect massive amounts of data, such as Facebook, Netflix, Apple Music, Google, and others, need to disclose any data sales to the consumer. Consumers have the right to know where firms are selling their personal data. A consumer can opt out of data collection and still enjoy the service. Lack of disclosure can result in penalties for the company of up to $7,500 per violation. A consumer also has the right to request the deletion of his or her data from the company's records.
Businesses that fall under the Act but are not compliant attract a fine of $2,500 per violation. Consumers can sue for breach of privacy as individuals or as a class action. The penalties and fines were initially per person per event; however, large tech companies and lobbyists are trying to get penalties assessed on a per-event basis. The hefty fines and penalties are meant to inspire compliance from organizations, since penalties for non-compliance can impact the bottom line.
The businesses that will feel the impact are those with gross revenue of $25 million or more, those that make 50% or more of their income from selling data, and those that collect data from more than 50,000 California residents, households, or devices.
What is the Difference Between CCPA and GDPR?
- GDPR applies to entities that process data in the EU, while CCPA covers businesses that collect and store personal data in California.
- GDPR targets all entities that process, collect, and store personal data, while CCPA targets businesses only.
- CCPA has a broader definition of personal data but more restrictions on the sharing of personal data by business entities.
- CCPA doesn't have a clause to stop automated decision-making, while GDPR requires a human or company directors to decide on personal data usage.
- CCPA states a floor and a ceiling for fines per person per event of $100-$750, while GDPR has no restriction on damages in a single-action lawsuit against the people responsible for a breach.
- GDPR sets a penalty ceiling of 4% of annual revenue for violations or non-compliance, while CCPA doesn't have a cap on penalties.
What Should Companies do in Preparation for the Implementation of the Act?
The CCPA bill became law in June 2018 and takes effect in January 2020. However, compliance will require statements covering the previous year, which means from 1st January 2019. It is, therefore, in the best interest of an organization to start the compliance process as soon as possible. A firm needs to establish a team of CCPA officers within the company. All companies need to update consent notices on their websites, social media pages, and other sources of personal data. Data storage and management need to meet the Act's requirements, and consumers need to consent to data collection, storage, and distribution.
Establishing a breach procedure should be a priority. The breach procedure should have several options for stopping a breach in progress, and it should also include disclosures to the necessary authorities and to affected consumers. All employees and relevant parties in an organization need training on the new Act. Instructors should also cover the latest procedures and how compliance will help prevent cybercrime.