Data privacy laws are fast becoming a primary element in any data security conversation: from the EU’s GDPR to the California Consumer Privacy Act to Japan’s Act on the Protection of Personal Information, the ability to protect consumer data is top of mind. For companies that are built around consumer data, consumer trust becomes a vital part of their business model.
On May 25, 2018, the EU General Data Protection Regulation (GDPR) went into effect. And in the wake of the EU’s GDPR came another shift in data privacy — the California Consumer Privacy Act (CCPA). On June 28, 2018, Governor Jerry Brown signed the CCPA, which will enact some of the country’s most powerful consumer data privacy protections into law.
Get the Free Essential Guide to US Data Protection Compliance and Regulations
With the devastating series of data breach incidents in the past couple of years, many questions and concerns have arisen about the way consumer data is being handled. 2017 was the year of the data breach with the magnitude of high-profile incidents at companies such as Equifax and Yahoo. Attacks like these make data breaches seem part of normal life— not just in the United States, but around the world.
While the GDPR was created to protect citizens of the EU, its impact spans much farther. The CCPA is an outcome of the GDPR’s reaching influence, shifting government priorities and making them more willing to protect individual privacy. Although the CCPA does not go into effect until January 1, 2020, it’s important to be aware of the policies and processes necessary for compliance, and to analyze the current and future impact it will have in comparison to GDPR.
CCPA Overview
Businesses have a track record of using personal information to benefit their own agenda: the California Consumer Privacy Act (CCPA) will serve to protect California consumer rights and encourage stronger privacy and greater transparency overall. It will give consumers ownership, control, and security over their personal information – and consumers will have the ability to request that any business disclose (and delete) the personal information that it collects, and request that their data not be sold to third parties.
These data protections give Californians the right to:
- Know what personal information is being collected
- Access the personal information that is collected, and request it be deleted
- Know whether their personal information is being shared, and if so, with whom
- Opt-out of the sale of their personal information
- Have equal service and price, whether or not they choose to exercise their privacy rights
Businesses will also be prohibited from selling the personal information of consumers ages 13–16 (unless the consumer opts-in). For consumers under the age of 13, consent from a parent or guardian will be required. These new protections not only affect California consumers but also California businesses.
Who Does the CCPA Apply to?
The California Consumer Privacy Act defines a business as a for-profit entity that collects consumer personal data. So, if you’re a business in the state of California that meets at least one of the following thresholds, you may be subject to compliance:
- Businesses that earn $25,000,000 or more a year in revenue
- Businesses that annually buy, receive, sell or share personal information of 50,000 or more consumers, households or devices for commercial purposes
- Business that derive 50% or more of its annual revenue from selling consumer personal information
Under the CCPA, California citizens will have the ability to bring a civil action lawsuit against companies that do not abide by the law. The state can also bring these charges to a company directly — charging a $7,500 fine for any violation that is not addressed within 30 days.
Why does California’s new law matter for everyone else? It’s part of a global trend pushing companies toward greater accountability with regard to protecting consumer data. Additionally, it has given other countries and states a push towards the importance of taking personal data and consumer rights to data privacy more seriously. Chief proponent of the CCPA Alastair Mactaggart stated that, “While this law just covers California currently, large companies will soon have to offer similar rights to Americans.”
CCPA vs. GDPR
The European General Data Protection Regulation is an evolution of the EU’s existing data rules, the Data Protection Directive (DPD). It addresses many of the shortcomings in the DPD, including adding requirements for documenting IT procedures, performing risk assessments under certain conditions, notifying the consumer and authorities when there is a breach, and strengthening rules for data minimization. People who are familiar with the GDPR will notice some strong similarities to the CCPA.
The CCPA is said to be a model of the GDPR. And, with the recent passage of the CCPA, many people have been wondering how it compares to the GDPR — with some even calling it the American version of the regulation. No matter how influenced the CCPA may have been by the GDPR, there are some clear differences worth noting in each legislation.
Both the CCPA and the GDPR give individuals certain rights to how their personal information is collected and used, however, there are several important contrasts to be aware of. Because California has a much larger economy than the UK, the implications of penalties may be even more severe than that of the GDPR. Even though the CCPA does not go into effect until 2020, we’re already seeing it influence federal legislation.
Check out our interactive Venn diagram below to better understand the similarities and differences between the GDPR and CCPA.
CCPA
Effective date
January 1, 2020
CCPA
Who it protects
“Consumers” who are California residents.
CCPA
Personal information
Defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly, with a particular consumer or household.” This includes not only identifiers like name or address, but extends to browsing history, behavioral data, and more.
CCPA
Rights granted
Grants consumers five rights:
- The right to disclosure.
- The right to deletion.
- The right to access.
- The right to opt-out.
- The right to non-discrimination.
CCPA
Right to deletion
CCPA right to deletion applies to data collected from and about the consumer.
CCPA
Who must comply
“California businesses” of substantial size (with regard to revenue or number of consumers affected) that collect consumer personal data.
CCPA
Basis for consent
Allows sites to collect and sell your data if you sign up or make an online purchase and only offers consumers the right to opt-out.
CCPA
Time allowed to respond
to a request
Responsible parties have 30 days to respond to a request.
CCPA
Financial penalties
Organizations in breach can be fined up to $2,500 per violation for negligent violations and up to $7,500 per violation for intentional violations.
CCPA
GDPR
Similarities
- Encourage transparency in businesses/related entities.
- Require businesses/related entities to report data breaches to consumers/individuals.
- Look to better secure and protect the personal information of an individual.
- Define data processing as “any operations performed on personal data, automated or otherwise.”
GDPR
Effective date
May 25, 2018
GDPR
Who it protects
“Data subjects” in the European Union.
GDPR
Personal information
Defined as any information relating to an identified or identifiable natural person, directly or indirectly. This usually means data like address, license plate numbers, SSN, blood type, bank account information, and more.
Rights granted
Grants data subjects eight rights:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated individual decision making, including profiling.
GDPR
Right to deletion
GDPR right to deletion applies to all data collected about the consumer.
GDPR
Who must comply
Any “data controllers” (who determine the purpose and means of processing the data) and “data processors” (who process this data for the controller) that holds personal data of EU citizens.
GDPR
Basis for consent
Requires consumers to opt-in to data collection by instructing sites to get consent before collecting data.
GDPR
Time allowed to respond
to a request
Responsible parties have 40 days to respond to a request.
GDPR
Financial penalties
Organizations in breach can be fined up to 4% of annual global turnover or EUR 20 million.
The Big Picture
Governments are beginning to take data privacy very seriously. Like the GDPR, the CCPA iwill have far-reaching impacts across state jurisdictions. And, although the CCPA does not go into effect for another 15 months, we’ve learned from the GDPR that a year and a half isn’t a lot of time to become compliant.
It’s important to start preparing now: being prepared will save your company a lot of headaches (and costly enforcement actions) in the future. Meeting subject access requests – whether for GDPR, CCPA, or another regulation – can be especially difficult to achieve: you need to be able to identify content related to a data subject, classify and protect consumer data, and sometimes even delete upon request.
Don’t expect this to be the last privacy act, either — there are many more on the horizon. Companies should be prepared to meet more stringent data privacy regulations that focus on data discovery, security, and classification.
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.