The California Consumer Privacy Act (CCPA) was signed into law in 2018 and will be enforced by the California Attorney General in July 2020 (although private plaintiffs will be able to bring claims under the CCPA in January).
The CCPA aims to increase the privacy rights of Californians and allow consumers to know how their personal information is being used by businesses. The bill comes just a year and a half after the European Union enacted the General Data Protection Regulation (GDPR), another major piece of legislation concerned with consumer privacy and data usage.
Both of these regulations are in response to increased anxiety regarding digital data breaches and misuse of information. The CCPA specifically mentions the Cambridge Analytica Off Site Link scandal in its text as one reason “our desire for privacy controls and transparency in data practices is heightened.”
We sat down with Sunrise Banks Director of Cybersecurity Eric Breece to help us understand the CCPA as well as the connections – and important differences – it has in relation to the GDPR.
Why is the CCPA important?
EB: From a consumer standpoint, it provides California residents significant rights related to information collected and used by businesses. This information is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” That is a mouthful and is significantly more detailed than other privacy regulation language.
Under the CCPA, California residents can not only ask to know what the business has, but also ask for information to be deleted and prohibit the business from selling their data. It also has provisions to prevent a business from discriminating against the individual after they have asked for access to their information. This not only applies to the business being asked for the data, but also extends to third parties the business shared the information with.
The CCPA is similar to the GDPR in that both laws aim to increase consumer privacy. Are there any noticeable differences between the two worth mentioning?
EB: While they both have a lot in common, there are a number of key differences. Some of these differences are minor items, like how long a business has to respond to a request for data by an individual (30 days for GDPR vs. 45 days for CCPA). While others can have a significant impact on what would be considered in scope and the financial ramifications if a breach occurs. Here are some of the other differences between the GDPR and CCPA:
- CCPA applies to for-profit businesses of a specific size or larger; GDPR applies to any “data controller” or “data processer” irrespective of business type or size.
- CCPA has an exemption for information already covered by federal regulations like Gramm-Leach-Bliley Act (GLBA); GDPR is more akin to a federal regulation and could supersede local regulations.
- CCPA allows people to opt out of their information being sold; GDPR, on the other hand, does not directly address the sale of information, but more broadly addresses opting out of commercial use of personal information.
- Under GDPR, companies can be fined for not complying with GDPR (i.e., if they are at risk of having a breach occur); Under the CCPA, California’s Attorney General would bring action against the business triggered by a breach.
- GDPR fines would be 4% of a business’s annual worldwide revenue or about $22 million dollars (whichever is higher); Under the CCPA, California’s Attorney General can assess a penalty of $2,500 per violation or $7,500 for willful violation (a violation is a single person’s rights being violated) and the business is still subject to private legal action.
Does the CCPA apply to companies outside of California?
EB: Yes, it can, as the regulation states that it applies to any business “doing business in California.” In practical, risk-adverse terms, this really means any business that has, collects, and/or uses data related to a resident of California. Some may argue that a business with a website hosted in Maryland isn’t a business in California, but based on what we’ve seen with changes to state tax laws (i.e., wanting to collect local sales tax for online sales), it isn’t hard to imagine that California would say that if they sell something to a California resident then it’s doing business in California.
How will the CCPA affect banks?
EB: As long as the bank is large enough (e.g., gross revenue greater than $25 million, annually buys/sells personal information of more than 50,000 individuals, OR derives 50% or more of annual revenue from selling personal information) and conducts business in California, then yes, banks are in scope.
There is an exception around data covered under the Gramm-Leach-Bliley Act (GLBA), but that is only a subset of data that is within scope for CCPA. So, while it means banks have different options when it comes to GLBA related data, banks will still have to know where that data is, what it is used for, and be able to show it is GLBA-related vs. CCPA. The trick is that the same data can fall into both requirements. For example, an IP address collected during the process of providing a financial service (e.g., online banking) is covered by GLBA, but if the IP address is also collected for marketing then it is not in scope for GLBA and in scope for CCPA.
The other long-term impact will be that banks (and other businesses) will have to adopt Privacy-by-Design principles in order to stay ahead of CCPA and other privacy regulations coming down the road.
Do you think more privacy legislation will be drafted in the US after the CCPA is enacted?
EB: Yes, and we are already seeing that happen. Nevada’s governor signed into law Senate Bill 220, which has clear parallels with CCPA. It also has significant differences, too. The biggest being that it is focused only on online services (i.e., owners of websites). We are also seeing New York work through building regulation similar to CCPA. While the legislation didn’t pass this last session, we had Washington and Texas bring similar CCPA bills forward. So, from my perspective, this is the beginning.
Are there any pieces of the CCPA you wish were changed or different? Is there a piece of this law you find difficult to abide by or understand?
EB: One of the items under question is employee data, because this isn’t what most businesses think of as a typical business-to-consumer relationship. This also speaks to a fundamental difference between CCPA and GDPR: GDPR makes privacy a fundamental human right, while CCPA is more about regulating how businesses must handle data about an individual as part of a business transaction.
So, for now, employee data is exempt from the individuals being able to request access, deletion, and opt-out rights, but does include the disclosure and right to private action components of CCPA. With the rest of the world moving towards privacy as a fundamental human right, it would be nice to see California push the United States towards that approach. If we had that consistency, it would make it easier for businesses to comply.
Also, as with many regulations of this type, there are plenty of pieces of the law that could be difficult to abide by or clearly understand. Some of this, I fear, will just have to be worked out in the courts.