Get ready for CCPA: Implications for UK businesses
The California Consumer Privacy Act, a wide-ranging data privacy and consumer protection law, comes into effect on 1 January 2020. How does CCPA differ from the EU GDPR regulations and what are the responsibilities for UK businesses operating in the US?
The bill for the California Consumer Privacy Act (CCPA) was passed by the California State Legislature and signed into law by Governor Jerry Brown of California on 28 June 2018, amending Part 4 of Division 3 of the California Civil Code. It is due to come into force on 1 January 2020. Although it is a California law, the CCPA's reach will extend far beyond the state.
Historically, the US has had a different approach to privacy to that taken in Europe. But this is now changing, due in part to several high-profile data breaches, such as the Equifax data breach. “There was a very different cultural attitude to privacy, and there’s a growing concern around data-driven businesses and what they’re doing with the information they collect,” says Cillian Kieran, CEO of Ethyca.
Frustrated by the lack of progress in any nationwide data protection law, certain US state legislators implemented their own data privacy legislation, following in the footsteps of the EU’s General Data Protection Regulation (GDPR). The CCPA is not the first of these, but it is the most stringent. “California is the tip of the iceberg as it relates to data privacy in the US, and it’s likely to become a states-wide issue over the next two years,” says Kieran.
The CCPA is designed to protect the rights of Californian consumers. Any company wanting to operate in California will need to abide by this law, regardless of its geographical location.
However, not all companies will be affected by the CCPA, which only applies to a company that meets one or more of these criteria:
- Annual gross revenues in excess of $25m (nearly £20m).
- Processes the information of more than 50,000 consumers, households or devices.
- Derives at least half of its annual revenue from the sale of personal information.
As well as being one of the most prosperous and populous states in the US, California is the home of Silicon Valley. A company operating in the US but excluding California would be missing out on a significant customer base.
Federal complexity
The CCPA is not the only state-level privacy law that is coming into effect, with Washington and Oregon both developing their own versions of the act. These state-level data protection laws could lead to a legislative minefield, with potentially conflicting requirements between the different state laws.
“It is rarely realistic for enterprises to segment their internal data use by region, so the default is often to set up standard procedures that adhere to the most restrictive regulation,” says Ellison Anne Williams, founder and CEO of Enveil. “One of the advantages of a broad regulation enacted at the federal level is that it provides consistency for companies operating in the space.”
The GDPR sets the expected requirements for the data protection laws of EU member states and was enacted into UK law as the Data Protection Act 2018. The CCPA, by contrast, applies only to consumers in California, and no nationwide federal data protection law is currently being developed.
Should any federal-level data protection law come into effect, this could also potentially lead to conflicting regulations, such as has been seen with the net-neutrality laws. Following the Federal Communications Commission’s (FCC) decision to abandon net neutrality, California enacted its own version of net neutrality laws. “The FCC has been fighting that, saying you do not have the right to overarch above and beyond the federal law,” says David Harding, CTO of ImageWare Systems.
Make no assumptions
It would be a mistake to assume that a GDPR-compliant organisation is also compliant with the CCPA. Although the CCPA and the GDPR are broadly similar, they have distinct differences that organisations may need to be aware of.
“Offering a general opt-out button, like the ‘do not track’ button from the GDPR, won’t work,” says Mike Anderson, co-founder and CTO of Tealium. “Companies will need to clearly state what data is doing for the customer experience and be able to purge the data they are not allowed to keep.”
The CCPA’s legislative requirements can broadly be defined as the right of Californians to:
- Know what personal information is being collected about them, and have it deleted.
- Know whether their personal information is sold or disclosed and to whom.
- Say no to the sale of personal information.
- Access their personal information.
- Receive equal service and price, even if they exercise their privacy rights.
This last point could be significantly detrimental if enough Californian consumers choose to opt out of their data being used by a company. There is also the challenge of how organisations extract an individual’s data following a request not to use that data for business purposes.
Key differences
One of the key differences between the GDPR and the CCPA is that while the GDPR focuses on the person, the CCPA focuses on the data itself. “CCPA covers a lot of the same things as GDPR, but there are some key distinctions,” says Harding. “The biggest one is how far-reaching it is.”
According to the CCPA, the personal information of a user includes the following:
- Personal identifiers, including name, address, email, social security number, driver’s licence number and passport number.
- Biometric information.
- Geolocation data.
- Internet browsing history.
- Professional and employment-related information.
- Inferences from personal information to create a profile.
However, the CCPA does not consider any information that is publicly available as personal information.
Both the GDPR and the CCPA give users, whose identity must be verified, the right to view all data that an organisation has collected about them and to ask for it to be deleted. However, only the GDPR gives users the right to correct any false information that an organisation holds about them.
Data breach? Fine
The way that fines are managed under the CCPA is also different. Under that law, there is a maximum fine of $7,500 (about £5,800). At first, this seems surprisingly low, but the fine is for every account breached. Therefore, if 50,000 accounts were breached, this would become a fine of $375m (£290m). The scalable nature of CCPA fines implies that these fines are far easier for authorities to wield than the more restrictive penalties under the GDPR.
The CCPA goes further than the GDPR in some cases, but not so far in others. A recent report by Ethyca revealed that only 12% of companies believed they had achieved an adequate state of compliance with the new privacy regulations.
How to get compliant
Creating an adequate data map is the first stage in becoming compliant with the CCPA. This is an inventory of all of the personal information the organisation has collected or inferred. A data map should clarify why it has that information, who (and what) has access and why, as well as how it was collected. Although this is not a regulatory requirement, it provides organisations with a baseline for meeting the other obligations.
As users can request a copy of all the personal data that an organisation holds on them, in a “human readable” format, automating this process will reduce costs. Although it could be done manually, this is only acceptable as a short-term solution, because it will be time-consuming and resource-intensive.
To prepare better for the CCPA, minimising data collection will reduce the threat surface and improve data security. This will also reduce the amount of damage that can occur in the event of a breach.
As breaches can occur because of failures in security credentials management, introducing access control will reduce the risk. Having such mechanisms in place demonstrates that an organisation is taking responsibility for the information it stores about its users.
The final key aspect is impact assessments, in which organisations assess the risk that new processes pose to their users. This needs to exist as an auditable document trail that demonstrates that the organisation has taken due care to ensure it is operating in the best interests of its customers.
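The compliance steps above (a data map that records what is held, why, how it was collected and who can access it; automated, identity-verified access and deletion requests; an auditable trail) can be tied together in code, with the data map acting as the index that drives every request. The following is an added example, not code from the article or from any of the companies quoted in it; the data stores, field names, consumer identifiers, session tokens and records are all constructed for illustration, and identity verification is assumed to have been completed by a separate step that issues the session token.

```python
"""Added example: a data map kept as code, used to fulfil consumer access and
deletion requests across several stores and to leave an audit trail.
Every store, field, record and token below is constructed for illustration."""
from dataclasses import dataclass
import json


@dataclass
class DataMapEntry:
    system: str           # where the personal information lives
    fields: list          # which personal-information fields that system holds
    purpose: str          # why the organisation holds it
    collected_via: str    # how it was collected
    access: list          # which roles or services may read it


# Constructed in-memory stores standing in for real databases.
CRM = {"c-1001": {"name": "Ada Example", "email": "ada@example.com"}}
ANALYTICS = {"c-1001": {"browsing_history": ["/pricing", "/docs"],
                        "inferred_segment": "smb-buyer"}}
STORES = {"crm": CRM, "analytics": ANALYTICS}

# The data map: one entry per system that holds personal information.
DATA_MAP = [
    DataMapEntry("crm", ["name", "email"], "account administration",
                 "signup form", ["support", "billing"]),
    DataMapEntry("analytics", ["browsing_history", "inferred_segment"],
                 "product analytics", "web tracking", ["marketing"]),
]

# Constructed: tokens issued only after identity verification elsewhere.
VERIFIED_SESSIONS = {"sess-abc": "c-1001"}

# Auditable trail of every request handled (action, consumer, systems touched).
AUDIT_LOG = []


def verified_consumer(session_token):
    """Map a session token to a consumer id; refuse unverified callers."""
    consumer_id = VERIFIED_SESSIONS.get(session_token)
    if consumer_id is None:
        raise PermissionError("identity not verified")
    return consumer_id


def access_request(session_token):
    """Gather everything the data map says is held about the consumer,
    together with purpose, collection method and who can access it."""
    consumer_id = verified_consumer(session_token)
    report = {"consumer_id": consumer_id, "systems": []}
    for entry in DATA_MAP:
        record = STORES[entry.system].get(consumer_id, {})
        report["systems"].append({
            "system": entry.system,
            "purpose": entry.purpose,
            "collected_via": entry.collected_via,
            "accessible_to": entry.access,
            "data": {f: record[f] for f in entry.fields if f in record},
        })
    AUDIT_LOG.append(("access", consumer_id, [e.system for e in DATA_MAP]))
    return report


def deletion_request(session_token):
    """Purge the consumer's record from every system listed in the data map;
    returns the systems that actually held something."""
    consumer_id = verified_consumer(session_token)
    deleted_from = [entry.system for entry in DATA_MAP
                    if STORES[entry.system].pop(consumer_id, None) is not None]
    AUDIT_LOG.append(("delete", consumer_id, deleted_from))
    return deleted_from


def human_readable(report):
    """Render an access report in the readable format a consumer receives."""
    return json.dumps(report, indent=2)


if __name__ == "__main__":
    print(human_readable(access_request("sess-abc")))
    print("deleted from:", deletion_request("sess-abc"))
    print("audit trail:", AUDIT_LOG)
```

Because both request handlers iterate the data map rather than a hard-coded list of databases, adding a new system that holds personal information is a one-line change to the map, and any system missing from it is exactly the gap an access or deletion request would silently fail to cover.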
Those who may have hoped that the CCPA would be a temporary inconvenience will be disappointed, because it is here to stay and will come into effect in the new year. An amendment has recently been passed, stipulating that any future amendments cannot weaken the legislation. A revised version of the CCPA is currently being developed.
Technology- and data-driven businesses now underpin much of our society. The CCPA is part of a global shift in governments’ approaches to the internet, as it sets out regulations governing what is, and is not, permitted online.
“The reality is that data-driven businesses are shifting towards being a heavily regulated industry,” says Ethyca’s Kieran. “I think lessons are to be learned from other regulated industries, whether it be banking or pharmaceuticals, that not only will this not go away, but it will compound itself over time.”