As of January 2020, businesses that process data on California residents will have to comply with the California Consumer Privacy Act (CCPA). The state is following in the footsteps of the European Union (EU), which established the General Data Protection Regulation (GDPR) in 2018.
While there are points for comparison, the CCPA is not just a Californian version of the GDPR. Businesses that are already GDPR-compliant will have a head start on meeting CCPA requirements, but they will still have to address the law’s unique provisions.
These unique requirements may form the foundation of what will define future US data privacy law. Comparing the differences between GDPR and CCPA can offer insight into the kinds of regulation other states may soon pass.
GDPR vs. CCPA: What’s Different?
Both the GDPR and CCPA give individuals the right to access and delete personal information collected by service providers. In some cases, CCPA requirements are not as stringent as their European counterparts:
- CCPA regulation doesn’t require businesses to justify a legal basis for collecting users’ personal data.
- There are no CCPA restrictions on transferring personal data outside of the United States.
- Businesses that collect data on California residents do not need to appoint a data protection officer or conduct impact assessments.
- California residents have the right to access the last 12 months of personal data.
- CCPA places fewer obligations on service providers than GDPR does.
These differences should make CCPA compliance easier to accommodate than GDPR. In particular, the fact that organizations do not need to appoint a specialized data protection officer or provide access to more than 12 months of personal data will help small businesses maintain compliance.
In some areas, however, CCPA regulation is more stringent than GDPR:
- CCPA regulation specifically defines personal data to include household information, whereas GDPR does not.
- CCPA grants individuals a unilateral right to opt out of the sale of personal data, obliging organizations to add a “Do Not Sell My Personal Information” link on their websites and mobile apps.
- GDPR charges parents with providing consent for the collection and processing of children’s data, relying on the law’s regulatory need for a legal basis. CCPA does not share this legal basis requirement, but it specifically addresses the sale of children’s data, requiring parental consent for children under the age of 13.
From this point of view, it seems clear Californian lawmakers are interested in guaranteeing a more individual-oriented sense of data protection. In Europe, most of the responsibility for data protection falls on service providers, while in America, that responsibility falls on citizens.
CCPA regulation sets a level playing field for citizens to choose what happens with their data and obliges service providers to follow through. CCPA appears to be geared towards helping small businesses successfully manage user data, but they will still need to rely on expert consultants to ensure compliance.
How to Establish and Maintain CCPA Compliance
Organizations that collect, process, or purchase data on California residents will need to implement a broad range of changes to their business processes. Many of these changes will have both external, user-facing elements and internal, systemic elements.
For example, CCPA requires websites to allow individual users to opt out of all data collection and processing. Implementing this change requires websites to offer two parallel paths for user input – one in which they collect data, and one in which data passes through without being collected.
While CCPA doesn’t require businesses to appoint specialist compliance officers, most mid-sized organizations and enterprises will have to. Implementing CCPA will be a data-intensive process that benefits from expert help.
Some organizations will have a harder time than others. Businesses that have not yet undergone digital transformation may find that some of their manual processes simply do not work in the CCPA structure. The pressure for digital transformation will mount among small businesses that need to automate their processes to ensure compliance.
It’s also currently unclear how CCPA regulation will fit into a nationwide context, particularly for companies that operate across larger territories. Washington, New Jersey, and Texas have all proposed their own data protection laws, and it is only a matter of time before the number of data protection regulations that large enterprises need to adhere to multiplies.
Eventually, every state could pass its own data protection law. This would place a great regulatory burden on multi-state enterprises. Instead of complying with a single law in a single territory, they’ll have to contend with fifty different data protection structures in fifty territories – until a sweeping, federal-level data protection law comes along.
Speak with a Ripcord expert on how to digitize all of your business documentation, to prepare for upcoming data privacy regulations. And click below for more in-depth discussion on how these new laws affect your business!