California Consumer Privacy Act (CCPA)
let’s have a look at the key points to better understand the California Consumer Privacy Act (CCPA).
Over the past couple of years, you may have heard about GDPR, the European Union’s General Data, and Protection Regulation, but do you know what CCPA is?
It stands for the California Consumer Privacy Act of 2018. Both GDPR and CCPA aim to guarantee protection for individuals regarding their personal data, and they apply to companies and organizations that collect, use, or share consumer data.
CCPA is due to take effect on January 1st, 2020, and is likely to have a global impact, just as GDPR did when it took effect in May 2018. There are some differences, one of which is the requirement under CCPA for organizations to provide consumers with the ability to look back at their data over the past 12 months.
So what are the other main differences? Well, the focus for CCPA is on transparency and limiting the ability of organizations to sell or share personal information, unless they have consent. So you should expect to see the phrase ‘Do not sell my personal information’ as a link on the homepage of websites.
The transparency is extendable if companies merge or acquire other businesses and will provide consumers the right to opt-out if it’s believed that the combined organization uses the data in an inconsistent way in which the consent was granted by the consumer.
CCPA does not require the appointment of a Data Protection Officer, the maintenance of a data register for processing activities, or the need for impact assessments. It also excludes some categories of personal information such as medical data, but that’s covered under other US federal laws such as HIPAA.
There is one other limitation to CCPA when compared with GDPR: the latter applies to all individuals located in the EU, even if temporarily, such as tourists, whereas CCPA really only applies to California residents regardless of where they are at the moment that data is potentially collected.
There are, of course, several other differences but there is one similarity that we as consumers should all celebrate: ‘the right to be forgotten’. Having legislation in place that
empowers a consumer to insist that a company moves any data it holds on them gives control back to the person the data is about.
CCPA applies to any business in California that has a gross revenue in excess of twenty-five million dollars, trades personal data of more than fifty thousand consumers or makes fifty percent of its revenue from selling consumers’ personal information. Again, there are unprecedented amounts of data being collected about every aspect: business, personal,
the environment just to name a few.
Any privacy legislation that limits a company’s ability to collect data without good reason or without explicit consent is a step in the right direction. Let’s hope that the US federal government raises the bar on privacy and follows California’s example.