Proteus® CCPAready™
One interface for multiple standard data requests

CCPA is here

1st of July 2020

The California Consumer Privacy Act (CCPA) is a US-based regulation that grants new rights to consumers regarding the collection and privacy of their personal data. In effect since January 1st, 2020, fines enforced from July 2020 for companies found to be out of CCPA compliance can reach $7,500 per incident.

Backgroud

Data Privacy is rapidly becoming a basic human right. The GDPR, established to protect the rights of EU citizens, came into force on May 25, 2018. On June 28, 2018, Governor of California, Jerry Brown, signed the CCPA, which enacted some of the country’s most powerful consumer data privacy protections into law. Currently there are some 15 other states introducing their own data protection regulations. In parallel with this some notable large businesses are lobbying for a Federal regulation in place of the different State regulations. The CCPA came into effect on January 1, 2020. The California attorney general, which generally enforces the CCPA, shall adopt regulations on or before July 1, 2020, and shall not bring an enforcement action until 6 months after the publication of such regulations or July 1, 2020.

Overview of the CCPA

Just like the GDPR does for EU citizens, the CCPA will serve to protect California consumer rights and encourage stronger privacy and greater transparency overall. California’s citizens will have the right to:

• Know what personal information is being collected
• Access the personal information that is collected, and request it be deleted
• Know whether their personal information is being shared, and if so, with whom
• Opt-out of the sale of their personal information
• Have equal service and price, whether or not they choose to exercise their privacy rights
• Bring a civil action lawsuit against companies that do not abide by the law

The CCPA applies to businesses (“for-profit entities that collect consumer data”) that do any of the following:

• earn $25,000,000 or more a year in revenue
• annually buy, receive, sell or share personal information of 50,000 or more consumers, households or devices for commercial purposes
• derive 50% or more of their annual revenue from selling consumer personal information

Key differences between the CCPA and GDPR

• CCPA only applies to businesses with $25m+ revenues
• CCPA fines are applied per violation (up to a maximum of $7,500 USD per violation), are uncapped and apply only in the event of a breach (rather than failure to comply with the regulation as is the case with the GDPR).
• CCPA considers personal data to relate to both the individual and the households
• CCPA only applies to data not covered by existing federal privacy laws (e.g. Gramm-Leach-Bliley Act (GLBA) or the Health Information Portability and Accountability Act (HIPAA)
• CCPA allows data subjects to ‘opt-out’ of the sale of their data and requires businesses to have a visible link at the top of their homepage for this purpose, whereas the GDPR requires organisations to secure ‘opt-in’ from data subjects for data processing and third-party access to their data.
• CCPA has a less stringent requirement on data portability, in that businesses are only required to provide consumers with the information electronically in a readily useable format, whereas the GDPR places an obligation to transfer a data subject’s information to another data controller upon request.
• CCPA is considered to be less comprehensive than the GDPR and is awaiting further definition.

How to manage multiple regulations

One of the challenges faced by multinational organisations is how they will address the plethora of privacy regulations applicable to them. Whilst no one can anticipate all of these and provide a software tool that guarantees to address them, a well thought out product can provide the platform for best practice data privacy management.

Proteus® CCPAready™ is an iteration of Proteus® NextGen Data Privacy™ and uses the same code set. If you are only interested in CCPA then we simply deliver Proteus® NextGen configured to show only the functionality required for CCPA.