CCPA: the next legal framework for data protection after GDPR

Let’s start this blog with a short warning. This is not a detailed gap analysis of the GDPR versus the CCPA. You can find loads of good ones on the internet. I am not a privacy expert, but I am in the lucky position to work with passionate privacy experts on a daily basis in the field of data protection. The CCPA, the California Consumer Privacy Act, is a hot topic these days.

The CCPA is the new privacy bill that becomes effective on January 1st 2020 in the state of California. This blog gives you a high-level insight into the CCPA. To make it easier to digest, the GDPR is used as a reference.

In this factsheet you can find the main differences between the GDPR and the CCPA for Reach & Governance, Personal Data, Data Subject Rights and Accountability.

CCPA protects consumers from the selling of personal data

The GDPR and the CCPA are both considered to be privacy regulations that will cause a turnaround in the mindset about data protection, but the actual scope of the CCPA is much narrower than the scope of the GDPR, which is rather broad. The CCPA is centered around the right to say no to the sale of personal data.

The CCPA is restricted to organisations that collect consumers' personal data. It only applies to organisations that collect consumers’ personal data and have a turnover of more than 25 million dollars, and to the ones that collect a significant amount of personal data.

The GDPR applies to all organisations located within the EU and to organisations outside the EU that offer goods or services to EU data subjects, or residents. It is not limited by company size or turnover.

Another big difference: the CCPA uses a different definition of personal data than the GDPR, and the CCPA does not consider Publicly Available Information to be personal data.

GDPR offers more rights for residents than CCPA

Under the GDPR, data processing can only be done based on a legitimate ground. Protecting data subjects, their data and their privacy results in a long list of data subject rights: the right to be informed, right of access, right to rectification, right to erasure/to be forgotten, right to restrict processing, right to data portability, right to object and rights in relation to automated decision making and profiling.

The CCPA offers no right to rectification, no right to object and no rights in relation to automated decision making and profiling. Under the CCPA, consumers can opt out of the trading of their personal data and opt out of its use for marketing purposes.

Both the CCPA and the GDPR offer the right to be informed, though with different timelines for follow-up.

Good preparation for CCPA is half the battle

In our (Privacy Companies) broad experience with GDPR implementations, I can really recommend preparing well for a new legal framework and starting at an early stage. It definitely takes time to raise awareness, get the impact assessments done and implement all measures, on top of the running business.

After you have checked whether the CCPA applies to your organisation (scans are available), make sure you are prepared before the 1st of January 2020 by having the following in place:

  • Have basic awareness levels trained in your organisation, so everyone knows how to handle requests in their role in the organisation.
  • Have your record of data processing in place, to map the locations and processing activities that are done with personal data within your organisation.
  • Implement an explicit opt-out for personal data that is being sold.
  • Update your privacy notice with the newly required information.
  • Make sure you keep a register of data subject requests and their timely follow-up.
  • And do you already have your register of incidents and data breaches up to date? That is covered in another law, though.

So although the scope and the data subject rights differ significantly, the operational implementation you need to do for CCPA can be quite similar to the one for the GDPR.

If you want to know more about preparing your organisation for CCPA, or how you can prepare for CCPA with Privacy Nexus, please get in touch and let’s discuss.

Written by Renske Nouwens

November 14, 2019