Known as the “toughest data privacy law in the United States,” the California Consumer Privacy Act (CCPA) grants California residents greater rights over their data and expectations that organisations will protect their personal information. Likened to the GDPR in the EU, the CCPA offers potentially expensive punishments to those that fail to meet the requirements and has extra-territorial reach. It can apply to UK organisations that have operations in California or deal with the personal information of California residents.
What is the CCPA and to whom does it apply?
Passed in June 2018, the CCPA is a state law designed to provide enhanced privacy rights and data protection for California residents. Similar to the GDPR and Data Protection Act 2018 in the UK, it enables data subjects to know what personal data is being collected and whether it is being passed on to third parties, allows them the opportunity to opt-out of data collection, and provides the right to be forgotten.
Personal information under the CCPA includes;
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
- Commercial information including records of personal property, products or services purchased obtained or considered, or other purchasing or consuming histories or tendencies
- Biometric information, geolocation data, and electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- Professional, education or employment-related information.
The regulation applies to companies that have an annual gross revenue in excess of $25 million; buy, receive or sell the personal information of 50,000 or more California consumers or households; or earn more than half of their annual revenue from selling California consumers' personal information. The bill requires organisations to “implement and maintain reasonable security procedures and practices” around collected personal data.
Companies have 30 days to comply with the law once regulators notify them of a violation, and companies can face a fine of up to $7,500 per record for non-compliance. It also grants individuals the right to sue and allows class action lawsuits for damages of up to $750 per consumer per incident, or actual damages, whichever is greater.
Does CCPA affect companies beyond California’s borders?
Like the GDPR, the CCPA is extra-territorial in scope and may apply to companies that engage in business in the state of California, regardless of whether that business has a physical presence in California. UK businesses with operations in California or that collect data on California residents could be subject to CCPA if they meet any of the previously mentioned thresholds. This could include, for example, shipping products to California, collecting cookie information from residents in California, or selling online services to residents of the state.
"The CCPA applies to all businesses that hold customer data of those residing in California and that meet the above criteria,” says Jean-Michel Franco, senior director data governance at Talend. “Therefore, even if your business is based in and operates out of the UK, if you meet the criteria and are dealing with consumer information from California you must be compliant with the CCPA."
The CCPA excludes consumer personal information collected "wholly outside of California.” It would not apply to data collected from California residents when they visit a website while physically in another country, for example.
How CCPA differs from GDPR/DPA 2018
The CCPA and GDPR are not the same and have some differences in requirements. “Businesses may be tempted to assume that the actions taken to ensure compliance with the GDPR will largely suffice for the CCPA,” says Gareth Oldale, head of data privacy and cybersecurity at law firm TLT. “While there is a degree of overlap between the CCPA and the GDPR, they do differ in some respects. Both laws give data subjects control over their personal data and require transparency about how personal data is being used, but the CCPA goes even further in its definition of personal data to include household information.”
The CCPA is focused on consumers rather than any individual’s privacy, meaning companies not operating for commercial purposes are exempt. It also has few restrictions around cross-territorial data flows. Information linked to a household falls under the scope of personal information with CCPA, while GDPR focuses on information relating to an individual. The CCPA also states that information that is “capable” of being associated with a person falls under its personal information definition. This means the range of data that could fall under the CCPA is much wider than it would be under GDPR.
“Many would argue that the GDPR is more robust than the CCPA, with a stronger and significantly more detailed set of regulations,” says Talend’s Franco. “The GDPR restricts personal data transfer outside the European Economic Area, something the CCPA does not cover with data leaving the US. The CCPA also includes a 12-month limitation on the timings for the data that can be requested by a consumer.”
“The most significant difference is that the CCPA has a stricter definition of personal data and UK businesses need to take note here. It includes household data, which is data not specific to an individual, therefore adding extra challenges to achieving compliance. The CCPA’s focus is the consumer, meaning B2B and employee data are not likely to be covered in the same way as under the GDPR. Additionally, the CCPA pushes businesses to include a 'do not sell my personal information' link as consumers have a definitive right to opt out. Finally, there are some differences in data rights for children with the GDPR requiring consent for processing, whereas the CCPA focuses more on consent for sale.”
How UK CISOs can comply with CCPA
As with GDPR, organisations should understand what data they have, what data they collect, how it is stored and processed, and what information may be passed on to partners or clients. From there the CISO can identify potential compliance issues with the CCPA and work to rectify them.
CISOs in the UK should understand whether CCPA applies to their organisation (or has the potential to in future), understand the requirements of the CCPA and how they differ from the GDPR, create processes to deal with specific aspects of CCPA such as opt-out options, ensure ongoing and audited compliance with the CCPA, and assess the potential risk to the organisation for failure to comply with the regulation.
“The first important thing to remember is that just because your organisation is meeting its obligations to the Data Protection Act 2018, it doesn’t mean that it is automatically compatible with the CCPA,” says Darren Wray, CTO at Guardum. “Check your privacy policies and make sure that they meet the CCPA’s requirements, remembering that data subjects are consumers and that there’s no such thing as a data controller or processor under CCPA.”
“Understand your California data, understand the types and classifications of data. Update your data privacy, data protection and breach notification controls, processes and procedures. Re-evaluate your organisation’s access request process. Finally, update your website to ensure that it is compliant with CCPA. It needs to tell consumers the ways in which they can exercise their rights and how they can access their personal information. This can be through an online form, an email address or an online portal, for example.”