On June 28th, 2018, California enacted the California Consumer Privacy Act (CCPA). It will go into effect on January 1, 2020. Its requirements apply to any company that wishes to collect data on California residents. Some provisions of the law may be amended before it takes effect.
While many states are working to create their own data protection acts, CCPA is probably the toughest law that any state has enacted. You can expect other states and possibly the federal government to follow this initiative.
Many US companies who were lukewarm about implementing GDPR standards will now be forced to come into compliance with CCPA since most of those companies collect data from California residents.
While CCPA is very similar to GDPR, it has some additional requirements that companies need to be aware of.
Personally Identifiable Information (PII Data)
GDPR has a well defined list of what is included in PII Data:
CCPA includes any information that identifies a “household” as protected information.
CCPA also includes:
CCPA also includes any inferences drawn about a consumer reflecting:
Data and Metadata
While GDPR talks about data and what needs to be disclosed to individuals, CCPA explicitly states that a consumer has the right to be informed about:
There is an emphasis on what those categories are, how they are defined and how data is categorized.
CCPA also requires disclosure (via privacy policies) to include any information that has been collected, sold or otherwise disclosed over the last 12 months.
As part of the CCPA, businesses have to provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information” that allows consumers to restrict the sale of their information.
GDPR penalties can reach the greater of 20M Euro or 4% of worldwide revenue. CCPA has penalties of $7500 for each intentional violation.
Additionally, CCPA provides that in the event of a data breach a business may have to compensate the consumer from $100 to $750 per record breached.
Data Protection Officers
GDPR states that you must have a Data Protection Officer identified for an organization. CCPA does not require this entity in an organization.
Right to be forgotten
While both regulations have clauses for consumers who wish for their information to be forgotten, they have slightly different stipulations on when information may be retained.
GDPR states that obligations do not apply where the processing:
CCPA states that deletion requests do not apply to information necessary for:
As with all regulations, you should engage your legal team to ensure that your business is in compliance with the regulations that are applicable to you. This is a summary for your convenience and does not constitute any legal advice.
For more information about how IDERA’s SQL Security Suite can help you come into compliance with GDPR click here.
For more information about SQL Security Suite, SQL Compliance Manager or SQL Secure, click on these links or contact your Sales Representative.