GDPR has been in place for nearly three months. While we’re still in the earliest stages of seeing how the regulations will shake out, GDPR has been talked about enough that people outside the security industry want to know why we can’t do something similar in the U.S.
The California state government took up that challenge and, in a matter of weeks, delivered the California Consumer Privacy Act (CCPA) to the governor, who signed it into law. CCPA goes into effect on January 1, 2020, and, like GDPR, will give users more control over their personal data.
“The bold move from California definitely ups the ante for other states and potentially the federal government to adopt similar initiatives,” said Jim Varner, CEO of SecurityFirst. “The good news is, we have the European Union’s GDPR to help navigate around most of the hurdles of meeting compliance.”
CCPA: Similar But Not the Same
If your company did all the legwork to be in compliance with GDPR, you’re set with CCPA . . . right? Not exactly, said Erik Archer Smith, marketing director, ABM at Arm Treasure Data. “With the California law, GDPR-compliant companies will have additional work to do to prepare for CCPA implementation in 2020.”
According to Archer Smith, here are some of the ways CCPA differs from GDPR:
- CCPA requires companies to set up specific communication channels — toll-free numbers and websites — so California residents can request information about their data.
- CCPA expands the definition of personal data to include household information and data from devices connected to the Internet of Things (IoT).
- CCPA establishes a different set of data deletion requirements.
- CCPA establishes new requirements around selling data for commercial purposes.
How CCPA Improves on GDPR
GDPR applies to a far wider set of companies than CCPA will, James Slaby, security expert at Acronis, pointed out. Having even one customer living in the EU forces you to be compliant with GDPR, no matter the size of your company. CCPA compliance, on the other hand, is required only for businesses earning at least $25 million a year in revenue, collecting personal data on at least 50,000 individuals, or deriving more than half of their revenue from selling consumer personal information.
Yet, Slaby added, CCPA does improve on GDPR in a few important ways, including:
- Consumers have the right to sue companies for monetary damages if their personal data is abused, whereas GDPR uses hefty regulatory fines as its big stick to make companies comply.
- CCPA also worries about the potential abuse of metadata, and so requires companies to not only let consumers look at personal data, but explain how it is being categorized, where it comes from, and who it’s being sold to. Further, if a company can expand a consumer’s profile by making inferences about the individual (say, by looking at offline data to draw conclusions about his/her income or buying preferences), the consumer is entitled to access and control that information, too.
- CCPA doesn’t give companies as much wiggle room as GDPR on how they are supposed to comply with various provisions of the law. For instance, CCPA explicitly says that businesses under its jurisdiction must put a “Don’t Sell My Personal Data” button on their homepage.
“There are also differences between the two in choices of bureaucratic jargon,” Slaby stated. “For example, GDPR calls the main objects of its protections ‘data subjects,’ while CCPA calls them ‘consumers.’ Also, CCPA doesn’t make as fine a distinction in terminology between ‘controllers’ and ‘processors’ of personal data, but the law still covers that distinction conceptually.”
Yet Still Falls Short of GDPR
While CCPA will improve on GDPR, it also falls short of GDPR’s stringency. CCPA doesn’t have to worry about protecting the privacy of consumers around the world, nor does it have the strict penalties of GDPR. CCPA doesn’t apply to every company, meaning plenty of private data will be left unprotected.
Also, said Sven Dummer, director of marketing at customer identity and access management (CIAM) company Janrain, CCPA was rushed through, as opposed to the years of deliberation and preparation behind GDPR, and that can leave holes in the legislation. “This means many of the California law’s finer details are waiting to be ironed out between now and 2020,” he said.
For example, he added, it is unclear how the law will deal with cookies. “The law counts unique personal identifiers such as IP addresses; geolocation data; and shopping, browsing and search histories in its broad definition of personal information. However, the law won't apply to personal information that is 'de-identified or in the aggregate consumer information,' which makes it sound as if anonymous tracking data will be exempted.”
While the two privacy regulations have their similarities, their differences, and their growing pains, one thing is certain, according to Slaby.
“Any progress you have made on GDPR compliance issues, like improving your ability to defend customer personal data against security breaches, can only boost your efforts to achieve CCPA compliance,” he said. “The two aren’t perfectly alike, but the gist is the same: Be much more careful with how you handle consumers’ sensitive data and obey their wishes on what you do with it, or be ready to pay heavy penalties.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba