The two most important statutes regarding data privacy and compliance are the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The GDPR came into force on May 25, 2018 and applies across every member state of the European Union (EU) and to organisations anywhere that process the personal data of individuals in the EU. EU member states may legislate higher protections in certain areas. The CCPA took effect on January 1, 2020 and is one of the strictest data privacy laws in the USA, securing new privacy rights for California consumers. The two statutes are broadly similar, but they are separate legal frameworks with different scopes, definitions, and requirements. A business that complies with the GDPR and is also subject to the CCPA may have additional obligations under the CCPA.
While CCPA incorporates several GDPR concepts, such as the rights of access, portability, and data deletion, there are several areas where the CCPA requirements are more specific than those of the GDPR or where there are substantial differences.
For example, the GDPR does not include a specific right to opt-out of personal data sales. Under CCPA, businesses must generally enable and comply with a consumer’s request to opt-out of the sale of personal information to third parties.
In general, if a company has already taken the steps needed to comply with the GDPR, it is most of the way to CCPA compliance.
The CCPA gives consumers more control over the personal information that businesses collect about them. California consumers have new rights under this legislation, including:
1. The right to know about the personal information a business collects about them and how it is used and shared;
2. The right to have personal information collected from them deleted (with some exceptions);
3. The right to opt-out of the sale of their personal information; and
4. The right to not be discriminated against for exercising rights under the CCPA.
Does the CCPA apply to your business?
All for-profit entities that do business in California and meet any of the following thresholds must comply with the CCPA.
– Have over $25 million in gross annual revenue;
– Buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices per year; or
– Derive 50% or more of their annual revenue from selling the personal information of California residents.
As with the GDPR, an entity does not have to be based in California or have a physical presence there to be subject to the law. The CCPA does not apply to non-profit or government entities.
How to make sure your business is compliant?
A notice at collection, describing the categories of personal information collected and the purposes for which each category will be used, must be provided at or before the point at which the business collects consumers’ personal information.
A business must designate at least two methods for consumers to submit a request for deletion of personal information, such as an email address, a website form, or a hard-copy form and mailing address. Once a consumer submits a deletion request, the business has 45 days to respond and may extend that period once by a further 45 days when reasonably necessary, provided it notifies the consumer of the extension.
What is a data privacy statement and why is it important?
What happens if a company is not in compliance with CCPA?
Companies have 30 days to cure a violation once regulators notify them of it. If the issue is not resolved, the civil penalty is up to $2,500 per violation, or up to $7,500 per intentional violation. The CCPA also provides a limited private right of action for certain data breaches (described below), which can be brought on behalf of a class.
Consumers may sue a business if their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures. For this purpose, the stolen personal information must include the consumer’s name (first name or initial and last name) together with at least one of the following:
– Social security number,
– Driver’s license number, tax identification number, passport number, military identification number, or other unique identification number on government issued identification,
– Financial account information such as account number, credit, or debit card number, along with any required security code, access code, or password,
– Medical or health insurance information,
– Biometric data used to authenticate an individual’s identity, such as fingerprints.
Consumers can recover either the actual damages they suffered from the breach or statutory damages of $100 to $750 per consumer per incident, whichever is greater. Before seeking statutory damages, a consumer must give the business 30 days’ written notice identifying the violation. If the business cures the violation within that 30-day period and provides the consumer with a written statement that the violation has been cured and will not recur, the consumer is barred from suing for statutory damages unless the violations continue.
The California Attorney General can also bring an enforcement action against a business for CCPA violations, whether prompted by consumer complaints or by other information indicating a pattern of misconduct.