GDPR, California, and You
So, what do GDPR, California, and you all have in common? Possibly a lot!
Since almost all of us are internet-connected creatures, the recent EU General Data Protection Regulation (or GDPR) is likely no longer a new topic. GDPR went into force on May 25, 2018 and there has been much publicity in its wake. Also, I am sure you all received updated privacy notifications from virtually every online party you have subscribed to, socialized with, or done business with. I wasn’t counting, but I probably reviewed at least 150 revised privacy updates from the organizations I interact with. I think GDPR did privacy advocates a great service and set the bar for other regions to learn from.
Although many of the resultant privacy updates and notifications contextually missed the mark, especially with respect to regaining “opt-in consent first,” and “control of individual’s data,” some got it right. In general, I think we all agree that on the introduction of GDPR, we’re off to good start for improving individual data privacy and protection. At least, now we are all aware of the issues.
Many businesses, including Catapult, applaud the improved level of privacy protections and control of their data afforded to individuals as a direct result of GDPR. Catapult takes seriously these protections, having revised our processes in support of GDPR, including consent and handling of personal data (non-sensitive and sensitive). But how about you?
Do you think that GDPR doesn’t affect you because you have no EU customers nor EU employees, or because you don’t monitor the personas of anyone in the EU? Perhaps with direct respect to GDPR, you are correct.
But here’s the catch—and the reason for this blog publication:
Enter the California Consumer Privacy Act 2018 (AB 375), otherwise known as “CCPA” or “AB375“
California legislature passed the California Consumer Privacy Act 2018 (AB 375) on June 29, 2018, and these new rules will govern most organizations that hold data on California residents. Like GDPR, the law becomes enforceable after a vetting and revisions period. This means that in approximately 16 months, on January 1, 2020, this law will go into effect.
The CCPA will change how businesses handle data of California residents. Businesses that collect and store volumes of personal information, including the big players like Google and Facebook, will be required to disclose the types of data they collect and who they share it with, as well as provide the means for consumers to opt out of having their personal data sold or shared.
Please see the table below for a highlighted, brief comparison between GDPR and CCPA.
California resident is defined as, “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.
|Highlighted Item||GDPR||CCPA (California Consumer Privacy Act 2018)|
|Basis for Consent||Opt In||Opt Out|
|Applies to…||Organization or entity that collects or processes personal data on EU citizens.||For-profit organization or entity that collects or processes personal data of California residents and either:
|Rights of Individuals||Access to data being held, right to erasure, correction, object to automated processing. Right to notification if there is a data breach.||Right to disclosure and objection relating to whom data is being sold, no discrimination if individual objects to data sold. Right of access to data being held. Right to know how personal data is being used. Right to know to whom data has been provided.|
|When it Becomes Enforceable||May 25, 2018||January 1, 2020|
|Fines and Penalties||4% of turnover of revenue or €20m (whichever is the greater)||$7,500 per violation. $750 or actual damages for each individual, whichever is greater.|
|Responding to Individual Requests||1 month||45 days|
The most important revelation of the California Consumer Privacy Act 2018 (AB 375) (CCPA) is that it brings GDPR-like data protection requirements to U.S. businesses that might otherwise have been exempt from EU GDPR law. Specifically, this pertains to many businesses that collect, process, or hold data on California residents.
If you have customers who are residents of California, and/or you hold data about the same, then CCPA applies to YOU! Catapult can help you, as we have done for customers facing GDPR compliance requirements.
For starters, here are five steps you should take to prepare for CCPA:
- Assess your data privacy policies and update them into a state of compliance.
- Assess your data storage repositories (cloud and on-premises) to ensure that you properly detect and protect any sensitive data that you hold. This can be personal data, but we apply similar protections for your intellectual property, corporate documents, and critical business data.
- Implement data loss prevention (DLP) solutions that detect sensitive data and protect it before it leaks (some clients don’t even realize the level of sensitive data that may exist on their systems). Our Spyglass security assessment helps to reveal these data issues and we will recommend and help implement solutions to remediate them.
- Assess your overall security posture. All data protection laws stipulate that you’ll need the technical resources to protect the data you are responsible for. We can help you find the gaps, prioritize actionable insight, build a roadmap and implement the solutions that stand the test of compliance requirements.
- Monitor and maintain your systems, networks, and processes to ensure they are updated, secure, performing optimally, and that they keep up with changes, trends, attack patterns, compliance requirements, etc.
Solely on the basis of data privacy law harmonization, and since our clients represent the very businesses that must comply with potentially a broad range of competing data privacy laws, I am hoping that the U.S. Federal Government will establish a uniform data privacy law that affords all U.S. residents with similar, or better, protections and control over their individual personal data. Then, all states and local laws will have harmonized laws that respective businesses and that individuals can benefit from.
CCPA is a great start. But…
What about the remaining 49 U.S. states and territories? This is where we should really follow the lessons already learned by Europe. See, prior to GDPR, each EU Member State had their own data privacy laws that supported the old and outdated “Data Privacy Directive.” All of these competing laws caused much confusion and complications across EU businesses and individuals. Specifically, the laws were all different, so European businesses had to deal with at least 23 versions of privacy law where seldom anything could get resolved due to conflicts and jurisdictional issues.
The EU smartly introduced GDPR to harmonize privacy laws across all EU Member States. In fact, over half of GDPR language is dedicated to this very harmonization, making it less complicated to comply.
This is where the U.S. could apply the lessons learned in Europe. While California’s CCPA is a great step, we will see other states and cities introduce their own versions of data privacy laws to protect their residents. In fact, the City of Chicago in April 2018 introduced legislation, an amendment of Municipal Code Title 4 by adding new Chapter 4-402 entitled the “Chicago Personal Data Collection and Protection Ordinance” which provides its residents with specific data privacy rights and protections.
And yes, the Chicago Personal Data Collection and Protection Ordinance is different than CCPA in details, yet very similar in nature – all drawn from the tenants of GDPR. Most U.S. businesses, in general, have customers located in other U.S. states and certainly in a broad range of cities. Think about the potential that each state (as well as major cities) create their own laws to protect their residents’ personal data. I believe you see where I am going with this…
There is a tremendous opportunity for the U.S. to learn from the past 25 years of EU’s individual data privacy refinements, specifically from the EU GDPR harmonization of data protection laws by creating an acceptable, stringent, and modern data protection law that applies to all member states. I am hopeful that U.S. leaders will see the benefit of uniform individual data privacy and protection law.
If you’re ready to start laying the groundwork to ensure compliance with these impending regulations, let’s chat: put 15 to 30 minutes on my calendar.
’till next time,