Your business may be compliant with the General Data Protection Regulation (GDPR), but that does not guarantee compliance with the next wave of data privacy: the California Consumer Privacy Act (CCPA) going into effect on January 1, 2020.

What Is the CCPA?

The first-of-its-kind data privacy law in the United States, the CCPA is incredibly complex and greatly favors consumers. It applies very broadly and may impact businesses that have the personal information of consumers residing in California, including employees, regardless of where the business is located.

Does the CCPA Apply to My Business?

If you answer YES to any of these questions, you must start preparing for CCPA compliance now:

  1. Does my business have gross annual revenues of at least $25 million?
  2. Does my business—alone or with partnering companies—receive, buy, sell, or transfer the personal information of 50,000 or more consumers, households, or devices?
  3. Does my business make 50% or more of its annual revenue from selling personal information?

What Are Consumers’ Rights Under the CCPA?

The goal of the CCPA is increased clarity for consumers regarding how companies use their data. California created the following series of consumer rights that companies must satisfy: the right to access their personal data, the right to have their data deleted, the right to opt out of the sale of their information, and the right to not be discriminated against for exercising their rights under the CCPA.

| Consumer Rights | CCPA Requirements | Is There a GDPR Equivalent? |
|---|---|---|
| Right to access if business is collecting data | Disclose categories and specific pieces of data collected, categories of sources from which data was collected, business purpose for collecting, and categories of third parties with whom data is shared | Similar; disclose purpose of processing, categories of data processed, and source if available |
| Right to access if business is disclosing data for a business purpose | Disclose categories of data collected, categories of entities to whom data was disclosed, and categories of data disclosed for a business purpose | Similar; disclose recipients or categories of recipients to whom the data was disclosed |
| Right to access if business is selling data | Disclose categories of data collected, categories of data sold, and categories of entities to whom data was sold | N/A |
| Right to have their data deleted | Delete data a business collected about the consumer and direct its service providers to do the same (with some exceptions) | Similar; “right to be forgotten” |
| Right to opt out of sale | Consumer can direct a business that sells his or her data to not sell that data. Before a business may sell the data of a consumer 13 to 16 years old, it must observe an opt-in process. The data of a consumer younger than 13 years old may not be sold. | N/A |
| Right to nondiscrimination | A business cannot charge different prices, provide a different level or quality of goods or services, or suggest consumers will receive a different price or quality of goods or services for exercising their other rights | N/A |

How Do I Prepare for Compliance?

Update your privacy policy: Lay out the consumer’s rights under the CCPA, include an opt-out link, and list the methods by which consumers can exercise their rights.

Make opt-out link conspicuous: The link must be titled “DO NOT SELL MY PERSONAL INFORMATION” and appear conspicuously both in the privacy policy and on the company’s homepage.

Include at least two request options: At a minimum, and excluding the opt-out link, list a toll-free (800) number and provide a webpage for consumers to submit requests to exercise their CCPA rights.

Answer requests within 45 days: A business’ receipt of the request starts a 45-day clock to provide a substantive response, which may be extended once if certain circumstances exist.

Provide information free of charge: Any information requested must be provided to the consumer free of charge and in a portable and user-friendly format.

Update existing agreements: Update your agreements with existing vendors, business partners, and contractors to make sure that if a consumer exercises one or more of these rights, all downstream companies you work with and that have the consumer’s data are bound to make the same changes within their systems.

Utilize data mapping: While not required, robust compliance programs that utilize data mapping will decrease the cost of, and hours spent on, responding to consumer requests.

What Happens if My Business Is Noncompliant?

Don’t let the big numbers of the GDPR make you think the CCPA is a law that can be ignored, because it can be just as severe as the GDPR in terms of financial impact. For example, in a class action of 26,000 people suing a company under the CCPA for a single breach where each receives the maximum statutory damage, the company would owe roughly $20 million in damages. Given the litigious nature of US culture and the population of California, hefty damages are all the more possible.

| | CCPA | GDPR |
|---|---|---|
| Private Right of Action | Greater of statutory damages of $100 to $750 per consumer per incident or the actual damages suffered; class action eligible | Right to damages suffered; no statutory damages prescribed |
| Public Right of Action | Up to $7,500 per violation | Up to €20 million or 4% of annual revenue, whichever is greater |

With all the novelty contained in the provisions of the CCPA, there are many parts of it that are unclear and lack specificity, which will make compliance more challenging. One thing we know for certain today is that being GDPR compliant will not guarantee CCPA compliance.