5 minute read 17 Dec 2018

How The California Consumer Privacy Act compares to the EU GDPR

By

Angela Saverice-Rohan

EY Americas Privacy Leader

Promotes cross-functional teamwork. Calm and steady in crisis. Wicked sense of humor. Mother of two.

Related topics Risk Advisory Cybersecurity

As privacy regulations become globally unified, organizations can use this as an opportunity to gain competitive advantage.

During the months preceding the European Union's General Data Protection Regulation (GDPR) go-live date on 25 May 2018, California lawmakers were working on privacy legislation of their own. Initially, California activists intended to pass a privacy bill through the California ballot initiative process in the November 2018 election. This effort was abandoned on 28 June 2018 when Assembly Bill No. 375 was signed into law, guaranteeing California residents rights around access, erasure, portability and opt-out choices and creating the California Consumer Privacy Act of 2018 (CCPA, or the Act).

The Act was consciously designed to emulate certain provisions of the GDPR, providing California residents with many of the same rights for their personal data as the GDPR. The enforcement date of the Act is 1 January 2020, and it is currently the broadest privacy law on the books in the United States, requiring businesses that were previously exempt from the GDPR to spend the next 17 months redesigning the way they collect, process, share and retain data. It represents what is predicted to be a trend across other states, which may ultimately result in all United States businesses evaluating their privacy programs.

While working toward compliance with the CCPA, companies can also use this opportunity to gain a competitive advantage by examining what needs to change and how data can be maximized within the confines of the trending requirements.

What does the Act require?

The Act provides consumers with the following rights:

  • Right to access the personal data collected about them and the identification of any third parties with whom the information is shared
  • Right to erasure of personal information
  • Right to opt out of the sale of personal information
  • Right to equal service and price when any of the above rights are exercised

Businesses are required to designate and share at least two methods (one telephonic and one web-based) by which consumers may exercise the above rights.

Those familiar with the GDPR will note that the rights granted to individuals by the CCPA mirror those in the GDPR. However, it is important to note that in some areas the CCPA goes further, while in other areas it is less prescriptive.

Opt out

Businesses are required to provide consumers with a method by which to opt out of the sale of their personal information to third parties. A business must alert any relevant third parties with whom the personal information was shared that the consumer has exercised his or her opt-out right, and the data must be erased from their systems.

Provide notice

Prior to the collection of any personal information, businesses are required to provide the consumer with a notice that covers:

  • The consumer's rights under the Act
  • The categories of personal information the business will collect
  • The purpose for which the personal information will be used
  • Whether the personal information will be sold to third parties

Additionally, businesses must post an online privacy policy, containing a more general description of the personal information the business collects and sells to third parties, as well as a link titled "Do Not Sell My Information," which allows the consumer to opt out of the sale of their personal information.

Who can bring an action?

In addition to regulatory enforcement, the Act provides for a private right of action for certain violations of the statute. Specifically, the private right of action is limited to violations involving "unauthorized access and exfiltration, theft or disclosure of a consumer's non-encrypted or non-redacted personal information."

What are the penalties if a company does not comply?

The California Attorney General's Office may order a company to pay penalties up to $7,500 per violation for any intentional violation of the statute. If a company unintentionally violates the statute and fails to rectify its actions within 30 days of the notice given, the Attorney General may fine that company $2,500 per violation. A consumer filing a private right of action may recover damages ranging from $100 to $750 per consumer, per incident, and companies can expect large class actions representing all individuals affected by a major breach or other systematic violation under the Act.

Companies that have not aligned their data practices to the GDPR will have the largest programmatic changes to make to meet the 1 January 2020 go-live date for the Act.

When less identifiable data means more competitive advantage

Compliance with the Act requires certain foundational efforts, including, among other things, identification of impacted individuals and their personal data, where the data resides, as well as third parties with whom it is shared. Further, the holder of the data must identify and document the provenance of the data and its use.

Companies may use the same work streams that create the foundation for compliance to both optimize their internal processes and maximize the value of identifiable personal data to their business. These measures lead to competitive advantage by creating a data-lean organization that maintains only the personal data needed to add value. Maintaining extraneous identifiable data costs time: the data must be parsed in order to respond to a data subject's request, or worse, it could be unnecessarily exposed in a breach situation.

In contrast, the data-lean organization may uncover that personal data slated to be deleted could be retained as an asset. Through the process of de-identifying (anonymizing) data but retaining it, a data-lean organization may continue to gain value in enhancing the customer experience, creating new products and services and informing new markets without the burden of data subject rights or breach exposure. Leveraging anonymized data and understanding the correlation of activities, both current and prospective, may offer new opportunities for incremental revenue or cost savings.

Insights gained from anonymized data that may be retained indefinitely can provide a competitive advantage that may come in the form of enhancing the speed to market for a new solution or through back-testing plans against anonymized data to validate assumptions. It may also come in the form of data insights enabled by correlations between current personal data and anonymized retained data to support a given use case. This is a value proposition that is broader than compliance with the CCPA, but supported, in great part, by an organization's foundational efforts to identify, understand and position the company to act on the personal data it collects.

Summary

The California Consumer Privacy Act of 2018 (CCPA, or the Act) was consciously designed to emulate certain provisions of the GDPR. It represents what is predicted to be a trend across other states, which may ultimately result in all United States businesses evaluating their privacy programs.

While working toward compliance with the CCPA, companies can also use this opportunity to gain a competitive advantage by examining what needs to change and how data can be maximized within the confines of the trending requirements.
