GRC & Chill: Kickstarting Your Risk Management with Quantification
In this episode of GRC & Me, Megan Phee talks to Netflix's Senior Information Security Risk Engineer, Tony…
After the EU’s passage of the General Data Protection Regulation (GDPR) in May of 2018, it was only natural that discussion about data privacy protection here in the United States quickly followed.
Like Europeans, Americans have become more reticent to hand out personal information. The paranoia isn’t entirely misplaced. After all, data breaches are common news and many leading companies—such as Yahoo, eBay, Target, Home Depot, Anthem, and even the credit reporting agency, Equifax—have reported data breaches in recent years.
This groundswell of data privacy concern forms the backdrop for California’s adoption of the California Consumer Privacy Act, or CCPA. The law is designed to help consumers better understand and control the spread of their personal information online, which is why it’s been called the “American GDPR.”
California isn’t alone. As data privacy concerns have grown in prominence in the wake of data breaches, many states have added or updated laws regarding privacy and the notification of consumers. For example, South Carolina, Alabama, Arizona, Vermont, Colorado, Ohio, Nebraska, Iowa, South Dakota, and Louisiana have each passed regulation to protect consumer information at different levels. However, the CCPA stands out from the rest because the law grants Californians the most comprehensive consumer privacy protection in the country.
But is CCPA truly just an “American GDPR”, or are there major differences that companies need to know about? Both regulations concern data privacy and security, but contain different requirements and mean different things for how companies manage their data. It is thus extremely important that managers understand the specific regulations of the CCPA and the GDPR.
What is the CCPA
The California Consumer Privacy Act (CCPA) is a bill that protects California residents and households, enhancing privacy rights and consumer data protection. Bill AB 375, which passed the CCPA, was signed into law by Governor Jerry Brown in June 2018. More than 629,000 California voters petitioned to get the law on the ballot, while many tech industry leaders—including Comcast, AT&T, Google, and Verizon–opposed it.
The CCPA applies to any business (including nonprofit entities) that does business in California and falls into at least one of the following groups:
- Businesses that have annual gross revenues that exceed $25 million
- Businesses that acquire personal information from more than 50,000 consumers each year
- Businesses that earn more than half of annual revenues through selling the personal information of consumers
The CCPA grants consumers four basic rights:
- The right to know what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold
- The right to “opt out” of allowing a business to sell their personal information to third parties
- The right to deletion of their personal information
- The right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act
What is the GDPR?
The General Data Protection Regulation (GDPR) is the European Union’s legislation and the first data privacy regulation that has global relevance, making it one of the most significant laws about information security and privacy laws ever passed.
The GDPR applies to:
- Any company that processes or holds the personal data of European Union residents, regardless of the company’s location.
- Data controllers and data processors
The GDPR grants the following rights to EU citizens:
- The right to be informed about the collection and use of individual’s personal data
- The right to access their personal data that a company holds
- The right to rectification if an individual’s personal data is inaccurate or incomplete
- The right to erasure of private information when requested
- The right to restrict or suppress processing of their personal data in certain circumstances
- The right to data portability allows individuals to obtain and reuse their personal data across different IT environments securely
- The right to object the processing and use of personal data for direct marketing
- Rights in relation to automated decision making and profiling. The law states automated decision-making can only be carried out if given the individual’s explicit consent, if it is necessary during a contract process, or if it is authorized by an applicable Union or Member state law.
How are the GDPR and the CCPA Similar?
Both the CCPA and the GDPR are heavily focused on the desire for consumer control over personal information and data privacy. Both laws were created to ensure consumers have more rights over their personal data while businesses are held accountable for maintaining and respecting the privacy of consumers. The laws have two different terms – personal information and processing – that align very closely. Many of the best practices that businesses have enacted to comply with the GDPR will also comply with the CCPA, such as documentation review, data mapping, contract management. The CCPA is expected to become a model for other state privacy laws, or even for a federal privacy law, so ensuring compliance with the CCPA might provide an advantage for being compliant with other federal or state privacy laws that will be enacted soon.
The Difference Between the GDPR and the CCPA
While the laws share a kindred spirit, their differences are revealed when examined by the letter. Below are a few of the critical differences managers should know.
Who Must Comply — The CCPA will apply only to businesses that exceed $25 million in revenue, or those who sell personal information as their primary business. The GDPR is enforced upon all businesses that process data of EU citizens.
Right to Deletion —The CCPA grants the consumer the right to request deletion of their data at any given point and for any reason. Whereas the GDPR allows the individual to request deletion of their data if it falls within reason of the six categories: objection made, consent withdrawn, compliance with EU law, data no longer necessary, unlawful processing, data collected in relation to the offer of services to a child.
The Consequences When Not Compliant —Under the GDPR, organizations can be fined the greater of % of annual revenue, or €10 Million for non-compliance penalties. The civil penalty for intentional violations of the CCPA is up to $7,500 per violation, to be enforced by the California Attorney General and subject to a thirty-day cure period.
Ensuring Compliance with the CCPA and GDPR
Compliance with the CCPA and GDPR is a necessity for organizations that handle consumer data. With the proper risk management software, you can promptly identify and adequately monitor any business risks with agility—before they become critical issues. To ensure you are complying with the laws and protecting consumer data, work with a company that specializes in offering compliance management solutions. It is important to have a software system in place to enable you to create an effective risk management solution that works for your specific operation.
For more on GDPR, check out LogicGate's Webinar: Managing Third Party Risk in the Age of GDPR.
