After the EU’s passage of the General Data Protection Regulation (GDPR) in May of 2018, it was only natural that discussion about data privacy protection here in the United States quickly followed.
Like Europeans, Americans have become more reluctant to hand out personal information. The wariness isn’t entirely misplaced. After all, data breaches are common news, and many leading companies—such as Yahoo, eBay, Target, Home Depot, Anthem, and even the credit reporting agency Equifax—have reported data breaches in recent years.
This groundswell of data privacy concern forms the backdrop for California’s adoption of the California Consumer Privacy Act, or CCPA. The law is designed to help consumers better understand and control the spread of their personal information online, which is why it’s been called the “American GDPR.”
California isn’t alone. As data privacy concerns have grown in prominence in the wake of data breaches, many states have added or updated laws regarding privacy and the notification of consumers. For example, South Carolina, Alabama, Arizona, Vermont, Colorado, Ohio, Nebraska, Iowa, South Dakota, and Louisiana have each passed regulation to protect consumer information at different levels. However, the CCPA stands out from the rest because the law grants Californians the most comprehensive consumer privacy protection in the country.
But is CCPA truly just an “American GDPR”, or are there major differences that companies need to know about? Both regulations concern data privacy and security, but contain different requirements and mean different things for how companies manage their data. It is thus extremely important that managers understand the specific regulations of the CCPA and the GDPR.
The California Consumer Privacy Act (CCPA) is a law that protects California residents and households by enhancing privacy rights and consumer data protection. Bill AB 375, which enacted the CCPA, was signed into law by Governor Jerry Brown in June 2018. More than 629,000 California voters petitioned to get the law on the ballot, while many tech industry leaders (including Comcast, AT&T, Google, and Verizon) opposed it.
The CCPA applies to any business (including nonprofit entities) that does business in California and falls into at least one of the following groups:
The CCPA grants consumers four basic rights:
The General Data Protection Regulation (GDPR) is the European Union’s data privacy legislation and the first data privacy regulation with global relevance, making it one of the most significant information security and privacy laws ever passed.
The GDPR applies to:
The GDPR grants the following rights to EU citizens:
Both the CCPA and the GDPR are heavily focused on consumer control over personal information and data privacy. Both laws were created to give consumers more rights over their personal data while holding businesses accountable for maintaining and respecting consumer privacy. The two laws use different terms – personal information and processing – that align very closely. Many of the best practices that businesses have adopted to comply with the GDPR, such as documentation review, data mapping, and contract management, will also satisfy the CCPA. The CCPA is expected to become a model for other state privacy laws, or even for a federal privacy law, so ensuring compliance with the CCPA may provide a head start on complying with other federal or state privacy laws that will be enacted soon.
While the laws share a kindred spirit, their differences are revealed when examined by the letter. Below are a few of the critical differences managers should know.
Who Must Comply — The CCPA will apply only to businesses that exceed $25 million in revenue, or those who sell personal information as their primary business. The GDPR is enforced upon all businesses that process data of EU citizens.
Right to Deletion — The CCPA grants the consumer the right to request deletion of their data at any point and for any reason. The GDPR, by contrast, allows the individual to request deletion of their data only if the request falls within one of six categories: objection made, consent withdrawn, compliance with EU law, data no longer necessary, unlawful processing, or data collected in relation to the offer of services to a child.
The Consequences When Not Compliant — Under the GDPR, organizations can be fined the greater of % of annual revenue or €10 million for non-compliance. The civil penalty for intentional violations of the CCPA is up to $7,500 per violation, enforced by the California Attorney General and subject to a thirty-day cure period.
Compliance with the CCPA and GDPR is a necessity for organizations that handle consumer data. With the proper risk management software, you can promptly identify and adequately monitor business risks before they become critical issues. To ensure you are complying with the laws and protecting consumer data, work with a company that specializes in compliance management solutions. It is important to have a software system in place that lets you build an effective risk management process for your specific operation.
For more on GDPR, check out LogicGate's Webinar: Managing Third Party Risk in the Age of GDPR.