CCPA: What Is It And What Does It Mean For My Business?

May 29, 2019

Alexandra Matthews

By now, you’ve probably heard of the California Consumer Privacy Act or CCPA for short. At the very least, you know that it is a U.S. privacy legislation that will provide consumers with control of their own data. But you may be wondering, how is it different than the General Data Protection Regulation (GDPR) – if it even is? This blog will outline some frequently asked questions about CCPA and what businesses can expect.

Before diving into the potential business impact of CCPA, and what differentiates it from GDPR, let’s start with a look at the new legislation itself.

What is CCPA?

CCPA, the first state-level data privacy law in the U.S., was signed into law in June 2018 by California Governor Jerry Brown. CCPA grants consumers new rights regarding the collection of personal data and will go into effect on January 1, 2020. Under CCPA, the California Attorney General is required to publish regulations between Jan. 2, 2020 and July 2, 2020. As a result, businesses will have until July 1, 2020 to familiarize themselves with the regulations.

Sounds like GDPR…

CCPA and GDPR have their similarities. For starters, both CCPA and GDPR aim to guarantee protection for individuals’ personal data and apply to businesses that collect, use, or share consumer data. But there are also some notable differences.

For starters, CCPA is slightly narrower in scope as it applies to for-profit businesses, while GDPR applies to data controllers and data processors. CCPA and GDPR also fine for noncompliance differently. For example, CCPA enforces financial penalties per violation at a set fee (between $2,500 and $7,500) while GDPR mandates penalties for data breaches and non-compliance, with fines being capped at a percentage of the guilty party’s global annual turnover.

While these are a select few examples, it’s safe to say businesses shouldn’t assume they are CCPA compliant just because they are GDPR compliant. As regulations under CCPA are finalized, the differences could continue to increase.

But my business isn’t based in California

The more important question is where your customers or users live. CCPA applies to for-profit businesses that collect and process personal information of California residents, in addition to meeting predetermined thresholds of revenue or data collection. So, even if you aren’t based in California, CCPA can still apply to your business. And, considering the size of the California economy, CCPA will likely affect businesses around the world.

Okay, so what does CCPA mean for businesses?

We won’t have the full picture until July 2, 2020; the deadline for the California Attorney General to publish the regulations in full. However, you can start familiarizing yourself with the basics of the bill and begin investing in tools and training to ensure your company can meet these new regulations.

A survey of over 1,000 U.S.-based consumers found that 66% of consumers want GDPR-like rules in the U.S. that require brands to provide consumers with greater privacy, security, and control of their personal data. So, in the current digital landscape and era of increased data privacy regulation, businesses must be able to ensure security for consumers while still providing a seamless experience across platforms, or risk being left behind.

Is that all?

For now, but many states are beginning to create their own data privacy regulations. For example, Vermont, Maryland, Washington, D.C, and many other U.S. states are considering passing privacy and data protection laws of their own. Each state having separate regulations could get really complicated for businesses, especially in our interconnected digital age.

Recent research found that most companies are approaching privacy regulations on a case-by-case basis, with two-thirds of privacy professionals agreeing the systems they have in place will not support new regulations. As more and more states pass separate privacy regulations into law, we will likely see an increase of noncompliance and fines across the board. Subsequently, we might see more companies begin advocating for the U.S. to develop its own version of GDPR at the federal level in an effort to simplify compliance for nation-wide companies.

Take it from us

At Ogury, we recognize the challenges in understanding and complying with new data regulations. As a leader in consumer privacy, Ogury has always been ahead of the conversation and requirements for compliance, and CCPA is no different. As regulations continue to advance, we remain rooted in our commitment to helping organizations move into a new era of data responsibility.

We believe that the choice of whether to share or withdraw data should be placed firmly in the hands of the consumer, regardless of whether your company is required to by law.

Want to learn more about what you need to do to ensure you’re only partnering with companies who are completely compliant? Reach out to me at Evan@ogury.co

Evan Rutchik, CRO, USA