CCPA: California’s version of GDPR?

Data privacy is an issue that has become top of mind for both companies and consumers. This new awareness is thanks to a stream of legal actions being taken by governments to combat the many data breach incidents that have happened in the last few years. From the EU’s General Data Protection Regulation (GDPR) to Japan’s Act on the Protection of Personal Information, governments are taking a stand on consumer data issues.

The U.S. recently joined these countries with the California Consumer Privacy Act (CCPA), which was signed by Governor Jerry Brown on June 28, 2018 and will go into effect January 1, 2020. The CCPA will protect the rights of California consumers and encourage stronger privacy online and greater transparency overall.

Data in business

Currently, in the United States, businesses collect information about consumers and are able to sell it to third parties without consumer approval. The California Consumer Privacy Act was crafted to give consumers ownership, control, and security over their personal information. They will be able to request that a business be transparent about the information it collects and to prevent their data from being sold to third parties.

Californians will have the right to:

  • Know the personal information that is being collected by companies

  • Have access to the personal information being collected and request that it’s deleted

  • Know if their personal information is being shared, and if so, with whom

  • Opt out of the sale of their personal information

  • Have equal service and price, whether or not they choose to exercise their privacy rights

Businesses will also be prohibited from selling data from consumers aged 13-16 unless the consumers opt in. Those under the age of 13 will need consent from a parent or guardian.

The CCPA does not cover all businesses. California businesses may be subject to compliance if they:

  • Earn $25,000,000 or more a year in revenue

  • Annually buy, receive, sell, or share personal information of 50,000 or more consumers, households or devices for commercial purposes

  • Derive 50% or more of their annual revenue from selling consumer personal information

Those who do not comply will be charged a fine for any violation that is not addressed within 30 days.

CCPA is similar to GDPR in that it encourages transparency and security. However, there are a number of stipulations that differ. For more information on the specific similarities and differences between the GDPR and CCPA, explore this interactive Venn diagram that compares the two.

This is not the last time you’ll be hearing about a privacy act. In the near future, companies should be prepared to comply with stricter regulations, and consumers should know their rights under these laws.

Rob Sobers is a Sr. Director at cybersecurity firm Varonis. He has been writing and designing software for over 20 years and is co-author of the book ‘Learn Ruby the Hard Way,’ which has been used by millions of students to learn the Ruby programming language. Prior to joining Varonis in 2011, Rob held a variety of roles in engineering, design, and professional services.