The General Data Protection Regulation (GDPR) introduced new standards for data protection in Europe. Introduced in May 2018, GDPR changed the way that businesses handle collect, handle, and process consumer data. The regulations also granted new rights to individuals, affording them greater control over their data. Following many scandals surrounding “big data”, it is not surprising that consumers have become more concerned about how their information is used, and what it may mean for them.
Therefore, it is unsurprising that states in the US are looking to update their data protection legislation. Consumers are sharing their data with businesses and organisations at an unprecedented rate. However, no GDPR-style federal laws are dictating how that data should be secured. States must formulate their laws to protect their residents against the misuse of their data.
California became the first state to implement measures to improve its data security landscape. Governor Jerry Brown signed the Californian Consumer Privacy Act (CCPA) into law in June 2018, amending Part 4 of Division 3 of The Civil Code of the State of California. Ed Chau, member of the California State Assembly and Democrat Senator Robert Hertzberg authored the bill.
CCPA shares many similarities with GDPR. For example, they both have global scope; any organisation that operates within their jurisdiction must comply with their rules. Compliance is required regardless of the physical location of the organisation’s headquarters. However, while ostensibly similar, there are some key differences. GDPR is concerned with data security within organisations, whereas CCPA more pertains explicitly to consumer privacy rights.
Any business that collects consumers’ personal information which does business in California and which satisfies one or more of certain criteria must comply with CCPA. The criteria are:
• has annual gross revenues over twenty-five million dollars ($25,000,000);
• possesses the personal information of 50,000 or more consumers, households, or devices; or • earns more than half of its annual revenue from selling consumers’ personal information.
CCPA and Rights of the Individual
Much like GDPR, CCPA grants new rights to individuals, giving consumers more control over their data. Some of these rights include:
• Right to be informed as to the categories of information being collected
• Right to be informed of the purposes for which the data will be used
• Right to know what information the business holds on the consumer
• Right to request that a business deletes any information on the consumer
• Right to refuse the sale of the consumer’s information to a third-party
• Right not to be discriminated against if the consumer does not permit the sale of their data
CCPA also allows individuals to pursue legal action against companies obtained data that was accessed by an unauthorised individual or stolen following a data breach. Consumers might sue an organisation if it was found that the company was negligent in ensuring that proper cybersecurity safeguards were in place to protect consumer data.
As data breaches are occurring with increasing frequency, this threat of legal action offers further incentive to the organisation to ensure that adequate security frameworks are in place to protect consumer information.
Conclusion
CCPA has revolutionised how businesses collect, share, and process the data of Californian residents. By requiring businesses to reevaluate their methods and practices, CCPA aims to improve the level of data security in California. Cyber attacks are forever looming on the horizon, but with more strict regulations placed on businesses, CCPA hopes to mitigate the risk of a cybersecurity attack. Data breaches can have catastrophic effects on the lives of those affected. Following California’s example, other states may soon start to introduce new legislation to improve cybersecurity and protect their citizens.