Demonstrating Compliance with both GDPR and CCPA
With the dust of the entry into application of the GDPR hardly settled, the data protection community is shaping up to deal with the next challenge: the California Consumer Privacy Act. This new law was adopted on 28th June 2018 by the California state legislature and has been signed into force by the Governor of the sunshine state. As of 1st January 2020, Californians will enjoy a higher level of data protection with several provisions exceeding what is enshrined in the GDPR.
The California Consumer Privacy Act (CCPA)
The core of the CCPA consists of five new rights that have been awarded to Californians:
- A right to know what personal information is being collected about them;
- A right to know whether their personal information is sold or disclosed and to whom;
- A right to say no to the sale of personal information;
- A right to access their personal information; and
- A right to equal service and price, even if they exercise their privacy rights.
In addition, the CCPA contains less obvious rights that have also been embedded in the legislation, like the right to data portability and the right for consumers to benefit from the sale or disclosure of their data to third parties (“incentives”). The enforcement of the law, which is still subject to change pending a public consultation procedure, will be attributed to the California Attorney General. His office shall undertake any required enforcement action, which could also lead to (monetary) sanctions.
All companies with an annual gross revenue of at least $25 million, as well as data brokers and other businesses that buy, sell, or share the personal information of 50,000 or more consumers, households, or devices, will be subject to the CCPA. The same applies to businesses that get the majority of their annual revenue from selling consumers’ personal information. As long as they do business in California, it doesn’t matter where the company is established.
It is hard not to recognise the overlap between several of the CCPA rights and the EU GDPR. Notably, the right to information (GDPR Articles 12-14), the right of access (GDPR Article 15), and the right to data portability (GDPR Article 20) have clear counterparts in the European law, with the one difference that the CCPA rights only apply to persons who have their habitual place of residence in California, whereas the GDPR establishes rights irrespective of nationality or habitual place of residence.
Meeting and Demonstrating Compliance
While some amendments are likely before Jan 1, 2020, the next 18 months will see many companies preparing for the new CCPA requirements, like they have prepared for GDPR over the past two years. But before doing so – it is helpful to take a deep breath. Privacy legislation will always be subject to change, no matter where an organisation is located and in how many countries it operates. That is why Nymity recommends an accountability approach to comply with multiple laws for organisations operating across jurisdictions.
For example, organizations that put in place privacy management throughout their organization based on a comprehensive privacy framework, such as the Nymity Privacy Management Accountability Framework™, will find that such a Framework can be mapped to any privacy or data protection law from around the world. That way, implemented Privacy Management Activities, including the underlying policies and procedures, can be used to meet requirements from multiple laws at the same time.
Currently, there are well over 770 privacy and data protection laws around the world. Developing specific privacy programs for each of these laws is almost impossible, and certainly not the most effective approach. Instead, mapping your privacy program to the legal requirements makes sense; it allows you to focus on developing, implementing and maintaining your core privacy program.
Quick scans against the local legislation will subsequently help you to identify the specific requirements that need to be implemented in a specific jurisdiction on top of your core program. Whether your next concern originates in California, or maybe in Brazil or Canada, with an accountability approach to your privacy program you will be able to deal with it much more easily.
Nymity and CCPA
Nymity offers specific tools and resources to support compliance with the CCPA, such as mapping of the CCPA to the Privacy Management Accountability Framework™, and various updates to our software solutions that will allow for Regulator Ready™ CCPA reporting. Finally, please join our next webinar on 21 August, where we will discuss in more detail how to deal with the CCPA from an accountability perspective.