Opinions and solutions expressed are personal and not my employer's. This is NOT legal advice. Please consult with your team before making any decisions/changes.
It's that time of the year again as we prepare for upcoming legislation intended to make the digital ecosystem a better place to thrive. Personal information has been the bread and butter of technology companies offering a free internet to users. With no federal or national standards in place, enter California's band-aid legislation controlling how businesses define and use personal information. Assuming your business just completed the race to become GDPR compliant, you are already on the journey towards reusing existing capabilities for CCPA compliance. I have charted out below the essentials of CCPA, compared them with GDPR and identified the additional capabilities required. Note that there are still bills awaiting closure by the Senate which could change the CCPA definitions.
Each topic below is laid out as: CCPA Definition, GDPR Comparison, Digital Leader’s Notes.

Who are protected?
CCPA Definition: Residents of California who are either (a) domiciled in California but travelling or temporarily out of state, or (b) permanent residents with no temporary or transitory purpose.
GDPR Comparison: Similar to the EU, CCPA protects residents of the state even when they are temporarily out of state travelling for leisure or for work.
Digital Leader’s Notes: Methods and policies currently in place that identify EU users should be expanded to identify CA users.

Who are regulated?
CCPA Definition: 1. A business entity that controls or is controlled by a covered business. 2. A business that shares trademark/branding with another covered business. 3. A business operating in the state of CA that meets any of the following criteria: (a) gross revenue > $25 Mn; (b) receives, buys, sells or shares the personal information of more than 50,000 consumers, households or devices per annum; (c) generates > 50% of annual revenue from selling consumers' personal information.
GDPR Comparison: Important to note that the parameters for regulation appear startup friendly and expand the regulation of personal information beyond consumers to households.
Digital Leader’s Notes: How many of our consumers/users are based in California?

What is personal information?
CCPA Definition: Any information that can identify, indicate, link to or be reasonably associated with a device, consumer or household across offline and online ecosystems.
GDPR Comparison: CCPA has expanded to regulate the identification of households and has defined categories of personal information, possibly for further regulation.
Digital Leader’s Notes: Need to check with data providers/partners to confirm whether they identify, create or onboard household-level data.

What is NOT personal information?
CCPA Definition: Information aggregated and pseudonymized for a certain group of consumers such that the personal information is no longer attributable to a particular customer.
GDPR Comparison: Similar to the GDPR regulations for pseudonymized data.
Digital Leader’s Notes: Expand the existing GDPR capabilities to be used for CCPA.

What can consumers do?
CCPA Definition: 1. Request disclosure of the personal information collected by the business, its purposes and the third parties with which it shares the information, up to twice a year with a 12-month look-back. 2. Request disclosure of personal information in a readily usable format that can be ported to another entity. 3. Request deletion/erasure of data, which the business may withhold in order to complete a transaction, handle security incidents, debug errors or meet legal obligations. 4. Opt out of the sale of personal information.
GDPR Comparison: GDPR has wider regulations than CCPA around rectification, restricting/objecting to the processing of data and automated decision-making, none of which are regulated under CCPA. Businesses can refuse to execute a request on the broader grounds mentioned above.
Digital Leader’s Notes: Expand the existing GDPR capabilities to be used for CCPA. Discuss the data-retention requirements of the business so that they adhere to transaction requirements and legal and security norms.

What do businesses need to do?
CCPA Definition: 1. Include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on the homepage. 2. Must not discriminate against consumers who exercise the rights described above. 3. Act on a consumer request within 45 days and provide reasons in case of delays, without charging the consumer. 4. Comply with a consumer’s request to opt out of the sale of personal information to third parties.
GDPR Comparison: The language appears substantially different, but the outcomes might be the same. For example, GDPR does not provide a right to opt out of personal data sales, but data subjects can opt out of the processing of their data for marketing purposes, which essentially allows opting out of third-party sales.
Digital Leader’s Notes: Work with the UX/UI team to add the “Do Not Sell My Personal Information” link on the homepage. Recheck that existing capabilities can act on consumer requests within the mentioned number of days and in the mentioned format.

What about children?
CCPA Definition: 1. Prohibits the sale of personal information when the consumer is under 16. 2. Children under 13 require parental consent; those between 13 and 16 can directly provide consent. 3. Federal COPPA norms apply on top of the CCPA requirements.
GDPR Comparison: GDPR considers children’s data extremely sensitive and requires heightened security measures to be in place. CCPA requires parental consent only for the sale of personal data.
Digital Leader’s Notes: Check the size of the audience under age 16 and the restrictions on data sale to third-party providers.
I hope this brief summary helped provide a direction towards getting ready for CCPA via GDPR. In case I have missed any details, please reach out in the comments section below.