Data privacy is growing – and rapidly getting more complex. As pretty much every region enacts new laws to more strictly govern data privacy rights than ever before, today’s legislation is creating an increasingly dangerous landscape where non-compliance is concerned.
GDPR’s Global Data Privacy Impact
Despite the threat potential fines and penalties pose, most companies today are nowhere near compliant. Even after the EU’s General Data Protection Regulation (GDPR) set the global stage for data privacy almost 18 months ago, organizations have largely failed to establish the basic principles needed to prepare themselves for today’s wave of new regulations.
Because GDPR was clearly written and laid out, carefully planned enterprise compliance efforts were overwhelmingly successful. The regulation creates global reach for a new set of data privacy obligations and expectations – and brings with it dramatically more restrictive and severe penalties for any organization that fails to adhere to its requirements.
Unlike the enterprise-centric approach that countries like the U.S. currently employ, GDPR and the next generation of data privacy law state that the right of information ownership resides with individuals rather than with the controllers and processors collecting, storing, and using it. This distinctly different view means problems for the myriad businesses that sell private consumer data – and presents new challenges for virtually any company that interacts with EU citizens in some form or fashion.
If you thought you were safe from GDPR’s data privacy requirements because you don’t do business or collect data from anybody in Europe, think again. There’s an even more serious U.S. law coming a few months from now…
Meet the CCPA
The California Consumer Privacy Act (CCPA) will go into effect January 1, 2020 – establishing the most expansive (and serious) data privacy law in the U.S. While several amendments to the law are currently awaiting official approval, there’s a strong possibility more will be added to enhance the bill’s effectiveness and strengthen its substantial personal protections.
This initiative follows the onslaught of other states implementing similar legislation. In 2019 alone, six others – Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Washington – introduced similar data privacy laws because the federal government has failed to pass a bill despite bipartisan support for the initiatives.
Inspired by the EU’s GDPR, the CCPA grants California residents five new rights that establish the framework for widespread data privacy in the U.S. They are:
- The right to request disclosure of a business’ data collection and sales practices including the categories of data collected, the source of the data collected, how and when the data is used, if the data is disclosed/sold to third parties, the category of data disclosed/sold to third parties, and the category of third parties to whom data was disclosed/sold
- The right to request a copy of the personal data collected in the past 12 months
- The right to have personal data deleted
- The right to request personal data not be sold to third parties
- The right to not be discriminated against due to exercising these new rights
This new legislation applies to all California businesses that generate annual gross revenue over $25 million, derive at least half of their annual revenue from selling customers’ personal information, or buy/sell/share the personal data of at least 50,000 consumers, households or devices – a.k.a. 25% of all organizations in the state.
And compliance with CCPA doesn’t come cheap — according to an economic impact assessment prepared for California’s state attorney general’s office, initial changes could cost these companies up to $55 billion. Even the most conservative estimates predict firms paying an average of $50,000 to ensure compliance.
Data Privacy Like Never Before
Beyond California, this bill is a critical step toward establishing a nationwide data privacy regulation in the U.S. After all, it doesn’t make much sense for you to use a different compliance standard for each state you sell to. The difference between CCPA and other existing legislation is simply California’s economic impact – its GDP is larger than that of most countries.
If you’re not prepared for the next generation of data privacy, regulations like GDPR and CCPA are going to be a major headache at minimum. You’ll not only have new compliance mechanisms and expectations to meet – you’ll have to track down each customer’s personal data and figure out what information you’re collecting, storing, and using on a daily basis, too.
Fortunately, you don’t have to face this daunting task alone. Sign up for AOTMP® University’s Introduction to Data Privacy Course today to start solving your most serious data privacy challenges before it’s too late.