The law, known as AB 375, goes far beyond breach notification and security standard requirements. Instead, inspiration for the law was drawn from the EU’s General Data Protection Regulation (GDPR). What took the EU four years to develop took California’s state legislature just three months. The implications of this legislation are huge because it is the first time in the United States that data is explicitly owned by the individual.
To summarize, the CCPA requires that by 2020 all companies who use personal data must comply with requests from individuals to reveal what data has been collected and how it is used, to stop further sharing of that data, or even to delete it upon request. For some sectors this is no big deal; for the tech industry, however, this could be a real disruption to their business models.
Naturally, companies are now putting resources into, at minimum, weakening the law, so expect a fierce battle in the coming months over the bill. Here is a quick bullet list of what the bill entails:
- Right to know about all data collected about yourself for free (twice annually)
- Right to refuse the sale of your data
- Right to have that data deleted
- Right to be informed about what data will be collected prior to the start of collection
- Right to be informed of changes to data collection categories
- Mandates opt-in prior to the sale of any data from people under the age of 16
- Right to know what categories third-parties fall under who are receiving your shared data
- Right to know for what reason data is being collected about you
- Right to private legal action against companies that experience a data breach involving your data
- The Attorney General now has more power to enforce the compliance of this policy
Of course, the full text reveals much more detail. Communication and incentives are quite important as well, and specific provisions of the legislation address them. The public is generally quite cheerful about this bill, while large businesses are pulling their hair out. Although this is huge for California and the US in general, this law pales in comparison to the GDPR.
CCPA and GDPR
Despite being heavily influenced by the GDPR, the CCPA has left out a lot of provisions that were pretty significant for European citizens. Some of those include the right to be forgotten, the right to data portability, privacy by default, and encryption provisions. These differences are large enough to make the CCPA quite distinct from the GDPR, even if it was influenced by it.
Additionally, the CCPA contains some rather contradictory statements regarding communications and incentives that will likely be addressed in the future.
Implications Across the Country
The CCPA is the very first bill that explicitly defines citizens’ rights when it comes to personal data. The earlier ambiguity certainly benefited organizations that did not want to make significant changes to address privacy or data breach concerns. The rights laid out in the CCPA make this a game changer for the US. In the coming years, expect to see Massachusetts, Colorado, and Delaware experimenting with laws such as the GDPR and the CCPA. Here at Teramind we will have much more in-depth content about the CCPA and the GDPR for businesses and public institutions to work with.