The state of California took a stand by enacting the California Consumer Privacy Act (CCPA), which goes into effect in January 2020. As data protection laws become more common nationwide, it is important for businesses in the United States to understand how current and forthcoming data protection laws will affect consumers and businesses alike.
What is the CCPA?
This act applies to for-profit entities that do business in the state of California and collect the personal information of California residents. A business does not need to be located in the state: if it sells to or collects data from California residents (and meets the thresholds discussed below), it is subject to the rules.
The definition of personal information under this act is information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly with a particular consumer or household. This definition is quite broad and unlike other data regulations, includes “household” in addition to consumer, casting a wider net on who will be protected.
Some examples of the types of personal information protected are:
- Social security numbers
- Driver’s license numbers
- Purchase histories
Among the information excluded is medical information already protected under HIPAA and information lawfully made available from federal, state, or local government records; other sector-specific exemptions also apply, for example for financial data already regulated under the Gramm-Leach-Bliley Act.
There are a few main ways in which the new Act gives consumers control over their data. First, a business must tell consumers, at or before the point of collection, which categories of personal information it collects and for what purposes, and consumers may request to know the categories of third parties to whom that information is sold. Second, consumers must be given a way to opt out of having their personal information sold, and a business that sells personal information must provide a clear "Do Not Sell My Personal Information" link on its homepage.
The act also gives consumers the right to request that a business delete the personal information it has collected from them, in which case the business must also direct its service providers to delete it. Finally, consumers have a right to equal service and price: a business may not discriminate against a consumer for exercising rights under this law.
Breakdown of the GDPR
The General Data Protection Regulation (GDPR) governs how the personal data of individuals in the European Union is collected and processed, and aims to protect them from privacy and data breaches. It was adopted in April 2016 and went into effect on May 25, 2018. The largest change in data protection is its reach: the GDPR applies to any organization that processes the personal data of people in the EU, regardless of where the organization is located. This means that United States businesses which serve EU customers, or store personal data about EU residents, are expected to follow the rules even though the GDPR is an EU law.
There are several ways in which the GDPR aims to protect personal information:
- Consent for data processing must be requested in clear and plain language, and must be as easy to withdraw as it was to give
- Organizations must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, and must notify the affected individuals without undue delay when the breach is likely to result in a high risk to them
- Individuals have the right to have an organization erase their personal data (the "right to be forgotten")
- Data subjects have the right to know whether their personal data is being processed, for what purposes, and with whom it is shared
While the GDPR shares some similarities with the CCPA, there are a few differences to take into account.
Differences and Consequences of Data Protection Laws
Both laws share the goal of transforming the way businesses process personal information. The GDPR covers a wider span of processors, while the CCPA applies only to businesses that do business in California and meet at least one of three thresholds: annual gross revenue above $25 million; buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or deriving 50% or more of annual revenue from selling consumers' personal information.
The penalties for non-compliance differ as well. Under the GDPR, non-compliant companies can be fined up to 4% of their annual global turnover or 20 million euros, whichever is greater. The CCPA provides civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, and additionally gives consumers a private right of action for certain data breaches, with statutory damages of $100 to $750 per consumer per incident.
While the EU's rules are already in place, the CCPA does not go into effect until January 1, 2020, giving policymakers time to amend parts of the act.
Data Privacy in the Other States
The National Conference of State Legislatures (NCSL) states that as of January 2019, at least 24 states have laws that relate to data security practices. The majority of these laws require businesses to maintain reasonable security procedures and practices that are, according to NCSL, "appropriate to the nature of the information and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure."
Washington, D.C. has long had a data breach law, under which businesses must notify affected D.C. residents of a breach as soon as possible by mail or email. If the breach affects more than 1,000 people, the consumer reporting agencies must be notified as well, and violations carry a $100 fine per incident. The District recently enacted the Security Breach Protection Amendment Act of 2019, which does the following:
- Adds passport numbers, military IDs, biometric data, health information, taxpayer identification numbers, health insurance information, and genetic information and DNA profiles to the list of personal information companies are accountable for
- Requires companies to implement reasonable security measures to prevent unauthorized access
- Requires companies to notify the Attorney General's Office of data breaches
Some states have laws that apply only to businesses, some only to state government, and others to both governments and businesses. Every state now has a breach notification law, but many states still impose no general data security requirement, though the number of states creating such laws increased between 2016 and 2018.
Encryption Ensures Protection
One aspect of data security that each of the above laws touches on is encryption. Under the GDPR, an organization that suffers a breach is not required to notify the affected individuals if the data was rendered unintelligible to unauthorized parties, for example by encryption (the supervisory authority must still be notified). Under the CCPA, the consumer's private right of action for breaches applies only to nonencrypted and nonredacted personal information, and California's breach notification law likewise applies to unencrypted data. Encryption can therefore reduce or eliminate both fines and notification duties. The caveat is that this holds only if the encryption keys were not compromised as well: a drive that was unlocked when it was stolen, or a key stored alongside the data, offers no such protection.
Our line of SecureDrives is built with hardware encryption and supports GDPR and HIPAA compliance. They can help businesses store customer information securely and keep third parties from accessing it without consent. As data protection laws become a widespread standard, SecureDrives will be a much-needed addition to privacy programs everywhere.