You Might Not Need to Worry About CCPA – Here’s Why
CCPA in Simple Terms
California has made a name for itself as a state that passes many first-of-its-kind pieces of legislation. From allowing college athletes to earn money from endorsements while they’re in school to outlawing fur trapping, the Golden State has many forward-thinking laws on the books.
For those of us in the tech industry, one law in particular has our attention – the California Consumer Protection Act (CCPA). Its purpose is to protect the personal data of California residents – similar to how the General Data Protection Regulation (GDPR) protects the data of European Union residents.
But CCPA is not the same as GDPR. It has different conditions and requirements – and it only applies to a specific set of organizations.
So does your company need to make changes to come into compliance? How might it impact your business going forward?
How to Tell if CCPA Applies to Your Business
Paul Hager, our CEO and owner, has been keeping a watchful eye on CCPA.
“CCPA is nowhere near as restrictive as GDPR. People talk about it being like GDPR but that’s really only true in the very broad sense that GDPR brings to light security policy and privacy concerns and so does CCPA,” he says.
CCPA only applies to a company if:
- They collect personal data of California residents
- They (or their parent company or a subsidiary) exceed at least one of these three thresholds:
- Annual gross revenues of at least $25 million
- Obtains personal information of at least 50,000 California residents, households, and/or devices per year
- At least 50% of their annual revenue is generated from selling California residents’ personal information
Let’s take a moment to define exactly who counts as a California resident. California laws define a resident as any person who:
- Is in California for other than a temporary or transitory purpose
- Is domiciled in California, but is outside the state for temporary or transitory purposes
Key Differences Between GDPR and CCPA
In a nutshell, CCPA only applies to companies that collect the data – not to companies that merely process it. And it only applies to data collectors that meet the above criteria.
Take a printing company, for example. The company uses mailing lists to print and mail newsletters for a client. The printer is a data processor – not a data collector. It isn’t in the business of gathering people’s names, addresses, or emails and selling those lists. The printer simply takes lists other companies have gathered and processes them in order to create newsletters. Therefore, CCPA doesn’t apply to the printing company.
GDPR applies to anyone who touches the data of an EU citizen. That includes the organizations that collect data as well as companies that use the data in any capacity. CCPA, on the other hand, is far less expansive. It only applies to organizations that collect data on CA residents. It also doesn’t have the encryption and data-handling requirements that GDPR does.
“CCPA only requires that you be transparent about gathering personal information and allow people to edit and delete that information (another aspect that differentiates it from GDPR),” notes Hager. “All companies technically gather data with their websites. In that situation, every company is a data collector. So those ‘I accept’ banners on websites will continue to be everywhere.”
Make Data Security Your Top Priority
In a world of GDPR and CCPA, data privacy and protection are paramount. Whether or not your business falls under either of these two laws, you should have solid data protections in place. In fact, data privacy should be a central facet of your overall security strategy. Ask yourself these questions.
What sensitive data does your company have? You can’t protect it if you don’t know about it. Find out what data you have and where it’s stored.
Who can access sensitive data? Learn who has access to what. Make sure only the people who are supposed to have access actually do.
What controls are in place? Develop policies to ensure access to data stays consistent and appropriate. Make sure they stay updated – especially if people with access to data leave the company.
Navigating data protection can be tricky. Let the security experts at ITP help you out. We’re ready to answer your questions and assist you in keeping your data safe. Contact us today.
Weathering the Privacy Storm from GDPR to CCPA & PDPA (Dark Reading)