CCPA: California’s Mini-GDPR Regulation
California – it’s about to get personal…
The California legistlature has passed a new privacy act, the California Consumer Privacy Act (CCPA). How is it similar to the GDPR, and how can your organization be ready?
The California legislature has unanimously passed its own new privacy regulation, Bill AB-375, also known as the California Consumer Privacy Act of 2018 (CCPA) which will go into force on January 1, 2020. It is not hard to see that the CCPA was heavily inspired by the GDPR.
The CCPA is focused mainly on protecting consumers from companies profiting from the sale of personal information without their knowledge or consent. Some might refer to CCPA it as ‘mini-GDPR’ as it constitutes only a small portion of the wide GDPR privacy regulation. Still, there are obvious similarities, though not nearly as demanding.
What are the similarities?
The CCPA essentially cover the following requirement that are close to congruent with GDPR:
- Right of Access
- Third Party Processing
- Right to be forgotten
- Right to Object/Consent (specific to sale of personal data)
Right of access, according to the CCPA, grants the consumer the “right to be informed of the types of information collected and the purposes for collection.” This is very similar to its GDPR counterparts (‘Right of access by the data subjects’ and ‘Records of processing activities’), especially in terms of the technical capabilities needed for meeting this requirement.
The CCPA adds to that by emphasizing that Californians have the right “to know whether their personal information is sold or disclosed and to whom”. This provides the consumers with the knowledge of how their personal data is being shared with third parties.
‘The Right to be forgotten’, the GDPR article that has perhaps made the biggest waves, has also been adopted by the CCPA. This requirement asserts that organizations are required to delete data subject information upon request. According to the CCPA, “a consumer shall have the right to request that a business deletes any personal information about the consumer which the business has collected from the consumer.”
In alignment with that, the CCPA grants Californians with the right to reject the sale of personal information. Consumers will have the legal right to opt out of the sale of a consumer’s personal information. This requirement doesn’t go as far as GDPR requirement involving consent, right to object and restrict processing, which allow data subject to restrict or object processing of personal data, but it is a step towards improving customer privacy nonetheless.
What is the solution?
SecuPi has been built for enabling organizations to meet the strict GDPR requirements. Hence, the CCPA, being a lighter and narrower version of GDPR, can surely be covered with the SecuPi privacy platform by providing discovery, monitoring and controls.
The initial step towards compliance is to first figure out which applications and systems are in scope for the regulation. From there, the organization needs to discover and map where the personal data is located within each of the applications. Once that is set, monitoring and auditing user activity and data access on business application and analytics environments enables meet the right of access requirement. Finally, the organization needs to have a systematic mechanism for deleting consumer information. And as we’ve witnessed with GDPR, deletion of personal data is no simple task, which requires some technical tools to properly delete personal information without hurting system operability.
SecuPi has enabled several large European organizations in the Telco, retail and financial industries to meet these requirements by discovering, monitoring and deleting personal data. If you’d like to see how SecuPi can help your organization be CCPA ready, please schedule a demo at email@example.com