In 2018, California passed the California Consumer Privacy Act (CCPA), which will take effect in January 2020 after a buffer period of more than a year. From then on, much like the EU's GDPR, the CCPA will regulate the data practices of any business that deals with California residents.

Editor's note: This article is from the WeChat public account Machine Heart (机器之心, known in English as Synced; ID: Almosthuman2014), written by its editorial department.

Companies still coming to terms with the EU's General Data Protection Regulation (GDPR) may soon have more to deal with: a US data protection law is about to take effect.

The California Consumer Privacy Act (CCPA) is due to take effect in January next year, now less than three months away. Beyond California, more such bills are coming into force in several US states, starting with New York.

The CCPA resembles the GDPR in reach: regardless of where a company is located, if its customers include California or New York State residents, it must comply with the law or face fines.

The Internet industry has been fined countless times since the GDPR came into effect in Europe. In its first year, more than 90,000 companies proactively reported data breaches to meet GDPR requirements, and more than 145,000 consumer complaints were filed.

In January 2019, Google paid a fine of 50 million euros to the French authorities for failing to adequately disclose how it collected and used personal data for targeted advertising. Earlier, a Portuguese hospital paid 400,000 euros for poor management of medical records: accounts could be created far too freely, and the hospital had ended up with 1,000 accounts with doctor-level access.

And that is not all. The GDPR enforcement tracker logs enforcement actions as they happen, including a $204 million fine against British Airways, currently under review, for a breach that exposed the data of 500,000 passengers.

How does the CCPA compare with the “most stringent” GDPR?

According to its official website, the CCPA is a California state law on the protection of personal data. Passed in 2018, it gives consumers new rights to access, delete and control the sharing of the personal data that companies collect about them.

Specifically, companies that collect consumer data must disclose what information they collect, the business purpose for which they collect it, and every third-party organization with which the information is shared. On a consumer's formal request, the company must delete the relevant information. Consumers can also choose whether their information is sold, and companies may not respond by changing prices or service levels at will. Companies may, however, offer “financial incentives” to consumers who allow their personal information to be collected.

Under the CCPA, California residents gain a number of rights over their personal data, chiefly:

1. The right of access to their data

2. The right to have their data deleted

3. The right not to be discriminated against

4. A conspicuous “Do not sell personal information” option on the product page, together with an updated privacy policy

5. Consent requirements for minors and their guardians

6. A private right of action

Beyond protecting data privacy, the CCPA also aims to help the public understand what data is being collected about them and how it will be sold or disclosed.

Like the GDPR, the CCPA applies to any company that does business with California residents, without regard to territorial jurisdiction. This will undoubtedly affect many companies outside the United States.

Comparison with the GDPR

So, what is the relationship between CCPA and GDPR?

The biggest difference is that the CCPA has a narrower scope of application than the GDPR, but once a company falls within that scope and breaks the law, the penalties are heavier.

The two differ in the following ways:

1. The GDPR sets no threshold for which companies it applies to, so every business operating within its reach is regulated. The CCPA, by contrast, does not regulate the data-processing practices of businesses with annual turnover below $25 million that handle the data of no more than 50,000 users, even if a data breach is discovered.

2. Once those thresholds are met and a data breach occurs, however, the CCPA's penalties are far more severe than the GDPR's. Even for an inadvertent leak, the CCPA provides for $100 to $750 per affected user, or damages equal to the actual loss caused by the leak. For some companies, such a fine could mean outright bankruptcy. The GDPR, by comparison, caps fines at 4% of the company's revenue.

Only 2% of companies are ready

Under the CCPA and New York State's mandatory privacy law, the privacy of consumers and of businesses' customers is protected regardless of how a business operates or provides services in the United States.

It is worth noting, however, that less than three months remain before the CCPA officially takes effect on January 1, 2020. Are US companies ready?

In August 2019, IAPP and OneTrust conducted a CCPA readiness survey of employees at US companies of all sizes. 74% of respondents believed their employer would have to comply with California's upcoming privacy law, but only about 2% believed their business was fully prepared for the CCPA.


IAPP and OneTrust ran the survey twice, in April and August 2019, asking: when do you expect your company to be fully compliant with the CCPA? In April 2019, 55% of respondents said their company was already compliant or would be by January 1, 2020; oddly, in the August survey that share had fallen to 49%. Perhaps this says something about companies' attitude toward the CCPA.

Even companies that believe these privacy laws do not apply to them today will eventually be held to the standards they set. And even where a law does not formally apply, a company that violates those standards and causes harm can still face civil liability. In any case, laws like these are being rolled out across the United States and around the world, giving judges a benchmark for resolving direct disputes between companies and affected customers (this point has not been legally verified). Ultimately, protecting customers' privacy builds their trust in the business and supports the growth of the company's own business and brand, and that is worth far more than the fines companies pay for violating privacy laws.

Data protection is an urgent task

As the era of big data has advanced, user privacy has been violated and even exploited for improper profit, while data privacy legislation in many countries has failed to keep pace with the Internet. To curb such abuse of user data and violations of privacy, countries around the world are steadily improving their data legislation, tightening oversight of enterprises so that user data is better protected.

Take the European Union: the EU proposed the GDPR as early as April 2016 but did not enforce it immediately, instead giving companies a buffer of more than two years before it officially took effect on May 25, 2018. It has been called “the most stringent personal data protection law in history,” and the severity of its penalties is striking: a violation involving personal data can draw a maximum fine of 20 million euros (about 156 million yuan) or 4% of the company's annual turnover, whichever is higher.

China cannot stand apart from the global wave of personal data protection, and it too has been working steadily on data protection legislation. As early as 2003, the State Council Information Office began research on a personal information protection law, and an expert draft was produced in 2005. In 2009, Amendment (VII) to the Criminal Law of the People's Republic of China made it an offence to steal, sell or illegally provide citizens' personal information to others, providing that “where the circumstances are serious, the offender shall be sentenced to imprisonment of not more than three years or criminal detention, and/or a fine”; Amendment (IX) in 2015 added the crime of illegally obtaining citizens' personal information. On December 29, 2017, the National Information Security Standardization Technical Committee officially issued the “Information Security Technology – Personal Information Security Specification”, which, from the perspective of protecting information rights, comprehensively regulates the collection, storage, use, entrusted processing, sharing and transfer, public disclosure, and security-incident handling of citizens' personal information.