California Consumer Privacy Act (CCPA) compliance shares many of the same requirements as the European Union’s General Data Protection Regulation (GDPR).
While the CCPA has been signed into law, organizations have until Jan. 1, 2020, to enact its mandates. Luckily, many organizations have already laid the regulatory groundwork for it because of their efforts to comply with GDPR.
However, there are some key differences that we’ll explore in the Q&A below.
Data governance, thankfully, provides a framework for compliance with either or both – in addition to other regulatory mandates your organization may be subject to.
Does CCPA apply to not-for-profit organizations?
No, CCPA compliance only applies to for-profit organizations. GDPR compliance is required for any organization, public or private (including not-for-profit).
What for-profit businesses does CCPA apply to?
The mandate for CCPA compliance only applies if a for-profit organization:
Does the CCPA apply outside of California?
As the name suggests, the legislation is designed to protect the personal data of consumers who reside in the state of California.
But like GDPR, CCPA compliance has impacts outside the area of origin. This means businesses located outside of California but selling to (or collecting the data of) California residents must also comply.
Does the CCPA exclude anything that GDPR doesn’t?
GDPR encompasses all categories of “personal data,” with no distinctions.
CCPA does make distinctions, particularly when other regulations may overlap. These include:
What about access requests?
Under the GDPR, organizations must make any personal data collected from an EU citizen available upon request.
CCPA compliance only requires data collected within the last 12 months to be shared upon request.
Does the CCPA include the right to opt out?
CCPA, like GDPR, gives consumers/citizens the right to opt out of the processing of their personal data.
However, CCPA compliance only requires an organization to observe an opt-out request when it comes to the sale of personal data. GDPR does not make any distinctions between “selling” personal data and any other kind of data processing.
To meet CCPA compliance opt-out standards, organizations must provide a “Do Not Sell My Personal Information” link on their home pages.
Does the CCPA require individuals to willingly opt in?
No. Whereas the GDPR requires informed consent before an organization sells an individual’s information, organizations under the scope of the CCPA can still assume consent. The only exception involves the personal information of children (under 16). Children over 13 can consent themselves, but if the consumer is a child under 13, a parent or guardian must authorize the sale of said child’s personal data.
What about fines for CCPA non-compliance?
In theory, fines for CCPA non-compliance are potentially more far reaching than those of GDPR because there is no ceiling for CCPA penalties. Under GDPR, penalties have a ceiling of 4% of global annual revenue or €20 million, whichever is greater. GDPR recently resulted in a record fine for Google.
Organizations that are out of compliance with the CCPA can only be fined up to $7,500 per violation, but there is no upper ceiling on the total.
While CCPA has a narrower geography and focus than GDPR, compliance is still a serious effort for organizations under its scope. And as data-driven business continues to expand, so too will the pressure on lawmakers to regulate how organizations process data. Remember the Facebook hearings and now inquiries into Google and Twitter, for example?
Regulatory compliance remains a key driver for data governance. After all, to understand how to meet data regulations, an organization must first understand its data.
An effective data governance initiative should enable just that, by giving an organization the tools to:
The erwin EDGE software platform creates an “enterprise data governance experience” to transform how all stakeholders discover, understand, govern and socialize data assets. It includes enterprise modeling, data cataloging and data literacy capabilities, giving organizations visibility and control over their disparate architectures and all the supporting data.
Both IT and business stakeholders have role-based, self-service access to the information they need to collaborate in making strategic decisions. And because many of the associated processes can be automated, you reduce errors and increase the speed and quality of your data pipeline. This data intelligence unlocks knowledge and value.
The erwin EDGE provides the most agile, efficient and cost-effective means of launching and sustaining a strategic and comprehensive data governance initiative, whether you wish to deploy on premise or in the cloud. But you don’t have to implement every component of the erwin EDGE all at once to see strategic value.
Because of the platform’s federated design, you can address your organization’s most urgent needs, such as regulatory compliance, first. Then you can proactively address other organization objectives, such as operational efficiency, revenue growth, increasing customer satisfaction and improving overall decision-making.
You can learn more about leveraging data governance to navigate the changing tide of data regulations here.