The California Consumer Privacy Act (CCPA) is set to take effect on January 1st, 2020, and will change the consumer privacy landscape across the United States of America. Largely inspired by the General Data Privacy Regulation (GDPR), the CCPA is very similar in its quest to move control of consumer data back into the hands of the customer. However, one major difference that business owners must pay close attention to and prepare for is what is deemed Personal Information that the company will now be responsible for.
Personal Information Under CCPA
Under the CCPA, the definition of Personal Information that is deemed sensitive is much broader than under GDPR. The following is a summary of the 11 categories the Californian law defines as “Personal Information”:
- Personal Identifiers such as real name, SSN, passport number, etc.
- Specific information under customer records.
- Legally bound information such as products or services purchased, consuming histories or tendencies, etc.
- Biometric information.
- Internet or other network activity such as browsing history, search history, etc.
- Geolocation data.
- Characteristics detected by the senses.
- Employment-related data.
- Educational information, as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
- Inferences obtained from any of the above information used to create a customer profile.
Under CCPA, businesses will be responsible for a much wider set of customer Personal Information than under GDPR. For example, objective statements, such as a customer’s credit card number, are regarded as personal information under both CCPA and GDPR and must be handled in full compliance with the business’s respective governing law. However, subjective statements, such as an insurance broker’s driver reliability assessment or an online retailer’s assessment of their best customers, will only be affected under CCPA. In other words, sectors that tend to process a large amount of subjective information, or information that does not have only one correct answer, will now have to ensure all of this data is compliant under CCPA. It is also important to note that under CCPA, Personal Information does not always have to be sensitive, meaning that a customer’s IP address and browsing history must be regulated as well.
Another key difference between CCPA and GDPR is that the Californian law allows consumers to have a much greater view and overall control of the Personal Information that a business may hold on them. The difficulty is that, because the definition of Personal Information under CCPA is so broad, the large amount of data that a business may have on a customer is usually fragmented throughout the organization, making it extremely expensive and time-consuming to access if the customer exercises their CCPA-given rights.
The dawn of a new age of consumer privacy rights is upon us – come January 1st 2020, organizations operating under CCPA will be separated into two categories: those who are held back by the law, and those who thrive under it.
To fully leverage the introduction of CCPA, organizations must have a solution in place to handle the sheer amount of Personal Information that they will obtain from their customers, and also a solution that enables the customer to exercise their CCPA-given rights – in a cost-efficient, time-efficient, and compliant manner.