A survey shows that most companies are not yet ready for the California Consumer Privacy Act (CCPA), and this includes companies that have undergone compliance processes for the EU General Data Protection Regulation (GDPR).
CCPA is not GDPR or a subset of GDPR. It’s a different law with different requirements, for which preparation will require time and attention.
Privacy law experts warn companies not to assume they can comply with the California Consumer Privacy Act (CCPA) because they are in compliance with the EU’s General Data Protection Regulation (GDPR).
“The fact is, CCPA is not GDPR, and it is different. There certainly are things that you probably built for GDPR that will be helpful, but CCPA deserves its own attention,” said J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP) at a privacy panel at RSA 2019.
If it makes the individual go “huh, why did that (use of my information) happen?” you, company that provides a service utilizing data, may have a data protection problem on your hands.
This was a key takeaway from the U.S. Senate Committee on the Judiciary hearing on “GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation”.
“Here is my basic concern”, said Sen. Josh Hawley, R-Mo, “Americans have not signed up for this, they think the products [they are being offered] are free; they’re not free. They think they can opt out; they can’t opt out. It’s kind of like that old Eagles’ song, ‘You can check out any time you like, but you can never leave.’ And that’s a problem for the American consumer; it’s a real problem.”
Details from the International Association of Privacy Professionals.
The Federal Trade Commission should be the primary enforcer of a federal privacy bill and to do so would need a larger budget. That is one point that seemed to be in consensus at the Senate Committee on Commerce, Science, and Transportation hearing held on February 27, 2019 in connection with a U.S. Federal privacy law.
Additional points discussed included:
Details from the International Association of Privacy Professionals
To U.S. Federal Privacy Law or To Not U.S. Federal Privacy Law, that is the question.
At a House Committee on Energy and Commerce hearing February 26, industry professionals and advocates made their pitches for what should be contained within a federal privacy bill. The discussion revolved around how prescriptive a federal law should be and its potential impact on small businesses and vulnerable populations.
Two points discussed:
Details from the International Association of Privacy Professionals.
Under a proposed amendment to the California Consumer Privacy Act (CCPA) filed Feb. 22, companies that amass user data could be the target of class-action litigation from state consumers if they’re accused of violating the CCPA.
This expands the existing private right of action under CCPA which currently applies only to data breaches. Other proposals include:
Read the full text of the private right of action amendment.
What’s in store for CCPA?
Narrower definitions? Broader private right of action? Increased funding?
All were discussed at a hearing regarding the California Consumer Privacy Act (CCPA) held at the California State Assembly in Sacramento, CA.
Supervising Deputy Attorney General on Consumer Protection Stacey Schesser indicated that her office would seek to expand the private right of action provision within the CCPA. Schesser also indicated to the lawmakers that the Attorney General will be asking for increased funding to help the office enforce the CCPA.
At the hearing, representatives from the California Chamber of Commerce, California Retailers Association, American Civil Liberties Union and independent academics and researchers, among others, voiced concerns about the CCPA, including the broad definitions of the terms “personal information”, and “consumer”.
Details from the International Association of Privacy Professionals.
Show me the money and I’ll show you my data.
“How much would you charge a marketer to use your personally identifiable information for general advertising purposes?”
About 60 percent of 2,000 U.S. adults polled in November 2018 were willing to share personal data for a price. A majority (57 percent) said it was worth a minimum of $10, while 43 percent valued it at less than $10 (28 percent) or would share it without compensation (15 percent).
The higher the income, the more likely they were to want more for their data.
This trend in how individuals regard their data may become even more interesting in the coming year as the California Consumer Privacy Act (CCPA), which will come into effect in 2020, allows companies to provide individuals with financial incentives for their information if certain conditions are met.
Will the California Consumer Privacy Act serve as a blueprint for a federal privacy law or for a patchwork quilt of state privacy laws?
As states have been commencing legislative proceedings and as proposals for a federal privacy law are being formulated, the following seem to be principles that most agree should be included in a privacy law in the U.S.:
A point of contention is whether or not a federal U.S. privacy law should completely preempt (invalidate) state privacy laws (or whether they should continue to be binding if stricter than the federal law).
New Jersey follows in California’s footsteps with legislative initiatives on privacy.
The main proposed law (bill A-4902), will require commercial websites and online service operators to give customers:
Here’s what the chairman of the state’s Assembly Science, Innovation and Technology Committee has to say about the legislation:
“Should this happen at the federal level? Absolutely. We would want to see these protections at the federal level, but we are not seeing that … Until they do, New Jersey is going to do everything we can to protect New Jersey residents,” said Assemblyman Andrew Zwicker (D-Middlesex), who chairs the committee and is sponsoring four of the bills on the agenda. Additional bills cover GPS data, student data and cybersecurity.