How the EU Broke Ground for Data Protection

Marketers and website owners are regularly looking for new ways to sell their products or services. In the last decade, the use of cookies and collecting customer information in order to further advertise became standard practice. While useful, over time consumers felt like they were being watched too closely and were giving up too much personal identifying information. Concerns about data security and privacy became more common.

A few years ago, the EU responded to data security issues with the GDPR (General Data Protection Regulation).

These regulations were conceived in January 2012 in an attempt to ramp up data protection for the digital age. A final agreement was reached approximately 4 years later, whereupon all members of the union were bound to the GDPR framework. Organizations throughout the union must adhere to strict data collection conditions.

Those charged with collecting and managing data are also responsible for protecting it from misuse. These individuals are also expected to respect the rights of the data owners. They are subject to stiff penalties if they fail.

While there’s no doubting the impact that the GDPR has had on data protection, it’s a law that protects those in the EU.

In the US, it’s been something of the Wild West to this point. However, if a privacy law passed in California is any indicator, the rules surrounding data collection might become far more stringent.

What is the California Consumer Privacy Act (CCPA)?

California’s new privacy law, the California Consumer Privacy Act (CCPA), was launched on January 1st. 

The CCPA states that consumers have a right to know what personal info is collected. Furthermore, they have the right to delete that info. On top of that, they must be afforded the chance to opt-out of the sale of their personal info.

Just as the GDPR planted the seeds for the CCPA, this new privacy law might in turn have even more significant implications.

Who does CCPA apply to?

Right now, the CCPA only affects businesses operating in the state of California, but it’ll likely act as a catalyst for other regulatory bodies to follow suit. It also goes a bit deeper than that: the CCPA immediately has a remarkable impact on certain specific kinds of business.

Below is a set of specific criteria; if any of them apply, your business should consider amending its information security, website, and digital marketing efforts:

● Your business does more than $25m in gross annual revenue.
● Your business buys, receives, or sells the personal information of 50k or more consumers/households/devices.
● Your business derives 50% or more of its revenue from selling personal info.

What are the Penalties for Failing to Comply with the CCPA?

If any business in California fails to comply with the data privacy protection laws of the CCPA, they’ll be subject to an array of fines and enforcement. 

At the high end of the CCPA compliance penalty spectrum is a $7,500 fine that’s reserved only for intentional violations.

In many instances, though, companies are going to commit accidental rule infractions, in which case they’ll be subject to a $2,500 maximum.

While these fines are nothing to scoff at, they pale in comparison to the reputational impact that the CCPA’s provisions might have. Namely, consumers will have the right to bring lawsuits. For instance, this situation might occur if a consumer’s “non-encrypted or non-redacted personal information” is breached in any manner. It doesn’t even matter if there’s no malicious intent behind the breach or no harmful result from it.

Under the CCPA, consumers can collect anywhere between $100 and $750 in each of the above scenarios.

If the actual damage exceeds $750, the consumer can receive correspondingly more compensation.

What Does the CCPA Mean for Your Website?

If the CCPA applies to your business, your website now has a list of specific requirements to which it must adhere.

Here’s the list of CCPA rules for your website:

  • Your privacy policy must be updated with information on how, why, and what personal information you gather and process.
  • Your privacy policy must also be updated with information on how your users can request, access, change, or erase the personal data you’ve gathered about them.
  • You need an identity verification method for the individual making requests about their data.
  • Your home page requires a “Do Not Sell My Personal Information” link.
  • That link lets your users prohibit you from selling their personal data.
  • Prior consent must be obtained from minors aged 13 to 16 before selling their personal data.
  • Parents of children under 13 must provide that consent on their behalf.

Are you no longer allowed to sell User Data?

You are, in fact, still allowed to sell your users’ personal data under the umbrella of the CCPA. However, you don’t necessarily have free rein to do so. Your website users now have the benefit of opting out of your selling of their data.

It’s here where the “Do Not Sell My Personal Information” link comes into play on your homepage.

If a user wishes to opt out of their personal data being sold, they click the link, and from then on you’re barred from selling their information.

Some businesses of a more nefarious nature might attempt to obfuscate this process to create the illusion of compliance. As a result, the CCPA has clarified the need to make the opt-out process as straightforward as possible. One of the rules implemented is preventing websites from requiring users to create a separate opt-out account.  

How Does the CCPA Define Personal Data?

Personal data is defined by the CCPA as any information that identifies, describes, relates to, is capable of being associated with, or could be linked with a given consumer or household. 

What sets the CCPA’s definition of personal data apart from other similar laws is that its scope extends to household information.

Here’s what falls under the CCPA’s definition of personal information (though it’s not limited to these examples):

  • Name
  • Email address
  • Biometric data 
  • IP address
  • Internet of Things information 
  • Geolocation data
  • Professional or employment information
  • Other information

What doesn’t fall under the category of CCPA’s definition of personal data is publicly available information.

Does being Compliant with the GDPR Mean You’re Compliant with the CCPA?

While the CCPA is a descendant of the GDPR, being compliant with one doesn’t mean you are with the other. 

Yes, there’s undoubtedly some overlap, and you’ll tick some of the boxes of one by adhering to the other. 

But some requirements are exclusive to one law. For instance, including the “Do Not Sell My Personal Information” link on your home page is required only by the CCPA.

Also, the GDPR does not necessitate request methods for access, change, and erasure of data. Nor does it require an identity verification method for people making data-related requests. These are all strict rules of the CCPA.

It’s Time to Prepare for the Future of Data Protection

It’s a big scary world if you’re unfamiliar with data protection. However, by taking the time to research and understand its complex nature, you can make the transition into the future of data security a seamless one for your business.