The California Consumer Privacy Act is a landmark piece of consumer privacy legislation, which passed into California law on June 28th of 2018. The bill is also known as AB 375. This act is the strongest privacy legislation enacted in any state, giving more power to consumers with regards to their private data.
Companies that already comply with GDPR may find that they currently meet many of the requirements set forth in the California Consumer Privacy Act. With many experts predicting that other states will pass similar legislation in the coming years, companies across the U.S. that take proactive steps today to better protect consumer data will be best equipped for future regulations.
These two data privacy regulations fundamentally extend individuals’ rights to the data being captured about them, who has it, and how it is used. This also typically includes the ability to have private data deleted or barred from use in certain circumstances. While GDPR is much more prescriptive than CCPA, they both share a notion of protection or preservation of the data that organizations must comply with, for example backups and archives.
Failing to comply with governance/governmental regulations is not an option and can cause many undesirable consequences, as evidenced in ESG research (see Figure 1).[1] The addition of this new breed of data privacy regulations, and in the case of the U.S., the potential multiplication of these regulations, with each state offering its own variation, will only create additional exposures, audits, and risks for those who don’t plan accordingly.
It should also be noted that neither CCPA (nor GDPR) supersedes other compliance or regulatory requirements (for example, the requirement to keep data archived for x number of years).
[1] Source: ESG Master Survey Results, 2018 Data Protection Landscape Survey, November 2018.