When the European Union's General Data Protection Regulation (GDPR) was adopted, it gave businesses roughly two years to bring their systems into compliance with the GDPR's complex rules. But when California's legislature passed the California Consumer Privacy Act (CCPA) in June 2018, companies were given only about eighteen months before its January 1, 2020 effective date.
Understandably, this is causing considerable teeth gnashing among executives in the U.S. whose operations have no European facility and no customers on the Continent, and who therefore never gave much thought to GDPR. Some clients are concerned that vagueness in the law makes it difficult to understand clearly what they need to do, how they will be affected, and what will happen if their business runs afoul of any of its provisions.
As we wrote recently, while the two sets of regulations are similar in some respects, there are notable differences. One of the biggest is in how companies can be sanctioned and fined and the amount of the fines that can be levied.
Under GDPR, a member state's data protection authority may impose a fine for non-compliance, for a data breach that results from it, or both. The law provides for administrative fines of up to €20 million (about US$22.6 million at today's exchange rate) or 4 percent of a company's total worldwide annual turnover for the preceding year, whichever is higher.
We are seeing some examples of this already.
The French data protection authority, the CNIL, has imposed a €50 million (about US$57 million) fine on Google for violating the regulation, and its Irish counterpart is weighing a similarly large fine against Facebook. Google's parent, Alphabet Inc., is appealing the fine, but even for Google that is a significant sum, and six other EU countries are examining fines of their own against the company.
Fines work quite differently under the CCPA.
The California law does provide civil penalties for non-compliance, enforced by the state Attorney General once a business has been notified and has failed to cure the violation within 30 days. The penalties are calculated per violation, up to $2,500 for each violation and up to $7,500 for each intentional violation, and there is no overall cap on what can be levied against a company. If, say, 10,000 individuals have had their personal information exposed, the total can add up quickly.
Another key difference is that the CCPA gives consumers a private right of action. A person whose nonencrypted and nonredacted personal information is exposed in a breach caused by a business's failure to maintain reasonable security can sue that business directly, for statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, without waiting for the Attorney General to act.
There is a lot of confusion about CCPA. The law applies to for-profit businesses that do business in California and meet any one of three thresholds: annual gross revenues above $25 million; buying, selling or sharing the personal information of 50,000 or more consumers, households or devices a year; or deriving half or more of annual revenue from selling personal information, the so-called Facebook provision. But it is still unclear just what "doing business in California" means. Because the state is so large (by many estimates it has the world's fifth or sixth biggest economy), does it require having a facility or employees there? Will a business located elsewhere but with customers in California be subject to the law and its penalties if their data is breached?
Until the state Attorney General issues the regulations governing CCPA, which are not expected for several more months, our advice to clients is to be proactive and consult with experienced counsel.
For starters, we generally advise clients to make sure that personal information is encrypted, at rest and in transit, with the encryption keys held separately from the data they protect. This matters under both laws. The CCPA's private right of action applies only to breaches of nonencrypted and nonredacted personal information, and under the GDPR a breach of data that has been rendered unintelligible to unauthorized parties, for instance by encryption, can exempt the company from having to notify the affected individuals. Encryption therefore not only offers some protection against a hack but can reduce liability.
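What "encrypted" has to mean in practice to earn that reduced exposure is worth spelling out, so here is an added example, not code from this firm or from either statute, of encrypting individual personal-information fields with AES-256-GCM before they are written to a database. It assumes the data-encryption key arrives from a separate secrets manager or KMS (a constructed 32-byte value stands in for it here), and it binds each ciphertext to a hypothetical record ID and column name so that a value copied out of one record cannot be decrypted under another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// PIIVault encrypts and decrypts individual personal-information fields
// with AES-256-GCM. The key is assumed to come from a separate KMS or
// secrets manager, never from the database that holds the ciphertext:
// a dump of that database alone must not be enough to read the data.
type PIIVault struct {
	aead cipher.AEAD
}

// NewPIIVault wraps a 32-byte (AES-256) key in an AEAD cipher.
func NewPIIVault(key []byte) (*PIIVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &PIIVault{aead: aead}, nil
}

// aad binds a ciphertext to the record and column it belongs to. The NUL
// separator keeps ("ab","c") and ("a","bc") from producing the same bytes.
func aad(recordID, field string) []byte {
	return []byte(recordID + "\x00" + field)
}

// Seal encrypts one field value under a fresh random nonce and returns
// base64(nonce || ciphertext || tag), ready to store in a text column.
func (v *PIIVault) Seal(recordID, field, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := v.aead.Seal(nonce, nonce, []byte(plaintext), aad(recordID, field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open decrypts a stored value. It fails if the ciphertext or tag was
// modified, or if the value is presented under a different record ID or
// field name than it was sealed with.
func (v *PIIVault) Open(recordID, field, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns+v.aead.Overhead() {
		return "", errors.New("stored value too short to be a valid ciphertext")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, field))
	if err != nil {
		return "", errors.New("decryption failed: " + err.Error())
	}
	return string(pt), nil
}

func main() {
	// Constructed key for the demo; in production fetch it from a KMS.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	vault, err := NewPIIVault(key)
	if err != nil {
		panic(err)
	}

	// Constructed sample record and field (hypothetical customer ID).
	stored, err := vault.Seal("cust-1001", "ssn", "123-45-6789")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored column value:", stored)

	pt, err := vault.Open("cust-1001", "ssn", stored)
	fmt.Println("decrypted for the owning record:", pt, err)

	_, err = vault.Open("cust-1002", "ssn", stored)
	fmt.Println("same ciphertext moved to another record:", err)

	// Flip one byte of the stored value to simulate tampering.
	raw, _ := base64.StdEncoding.DecodeString(stored)
	raw[len(raw)-1] ^= 0x01
	_, err = vault.Open("cust-1001", "ssn", base64.StdEncoding.EncodeToString(raw))
	fmt.Println("tampered ciphertext:", err)
}
```

The point of the associated data is that a breach of the ciphertext column, or an attacker with write access who shuffles values between rows, yields nothing readable; and the point of keeping the key outside the database is that, if the key sits in the same dump as the data, the data is encrypted in name only and a court or regulator may well treat it that way.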
The California law takes effect January 1, 2020. Businesses had two years to prepare for GDPR, yet many were scrambling at the last minute to be ready. For companies wondering what impact CCPA will have on them, the best advice is to follow the Boy Scouts motto: Be prepared.