In May 2020, the GDPR turns two. This European data protection regulation has been mandatory since 2018, and allows fines of up to 4% of a company’s annual global turnover. Since it was implemented, this regulation has been used to hand million-euro fines to such large companies as British Airways and Marriott International.
In the last few months, we have seen two clear examples of how important it is to properly protect users’ personal data. In mid-October, a server was discovered containing the personal data of over one billion people, one of the largest data breaches of all time. And in early December, the data of over 267 million Facebook users was exposed online in a database without a password.
The CCPA: California tries to protect personal data
In order to protect users’ rights when it comes to their personal data, the State of California has introduced a new law called the California Consumer Privacy Act (CCPA). The law came into effect on January 1, 2020, and mandates strict requirements regarding transparency in the use of personal data.
Under the law, every California resident has the right to demand to see what information a company stores about them. They also have the right to see a full list of all third parties the company shares their personal data with. What’s more, the law provides the right to sue a company that infringes these privacy guidelines, even if there hasn’t been a data breach.
CCPA and GDPR: similarities and differences
The new Californian data protection law has certain similarities with its European counterpart. As with the GDPR, a company doesn’t have to be based in California for the CCPA to affect it; any organization that does business in California must comply with the rules, regardless of where it is registered.
However, there are also differences. Unlike the GDPR, the CCPA doesn’t require a company to report a data breach. In fact, under the CCPA, for a company to be fined, there needs to be a consumer complaint.
Another difference is the limited scope regarding the companies affected: it only applies to companies with at least $25 million in revenue and that make at least half of their money selling data. It also applies to companies that store the data of at least 50,000 consumers.
Another important difference between the two regulations is that the CCPA has a much broader definition of what it considers personal information:
- Identifiers such as real names, aliases, physical addresses, IP addresses, account names, etc.
- Biometric information.
- Browser history, search history.
- Electronic, visual, thermal, audio, olfactory or similar information.
- Professional or employment-related information.
- Education information that isn’t publicly available.
The consequences of infringement
As well as the possibility of being sued, in the event of a data breach, a company could face a fine of up to $7,500 (€6,750) for each record affected. If we bear in mind the number of records that are usually affected in a data breach, it is clear that these sanctions can be considerable.
The consequences of the CCPA go beyond financial aspects: like any cyber incident, being fined under this law will also cause reputational damage for the company affected. Gaining a reputation for not being able to protect the personal data that your company handles may make consumers think twice about trusting your organization.
Protect your company against the repercussions of the CCPA
As CSO explains, the tools that help comply with the CCPA not only need to have full visibility of the data stored by a company, but they also need to ensure that there are strict access controls on that data. Panda Data Control is an additional module of Panda Adaptive Defense, specifically designed to protect the personally identifiable information (PII) that a company stores. It discovers and audits unstructured personal data on computers. It automatically identifies company files that contain PII, as well as the users, employees or collaborators, and the computers and servers, that can access this information.
Protecting personal data is one of the most pressing issues for all companies these days. Data breaches are an ever more frequent reality, and it is vital to make every effort to protect against them.