A quick reference guide for CCPA compliance
Comparing CCPA compliance and the GDPR
The California Consumer Privacy Act (CCPA) goes into effect January 1, 2020. Is your organization prepared? Discover how the General Data Protection Regulation (GDPR) has paved the way for CCPA compliance initiatives.
How will CCPA compliance impact businesses?
The CCPA, effective January 1, 2020, will have a significant impact on corporate privacy initiatives across all sectors of the technology, media and entertainment, and telecommunications (TMT) industries. TMT companies that may still be in the process of compliance deployment for the European Union’s (EU) GDPR have some advantages addressing the new requirements, but brands that are primarily focused on the United States and markets in the Americas largely avoided GDPR’s scope. Regardless, the rising tide of privacy concerns among consumers and legislatures globally is driving data privacy mobilization across TMT.
Considered one of the strictest privacy laws in the United States, CCPA provides California residents with the ability to control how businesses process their personal information. Businesses will now have to honor requests from California residents to access, delete, and opt out of sharing or selling their information. Additionally, businesses will have to consider a number of CCPA-specific requirements when updating their privacy programs, such as the CCPA’s prescriptive opt-out measures, and the need to stop selling consumer data upon an individual’s request.
Five frequently asked questions about CCPA compliance
The CCPA will apply to for-profit businesses that collect and control California residents' personal information, do business in the state of California, and meet at least one of the following thresholds:
● Annual gross revenues larger than $25 million
● Receive or disclose the personal information of 50,000 or more California residents, households, or devices each year
● Make 50 percent or greater annual revenue from selling California residents' personal information
Non-profits, smaller companies that don't meet the revenue thresholds, and/or those that don't traffic in large amounts of personal information from California residents, and don't share a brand with an affiliate that's covered by the CCPA won't have to comply.
Currently, the CCPA extends to for-profit companies established in California (i.e., doing business in California) and entities that “indirectly” qualify as doing business (i.e., parents and subsidiaries of companies established in California).
Organizations located outside of California may wonder whether they are subject to the CCPA. If a business transacts with California residents and meets the threshold requirements, it also needs to consider whether it collects the personal information of California residents. The scope of the CCPA is tied to the residency of the consumer: its purpose is to protect the rights of residents of California.
The CCPA takes effect on January 1, 2020. From that date, consumers will be able to request that a business disclose the specific pieces of information it has collected or processed about the consumer during the preceding 12 months (reaching back as early as January 1, 2019), and whether such information was disclosed or sold to a third party.
Additionally, the California attorney general (AG) will delay its own enforcement actions for a period of six months after the act takes effect. It is important to note that consumers can still lodge a complaint directly with a business, or request their personal information from a business, beginning on January 1, 2020.
The CCPA will mean that increased disclosures become a large part of compliance for businesses subject to the new law. Organizations should prepare comprehensive privacy notices that are presented to consumers when personal information is collected. These notices should include descriptions as to how personal information is collected, how that personal information is used, and the categories of personal information the business has sold to third parties in the last year.
Businesses also need to publicly disclose and inform consumers of the existence and nature of consumers’ rights under the CCPA. These rights include the ability for an individual to request the business to provide copies of their personal information.
The CCPA defines personal information more broadly than typical privacy-related laws in the United States. Personal information is defined under the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The definition is broader (and more complex) than the GDPR’s.
The definition of personal information also lists a wide range of standard examples that includes Social Security numbers, drivers’ license numbers, purchase histories, and “unique personal identifiers” like device identifiers and online tracking technologies.
The CCPA excludes information that is publicly available, such as property tax data from government records or other publicly maintained sources.
The CCPA also excludes aggregated data, as well as medical or health information collected by a person or entity governed by California’s Confidentiality of Medical Information Act or Health Insurance Portability and Accountability Act of 1996 (HIPAA).
How does the CCPA stack up to the GDPR?
The GDPR and the CCPA have a number of similarities, but the CCPA’s unique requirements call for focused effort on the part of businesses to achieve and maintain compliance. Organizations that have previously updated their governance mechanisms and operational implementations to comply with the requirements of the GDPR have an advantage over a business that was not subject to the GDPR. One specific challenge is transitioning from a point-in-time GDPR project to a scalable, regulation-agnostic, and efficient privacy program that can remain responsive as privacy regulations stabilize and mature.
With clarification from lawmakers on elements of the CCPA still pending, organizations may not feel a sense of urgency about getting their compliance programs ready. But TMT companies should have learned from the GDPR that developing a compliance program can be a lengthy process, and it is critical to get started as soon as possible.
How the CCPA compares to GDPR
Third-party risks increase with new privacy regulations
With both GDPR and CCPA compliance, third-party risk management will likely be challenging for many organizations.
In terms of compliance, working with third parties is important because the organization is responsible for what those third parties do with its data—not to mention fourth and fifth parties.
– Richard Vestuto, a managing director at Deloitte Transactions and Business Analytics LLP [1]
Any number of third parties potentially house an organization's data, including external vendors performing marketing, billing, or collections. Under the CCPA and the GDPR, the organization that gathers or processes the personal information is responsible for keeping that data private, which requires a contract in many circumstances.
Organizations should consider a thorough review of existing contracts to inventory and determine which third parties might be collecting, processing, or retaining personal information on the organization’s behalf. Upon identifying those in-scope contracts, the next steps may include amending or renegotiating them to achieve compliance. Additionally, consider using technology to extract the privacy clauses from those contracts and analyze them against applicable standards and regulatory provisions.
[1] “EU GDPR: After the Deadline, What Comes Next?,” CFO Journal, January 10, 2019.

Finding the upside of new privacy rules
Business leaders understand that doing what needs to be done to create enterprise value often means taking risks. TMT executives should consider viewing data privacy and security not just as a risk management issue but as a potential source of competitive advantage that may be a central component of brand-building and corporate reputation.
The CCPA is coming soon, and it’s likely that additional data privacy regulations will follow in the United States and globally. Planning for CCPA compliance and the potential variety of similar regulations will require focused effort from across an organization. In support of that, organizations can focus on developing mature privacy strategies, with input from all the impacted facets of a business, to manage both the CCPA’s immediate requirements as well as plan for future privacy-related concerns.

About Deloitte Risk and Financial Advisory
Deloitte Risk and Financial Advisory helps organizations effectively navigate business risks and opportunities—from strategic, reputation, and financial risks to operational, cyber, and regulatory risks—to gain competitive advantage.
We apply our experience in ongoing business operations and corporate lifecycle events to help clients become stronger and more resilient. Our market-leading teams help clients embrace complexity to accelerate performance, disrupt through innovation, and lead in their industries.