VMblog's Expert Interviews: Archive360 - Does GDPR Compliant Equal California Consumer Privacy Act Compliant? Nope…


It appears that just as U.S. organizations are beginning to get their arms around the General Data Protection Regulation (GDPR), new laws here in the U.S. are coming into effect.  Specifically, California's new Consumer Privacy Act of 2018 (CCPA).  Today, we speak with Bill Tolson, Vice President, Archive360, on this business-critical topic.

VMblog:  So much work has been undertaken by organizations in the U.S., not to mention around the world, to ensure they meet the EU's General Data Protection Regulation (GDPR).  If organizations are GDPR compliant, does that mean that they are also compliant for the new CCPA?

Bill Tolson:  Great question - and the answer is a resounding no!  Even if your organization has already taken all the measures necessary to comply with GDPR requirements, it doesn't mean that you're set and done when it comes to addressing the requirements of the emerging California Consumer Privacy Act (or any others coming onto the books, for that matter). 

CCPA, which takes effect on January 1, 2020, is considered by legal experts to be the most aggressive and far-reaching privacy protection measure ever enacted in the US.  It is believed that it will likely prompt other states, or even the federal government, to eventually follow suit.

VMblog:  Just how similar, or how dissimilar, are these statutes; and how well does a company's previous planning for GDPR compliance prepare an organization for the new mandate?

Tolson:  Some early comparisons between the two pieces of legislation referred to CCPA as "the United States' version of GDPR" or "GDPR 2.0." Unfortunately, this led quite a few business and IT, and even a few legal and compliance, professionals to believe that they were basically the same law, or that the similarities outweighed the differences.  The truth is that there are vast differences between the two pieces of legislation.

Again, let me restate that GDPR compliance does not equal CCPA compliance. Corporate regulatory and compliance officers, as well as their external consultants in law firms, need to be aware of this fact and familiarize themselves with the differences between GDPR and the CCPA. To avoid major financial penalties, enterprises now must get ready to address both sets of rules separately, ensuring that they have done their due diligence when it comes to protecting consumer data here and abroad.

VMblog:  Beyond both statutes, GDPR and CCPA, having the same starting point - i.e., the premise that data privacy is a fundamental right, are there any other similarities?

Tolson:  Beyond that premise, there are a few other specific areas in CCPA that are recognizable to those familiar with GDPR, which include the "right to be forgotten" (to a certain degree), the "right to portability," and the "right to access data." After that, these statutes diverge considerably. Despite any likenesses that the new California act has with GDPR, or influence that the latter had in crafting the former, CCPA requires different compliance thresholds.

VMblog:  Could you outline some of the major differences?

Tolson:  One significant variance is how these rights are delivered, and the method of sanctions, in other words, who gets paid if a violation of a consumer's data privacy is determined to have occurred. For instance, in the California statute, the affected individual has a right to recover money. The California act includes an area called "presumed damages," or the explicitly stated damages that consumers can be awarded if a data breach occurs that affects an individual's personal data. In this far-reaching provision, all California citizens are empowered to initiate a civil action to recover damages if they feel an organization hasn't sufficiently protected their personal data, as in the event of a data breach, even if they can't show actual damages.

Under CCPA, the possible damages of a breach are not less than $100 and not more than $750 per consumer per incident, or actual damages, whichever is greater. So if a breach takes place and consumer data is accessed, or even if it could have been accessed, CCPA operates under the assumption that the data will be misused. Though fines in the hundreds of dollars may seem small, the result could quickly add up to millions of dollars for larger breaches, depending on how many consumers were affected and the measured damages. The potential fines and penalties for GDPR may end up even higher, since fines for compliance failures can be 4 percent of global revenue or EUR 20 million, whichever is higher.

Another major difference between GDPR and CCPA is that the consumer has more rights via the California act than those in the EU, specifically as to the preemption of the sale of third-party data before it happens, and the right to know the purpose for which their data is being collected and sold. Specifically, CCPA requires that organizations inform California residents what data the organization is collecting and how that information is being used. It also gives state residents the option to request that the company delete the data or stop selling it. CCPA does not, however, prevent organizations from collecting people's data or give consumers the option to request that a company stop collecting their personal data, which differentiates the language from GDPR.

There's also the significant distinction of who is affected by each type of legislation. CCPA has in essence taken small businesses out of the requirement, since it is directed at businesses that have $25 million or more in revenue, or trade in the data of 50,000 or more people or endpoints, or derive half or more of their revenue from selling personal information of consumers. (In the draft version of this statute, the requirement had been stated as $50 million in revenue, so it was originally intended to cover only very large companies. With the figure now cut in half, the net is a lot wider as to who is impacted by this new law, and it's still a very large universe of companies.) So the California law primarily affects medium to large businesses, unless an amendment changes that before 2020. GDPR, on the other hand, affects all businesses without limits on revenue size. 

VMblog:  If you've already prepared for GDPR, and are an enterprise collecting or in possession of California resident data, are there areas in which you should pay particular attention, and perhaps address first?

Tolson:  An ideal starting point for many organizations would be to address data consolidation and then security in light of this new environment.  The majority of data management professionals know that it's more efficient and easier to secure a single repository (and to perform search, review, production, and retention/disposition on the data) than to try to work with multiple application repositories with varying capabilities and rules.

The new California state law also will compel companies to expand their awareness of exactly what consumer data they are collecting.  They will need to find a way to manage that data at a more granular level. As with the recently released GDPR requirements, it's again time to ramp up and get prepared for the new California law - now.

And don't be surprised if this pattern repeats itself, adding to the compliance complications, when other states enter the fray and consider adopting their own consumer data privacy legislation down the road. While it's possible that other states will decide to adopt California's law, we also could end up with a patchwork of requirements if each state designs its own customized privacy regulation.  (Which also begs the question: will this at some point progress towards federal regulation?)

While it will take enterprises a while to fully grasp the distinctions between these two important statutes in the consumer data privacy realm, it helps to keep one bottom-line fact in mind. If your company has taken the needed steps to become GDPR compliant, and your assumption was that your business is now also "California ready" when it comes to CCPA, that's not accurate. Gear up, because it's time for you to adjust your systems again to become compliant with California law, and to ensure that data security and information management take center stage.


Published Friday, August 31, 2018 10:20 AM by David Marshall