The introduction of the European Union’s General Data Protection Regulation (GDPR) has arguably had a huge influence on the emerging data protection laws of countries and states across the world.
The California Consumer Privacy Act (CCPA) came into law in June 2018 and sets the rules for businesses in California, that collect, process and share consumers’ personal information.
At the present time, there is no federal privacy law in the United States. Consequently, the CCPA is viewed as a major step forward in protecting the data of individuals engaged in purchasing transactions with online businesses.
Unlike the GDPR, which applies to any organization that collects, processes and shares personal data of EU citizens, only for-profit entities are required to comply with CCPA regulations. This applies to businesses with a gross annual income of $25 million or more, or companies that make at least 50% of their sales revenue from the sale of consumer data.
Under the CCPA, financial penalties can fall anywhere between $2,500 and $7,500. It all depends on the type of violation involved. The GDPR directs penalties through the UK’s Information Commissioner’s Office (ICO). The CCPA does so through action brought by the Attorney General of California.
GDPR and CCPA empower individuals to ask an organization to refrain from selling or sharing their personal information. However, the difference is that the GDPR requires consumer consent in order to legally allow companies to collect and process their data. Currently, no such restrictions apply under the CCPA. Therefore, US legislation allows businesses to freely collect Personally Identifiable Information (PII), and consumers are retrospectively given the choice of whether the organization can sell what it has collected.