American analogue of the GDPR: what you need to know about the act of CCPA

    More and more analogs of GDPR appear in the world. Recently, a similar bill was developed in India , now in line with the United States. The example from Europe was taken by California, approving its own law governing the rules for working with users' personal data.

    The California Consumer Privacy Act, or CCPA, will enter into force on January 1, 2020. Next, we consider the main provisions of the law, which was developed and adopted in just a week.

    / photo by Ryan Brisco PD

    Who fall under the law

    The new law is not as severe as the European directive, but still implies big changes in the life of the business. Every Internet user in California has the right to request the company information that it has collected about it, and a list of third parties to whom it has become known.

    Based on the same law, a user can now sue an organization that improperly used its PD or did not fulfill any of its requests on time.

    SSRA includes companies that process personal data of California residents (residents can be both within the state and outside it) and receive a minimum of $ 25 million in annual income. But there is a nuance: if the company's income is less, but it stores personal data for more than 50 thousand people, its activity falls under the SSRA.

    The new law also regulates the activities of firms that receive more than half of the profits (no matter how large) from the sale of PD. The location of the organization does not matter: it does not matter whether it is located in California or outside the state.

    What is considered personal data

    Personal data are any identifiers, biometrics, geolocation, history of activity on the Internet and information about employment or education. In general, there are any data that can identify a person.

    At the same time, the law contains rather vague wording. For example, a personal identifier may include information about the user's family. As well as PD classify any information that allows you to create user profiles: whether psychological, behavioral, etc.

    User rights

    By law, the user receives a "traditional" set of rights:

    • Right of access. The user can send a request and get all the information that the company has collected about him;
    • Right to oblivion. The user may request to remove information about himself from the company's servers and servers of third parties;
    • The right to know. Upon request, the company must disclose the purposes of collecting personal data and their sources;
    • Right to refuse. Users may refuse to transfer their data to third parties.

    Here lies an important difference from the GDPR - according to the European directive, the company needs to obtain the user's consent to the processing of PD. Under California law, an organization should only process requests from users.

    If user data was lost or stolen, the company would have to pay between $ 100 and $ 750 to each victim.

    If the user has sent a company a complaint about a violation related to his personal data, she is obliged to resolve the problem within a month. Otherwise, it is waiting for a fine. Now he is 7.5 thousand dollars.
    However, under the SSRA, companies are not obliged to disclose any facts of violations, if they have not received a corresponding request from users.

    The amounts of fines and fees may still change, but in any case (considering all the technical and legal costs), the SSRA may become a financial threat to the existence of many companies.

    / photo Justin Lim PD


    Another interesting nuance is that the law prohibits companies from discriminating against users who refuse to provide their personal data. But it also implies the possibility of introducing a reward system for those who agreed.

    Formally, this means (if the item does not change) that companies can make discounts to those who share their data with third parties and set different prices for users depending on their privacy settings.

    This creates not only an interesting technological precedent, but also a cultural one: de facto, the CCPA creates new rules of the game, according to which companies can buy information from users that they previously received for free.

    The bottom line

    Formally, the law enters into force on January 1, 2020. But as soon as it starts its action, the company should immediately be able to provide users with the data collected about them in the last 12 months. Accordingly, the deadline for the implementation of all the necessary technological solutions comes a year earlier - that is, just four months later.

    With this approach, we can expect the appearance of the first lawsuits on the first day of the directive. As it was with GDPR and claims to Facebook and Google .

    / Photo Book Catalog CC

    Large IT giants gradually, but not very openly, oppose this law . In particular, they finance a public organization that fights against it.

    Experts believe that the law, passed so hastily, in two years will still be corrected and written down. However, they are not sure that the changes will be significant. The main provisions are likely to remain intact.

    Thus, the SSRA is the first step towards a completely new understanding of the security of information in America and modifications of most of the practices that were considered basic and unchanged for many years.

    PS Posts on a topic from our IaaS blog:

    PPS Fresh posts in our blog on Habré:

    Also popular now: