Overcoming CCPA Compliance Challenges: What Is CCPA?

The new California Consumer Privacy Act (CCPA) takes effect at the beginning of 2020 and imposes stiff penalties on those that misuse and resell consumers’ private information.

Nevada and New York have also introduced their own privacy regulations. Canada and Mexico, as well as Texas, Washington and many other states are watching the personal data privacy narrative as it unfolds in California.

In this blog series on CCPA, we will examine CCPA and outline its effects on California businesses and how Neo4j’s graph technology can help your company conform to the CCPA’s regulations.

Personal Data Privacy Leaps across the Atlantic

American consumers and regulators have been concerned but patient about personal data privacy over the years.

The new millennium brought a tsunami of personal data breaches at Marriott, TJ Maxx, eBay, Equifax, Home Depot, JP Morgan Chase, Target, Adobe, Sony, VeriSIgn, Anthem, Uber and many other major institutions. The top 15 incidents alone compromised more than two billion accounts. A colossal hack at Yahoo! exposed another three billion identities that appeared for sale on the dark web.

In recent years, the European Union has introduced extensive, strict personal privacy reforms with their General Data Protection Regulation (GDPR), but American lawmakers did not follow suit with their own tighter federal laws.

The California legislature wrote the CCPA after the high-profile Cambridge Analytica scandal and other similar data scandals, in which Aleksandr Kogan, a Russian-American professor, amassed profiles for 50 million Facebook users. Only half-a-percent of those account owners consented to the use of their information and only for academic purposes.

Kogan turned the data over to Cambridge Analytica who then repackaged it into targeted digital marketing services that it sold to political campaigns including Donald Trump’s presidential campaign. The gravity of this event alerted Americans to the far-reaching and completely unintended consequences of how their personal data can be used.

What Exactly Is CCPA?

CCPA is a set of personal data protection regulations passed by the State of California in 2018 that take effect on January 1, 2020. They address the personal privacy risks associated with the collection, use and resale of personal information about California residents.

The regulations in CCPA require collectors and resellers of personal information to enable California residents to:

• Know which information is collected about them and how it is used
• Examine their information and request its deletion
• Know if any of their information is sold or disclosed, and to whom
• Block the sale of their information, especially for minors
• Enjoy the same level of service whether they opt for privacy or not.

If a data breach occurs or a consumer files a complaint, regulators require businesses to document the sequence of events that led to the breach. This requires organizations to keep accurate data lineage records of all private consumer data.

CCPA does not replace existing California privacy laws including CalOPPA, Shine the Light and the Digital World Act’s protection of California minors. Existing privacy requirements in CalOPPA and other regulations are still in full force.

CalOPPA applies to all businesses based in California as well as to organizations that collect any information about California residents. It does not require consent to collect personal data unless it belongs to a minor under the age of 16. But CalOPPA doesn’t address the resale of personal information.

CCPA adds a layer of privacy protection by requiring businesses to allow users to request that their data is not resold.

Is CCPA Just California’s Version of GDPR?

In short: not quite.

In May 2018, the European Union rocked the online world when its General Data Protection Regulation (GDPR) took effect. GDPR’s goal is to recognize the realities of today’s digital world while giving EU citizens more control over their personal information and privacy.

While the spirit of CCPA and GDPR are similar, there are some important differences. California’s CCPA regulations are focused on the resale of personal information while GDPR requirements are wider and more far-reaching.

Do I Need Separate Solutions for CCPA and GDPR Compliance?

There is some good news in this complex wave of new privacy regulations: The data issues underlying CCPA, GDPR and other privacy regulations are very similar. The relationships among the various data elements are the same, regardless of jurisdiction or regulatory terms.

By using a powerful and flexible graph database framework, you can easily address the data management requirements of personal data privacy, no matter the origin of particular regulations.

Conclusion

As we have shown in this first blog in our three-part series on compliance with CCPA, CCPA is a set of personal data protection regulations passed by the State of California in 2018 that take effect on January 1, 2020.

This series is intended to help you and your company as you work toward data privacy compliance with CCPA.