This blog discusses the potential issues around implementing CCPA compliance if a superseding federal law is enacted. It covers:
The United States is facing a data privacy crisis. As hacks, leaks and other breaches find the daily headlines, the response seems to be delayed at the federal level, forcing a highly fragmented response by individual states.
There are no comprehensive Federal laws in place that address personal data privacy. Instead, 26 states published different laws as an attempt to address the concerns of their citizens.
For companies within the United States (and in the case of the CCPA, any company that maintains personal data on California consumers), this is a compliance nightmare. Many of these companies already battle compliance on the global stage as they operate in different jurisdictions where often mutually incompatible laws need to be maintained. To maintain additional compliance on a growing list of states becomes nearly impossible.
The impact of this patchwork of data privacy laws is that it overcomplicates product and service delivery, as well as creating the risk of non-compliance as new laws crop up with new requirements.
Even though a few countries like Canada and Japan developed comprehensive data privacy laws early on, in 2018 the GDPR became a legal behemoth that created a wave of awareness among ordinary citizens. The slew of data breaches exposed in recent times didn’t help. Now, American citizens are demanding the same rights as their European counterparts.
Internally, the United States is getting tremendous pressure to consolidate data privacy laws as well. Recently, a group of 51 highly influential tech CEOs signed an open letter to Congress, asking for a Federal data privacy law that supersedes state laws, in an attempt to simplify compliance and strengthen individual data privacy rights.
The CCPA is possibly the most prominent data privacy law in the United States at the moment. As one of the largest economies in the world, and as a hub for technology companies, California couldn’t avoid implementing some form of legislation.
As a data privacy law, there is some overlap with GDPR, but there are also a number of fundamental differences, chief of which is the broad definition of personal information, and an “opt-out” approach focused on the sale of data rather than GDPR’s consent model.
One might expect that with its prominence, the CCPA could serve as a template for a Federal law. However, the CCPA is written in a way that doesn’t obstruct the sale of data, making it more lenient to companies that built their operations on the sale of consumer data.
It seems that the general direction for Federal privacy laws is to copy or mirror the GDPR, which is much stricter and would impede the ability of many businesses to sell personal data. From the perspective of individuals, this would be a good thing, but from the perspective of many such businesses, this could spell disaster.
The US Government Accountability Office (GAO), a bi-partisan government agency that provides auditing, evaluation, and investigative services for Congress, already promotes the idea of a GDPR-like Federal law to govern data privacy, giving the SEC the power to enforce it. Even Tim Cook, CEO of Apple, publicly asked that Congress adopts laws that are similar to the GDPR. It is therefore unlikely that a Federal law will closely match the CCPA.
The short answer is “no.” It is very risky to ignore any state laws, and particularly the CCPA, as if you have data on California citizens, it will remain the de facto compliance requirement for the foreseeable future. Non-compliance will open up your organization to serious fines and civil action.
The reality is that law at the Federal level is unlikely to be adopted in the near future. It takes tremendous time, effort and legislative grappling to push a law of this magnitude and impact through Congress, leaving organizations to comply with whichever state law applies to them.
There are some steps you can take to ensure you are prepared for a Federal data privacy law:
Still unsure? We have developed a comprehensive CCPA implementation guide that includes a comparison with GDPR. We also developed a white paper that gives you practical insights on how technology can support your data privacy compliance journey.
This blog is not intended as legal advice and should not be construed as such. Its purpose is to provide information for educational purposes only and makes no claims or guarantees with regards to efficacy, accuracy or full compliance with the law discussed herein.
Please consult with an appropriate legal advisor before implementing any part of a CCPA compliance project. EPI-USE Labs will not take any responsibility for misinterpretation or incorrect application of practical measures towards compliance resulting from the use of this information.