The future of the CCPA: What about a Federal law?

27 September 2019
Written by Gericke Potgieter

Gericke is responsible for marketing systems management and data analytics at EPI-USE Labs. He is a qualified ISO 27001 Lead Implementer and has an MA in Socio-informatics (Decision Making Theory). He has spent most of his career in IT, strategy consulting and software development.


This blog discusses the potential issues around implementing CCPA compliance if a superseding federal law is enacted. It covers:

The fragmented states of data privacy

The United States is facing a data privacy crisis. As hacks, leaks and other breaches find the daily headlines, the response seems to be delayed at the federal level, forcing a highly fragmented response by individual states.

There are no comprehensive Federal laws in place that address personal data privacy. Instead, 26 states published different laws as an attempt to address the concerns of their citizens.

For companies within the United States (and, in the case of the CCPA, any company that maintains personal data on California consumers), this is a compliance nightmare. Many of these companies already struggle with compliance on the global stage, as they operate in different jurisdictions whose laws are often mutually incompatible. Maintaining additional compliance across a growing list of states becomes nearly impossible.

The impact of this patchwork of data privacy laws is that it overcomplicates product and service delivery, and it creates the risk of non-compliance as new laws crop up with new requirements.

The global data privacy drive hits the US

Even though a few countries like Canada and Japan developed comprehensive data privacy laws early on, in 2018 the GDPR became a legal behemoth that created a wave of awareness among ordinary citizens. The slew of data breaches exposed in recent times didn’t help. Now, American citizens are demanding the same rights as their European counterparts.

Internally, the United States is getting tremendous pressure to consolidate data privacy laws as well. Recently, a group of 51 highly influential tech CEOs signed an open letter to Congress, asking for a Federal data privacy law that supersedes state laws, in an attempt to simplify compliance and strengthen individual data privacy rights.

The CCPA: a template for Federal law?

The CCPA is possibly the most prominent data privacy law in the United States at the moment. As one of the largest economies in the world, and as a hub for technology companies, California couldn’t avoid implementing some form of legislation.

As a data privacy law, there is some overlap with GDPR, but there are also a number of fundamental differences, chief of which is the broad definition of personal information, and an “opt-out” approach focused on the sale of data rather than GDPR’s consent model.


One might expect that with its prominence, the CCPA could serve as a template for a Federal law. However, the CCPA is written in a way that doesn’t obstruct the sale of data, making it more lenient to companies that built their operations on the sale of consumer data.

It seems that the general direction for Federal privacy laws is to copy or mirror the GDPR, which is much stricter and would impede the ability of many businesses to sell personal data. From the perspective of individuals, this would be a good thing, but from the perspective of many such businesses, this could spell disaster.

The US Government Accountability Office (GAO), a bipartisan government agency that provides auditing, evaluation, and investigative services for Congress, already promotes the idea of a GDPR-like Federal law to govern data privacy, giving the SEC the power to enforce it. Even Tim Cook, CEO of Apple, has publicly asked that Congress adopt laws similar to the GDPR. It is therefore unlikely that a Federal law will closely match the CCPA.

Should I wait before tackling a CCPA compliance project?

The short answer is “no.” It is very risky to ignore any state law, and particularly the CCPA: if you hold data on California citizens, it will remain the de facto compliance requirement for the foreseeable future. Non-compliance will open up your organization to serious fines and civil action.

The reality is that law at the Federal level is unlikely to be adopted in the near future. It takes tremendous time, effort and legislative grappling to push a law of this magnitude and impact through Congress, leaving organizations to comply with whichever state law applies to them.

What can I do to prepare for a Federal law?

There are some steps you can take to ensure you are prepared for a Federal data privacy law:

[Infographic panels: The future of the CCPA Graphics 01–05]

Still unsure? We have developed a comprehensive CCPA implementation guide that includes a comparison with GDPR. We also developed a white paper that gives you practical insights on how technology can support your data privacy compliance journey.


Disclaimer

This blog is not intended as legal advice and should not be construed as such. Its purpose is to provide information for educational purposes only and makes no claims or guarantees with regards to efficacy, accuracy or full compliance with the law discussed herein.

Please consult with an appropriate legal advisor before implementing any part of a CCPA compliance project. EPI-USE Labs will not take any responsibility for misinterpretation or incorrect application of practical measures towards compliance resulting from the use of this information.
