Never Mind the GDPR: It’s the CCPA

Chances are, this past spring your organization had to dedicate some time to GDPR compliance changes – changing website wording or documenting the process for removing someone’s data. It may have seemed an exercise in futility at the time, especially if you don’t have many European customers.

Turns out, the GDPR was just the first shot across the bow. In June, California lawmakers voted unanimously to pass a bill that gives state residents significantly more privacy protections when it comes to their digital data. The California Consumer Privacy Act of 2018 provides consumers with tighter control over how their information is gathered, stored and shared. It also includes steep penalties for businesses that fail to comply.

The new law applies to digital products and platforms that collect the data of California residents. Considering that the state contains over 12 percent of the U.S. population, and is often a legal and technological bellwether, software vendors throughout the U.S. will want to comply with the new law.

Transparency, Control, Compliance

Like the GDPR, the California Consumer Privacy Act of 2018 (CCPA) mandates that businesses give consumers access to data that has been gathered on them. Companies like Apple have addressed this need in compliance with GDPR by allowing consumers to access an online portal for their data. The portal contains common first-party data that companies store, including purchase histories, participation in promotions, engagement with certain marketing campaigns, file downloads and play histories, and other so-called “breadcrumbs” users leave behind as part of their digital trail.

The CCPA differs in one key way from the GDPR: its opt-in requirements are much stricter and favor consumers strongly when it comes to fairness of options. Under the GDPR, a business must get express opt-in permission from users before it can collect, store and use their data.

California’s new law also goes a step further by requiring that companies allow people to use their product even if they opt out. It does allow companies to charge different prices to users based on how much data they are willing to share, alongside other factors like whether they are willing to be exposed to ads. However, the bill’s text explicitly states that the differences in price must be “reasonably related to the value provided to the consumer by the consumer’s data.”

What ISVs Can Do to Prepare for the CCPA

The CCPA shares a number of similarities with Europe’s recent landmark GDPR legislation. Independent software vendors also get a little wiggle room from the bill’s language, which essentially admits that many aspects of enforcement and compliance are to be determined. Because the bill doesn’t go into effect until 2020, ISVs also have time to prepare for (and potentially even help shape) the new rules.

We’ve provided a number of GDPR compliance guidelines for software developers, and we’ll continue to keep you up to date on CCPA compliance issues in future posts.
