On January 1, 2020, the California Consumer Privacy Act (CCPA) came into effect. Much like the General Data Protection Regulation (GDPR) of the European Union, CCPA aims to protect consumers against predatory data practices. However, should businesses outside of the United States be concerned about complying with CCPA?

Businesses That Need to Comply with CCPA

According to the rules laid down in CCPA, the act applies to businesses that meet any of the following four conditions:

  • Organizations that do business in California
  • Organizations that collect personal information of people living in California
  • Have an annual gross revenue of $25 million or more
  • Process personal information of at least 50,000 California consumers, households, or devices

According to case law in the US, businesses can be deemed as doing business in the country even if they are operating from outside its borders. Thus, according to that definition, CCPA can apply to not only UK businesses, but an international business as well.

If you are a UK business that does a gross annual revenue of $25 million or more and/or you do business with California consumers in any manner - for instance, if you run an online store and deliver to consumers in California - you would do well to comply with CCPA. This also applies if you have any remote employees that live in California or engage in online tracking behavior that may affect a California resident, such as tracking internet activity through the use of cookies.

Is the UK Working on its Own Version of CCPA?

There are no reports to suggest that the UK is working on its own version of CCPA. If anything, it is expected that any kind of data regulation law will be on the lines of GDPR, as opposed to CCPA. In fact, the UK Data Protection Act (DPA) 2018 is likely to be amended to make it the UK's version of GDPR.

A Note on GDPR and PECR

The General Data Protection Regulation (GDPR) came into effect in May 2018. Fundamentally speaking, GDRP and CCPA are very similar in their intention: to protect consumers from unauthorized access to personal information. However, the two differ in terms of how they set about achieving the goal. The key difference between CCPA and GDPR is, while the former focuses on data, GDPR focuses on the user.

Two of the key differences between CCPA and GDPR are:

  • CCPA does not consider any information available publicly to be personal information
  • Only GDPR gives users the right to ask a business to correct any false information that it might have on them. Under CCPA, users can only ask the information to be deleted, which is a provision under GDPR, too.

The Privacy and Electronics Communication Regulation (PECR) came into effect in the EU in March 2019. Together with GDPR, it gives users even more protection against misuse of personal information. Specifically speaking, PECR deals with electronic communication, such as emails and texts, and cookies.

Despite the UK no longer being a part of the European Union, GDPR and PECR both still apply to businesses in the UK until 2021, which is the transition period for the UK leaving the EU. After 2021, it is expected that the UK government will pass legislation very similar to GDPR. Not much is known about if the UK will legislate something similar to PECR, or if it will bundle it with a single, far-reaching data protection law.

The Bottom Line: If you are already compliant with GDPR and PECR, you've like done 90% of the work toward CCPA compliance, but you're likely not there yet. Check your company's current standards against the CCPA requirements to see if you have anything still outstanding.

Why CCPA Compliance Matters for International Businesses

Any kind of data protection regulation, CCPA or otherwise, is meant to give customers more control over their personal information and how it is used by companies. Failure to comply with these tough regulations can attract hefty fines. For instance, non-compliance with GDPR can attract a fine of 20 million Euros or 4% of a company's global revenue, whichever is higher. British Airways had to pay a price for data breach, and so did Marriott International, two of the biggest names that have been fined since GDPR came into effect.

Any kind of data breach can also severely dent a business' image, which can hamper their customer relationships. Given the complexity of modern datasets in terms of volume, variety, and distribution across multiple locations, data mapping and encryption can be a time-consuming task. Handling the process manually also increases the risk of errors, which can prove to be very costly.

The best way to ensure data compliance across complex datasets is automated detection of sensitive information and encryption, of the same. That's where ETL tools such as Integrate.io can help ease the process of data compliance for organizations. Integrate.io uses ETL (Extract-Transform-Load), which is a continuous process of data extraction, and identification and encryption of sensitive information, before the data is loaded into a data warehouse or a data lake.

Automation of data transformation tasks with the help of low-code solutions eliminates manual errors from the process. It also helps businesses keep their IT overheads down while still complying with data protection regulations. To experience Integrate.io's ease of use and high commitment to security, contact us to schedule a demo.