CCPA (California Consumer Privacy Act)
This glossary explains various keywords that will help you understand the mindset necessary for data utilization and successful DX.
This time, we will explain the California Consumer Privacy Act (CCPA), which will have an impact on the future use of data, and through that we will consider issues related to data use.
What is the CCPA (California Consumer Privacy Act)?
CCPA is an abbreviation for the California Consumer Privacy Act. It is a law established by the state of California to protect the personal data of people who live in California (people with registered residency).
This law gives residents the right to privacy regarding their data and requires businesses that handle personal information to use and manage it appropriately. Violations can result in fines and civil lawsuits, and because the law applies based on whose data is handled rather than where the business is located, it can affect Japanese companies even if they have no headquarters or branch in California.
California Law
The CCPA is a personal data law (a state law) enacted by the state of California in the United States. You may be wondering, "Isn't this a US federal law?" However, unlike prefectures in Japan, each US state has strong authority similar to that of an independent nation, and each state can enact its own laws.
California has always been a region with a history of advanced consumer protection initiatives, such as food safety initiatives (strict regulations on the labeling and regulation of chemicals contained in food and drinking water) and environmental protection (banning the sale of gasoline-powered vehicles by 2035). The state is also independently taking steps to protect consumers regarding the use of personal data.
The movement to better protect people's rights when using personal data is a growing trend around the world, and is being discussed frequently as a sign of the times, along with the EU initiative, GDPR. It is likely that other regions will also adopt similar regulations that emphasize the protection of individual rights, and it is also possible that the content of GDPR and CCPA will become even stricter in the future.
It may also be relevant to Japanese companies.
You might think that California law has little to do with Japan, but it may also apply to companies other than those with headquarters or business locations in California.
In order to protect the rights of California residents, if your company sells its products or services in California and handles customer information, you may be subject to the CCPA even if you do not have a business presence in California. Furthermore, if you provide content or services via the Internet, and there is a reasonable chance that they will be accessed from California, you will be subject to the CCPA.
California is also the most populous state in the United States (approximately 40 million people), and is home to Silicon Valley, an advanced IT region, and Hollywood, home to the content industry. It accounts for roughly 10% of the US population, and if California were a country, its economy would be larger than that of the UK and third largest after Japan and Germany.
While state law may seem like a local issue, it is hard to ignore its economic importance not only in the United States but also around the world. Furthermore, when you consider Silicon Valley and Hollywood, it is inevitable that state law will be involved in various Internet initiatives.
High penalties and risk of civil litigation
Violation of the CCPA can result in heavy fines and even civil lawsuits with huge damages, so the risks of violating it are high.
Penalties of up to $2,500 per violation, or $7,500 if the violation is willful, can be imposed. For example, penalties can be imposed if a company fails to respond to inquiries or delete data within a certain timeframe. If a violation involves 1,000 pieces of personal data, even if it was unintentional, a fine of up to $2.5 million can be imposed. In addition, there is a risk of being sued for damages through civil litigation.
The scope of personal information is wide
Like the GDPR, the CCPA protects a broader range of personal information than previous legislation. In addition to data that is clearly privacy-related, such as names and facial photographs, CCPA also protects data that is somehow linked to an individual.
For example, an IP address is a number, but if it is linked to someone's internet access, it becomes personal data. Product purchase history, geographical movement history, and web browsing cookies are also linked to individuals, so they are also personal data.
Cookies were originally created to improve the convenience of web browsing and information registration, but they have come to be widely used in providing content and services online as a technical means of implementing web advertising and marketing activities. Now that cookies are subject to protection, they will have a major impact on online business activities, just like the GDPR.
What rights and obligations does it stipulate? A different approach from GDPR
The CCPA grants consumers (California residents) eight privacy rights and stipulates eight corresponding obligations for businesses that handle personal data. Below is an introduction to some of these obligations.
Right to request disclosure
The CCPA provides consumers with the right to know what personal data about them is being collected, for what purpose, how it is being used, and whether or not that data is being shared or sold to third parties, thereby fulfilling their "right to know" regarding their own data.
Companies that receive such requests must respond to them. They are obligated to explain their policy for handling the request within 10 days and to provide a substantive response within 45 days. Unless the business operates exclusively online, it must also provide multiple channels for accepting requests as specified by the CCPA (email, web forms, telephone, written documents, etc.). Failure to meet these requirements constitutes a violation of the CCPA and may result in fines.
Right of erasure
This is the right to request the deletion of data relating to you. The business must respond by the deadline here as well. After verifying that the data belongs to the requester, it must also report how the data was handled (for example, that all data except backups was completely deleted, that it was anonymized, or that it was reduced to statistical information that no longer identifies an individual).
Right to stop sales to third parties
This gives you the right to opt out of having your data sold to third parties, and requires that you also have a way to opt back in, so that this request does not result in an irreversible loss of rights.
Notice obligation
When collecting personal information, companies must notify users. For example, when acquiring cookies, they must notify users of the information they will acquire and how it will be used.
If you sell the information you collect to third parties (this includes not only converting it directly into money, but also providing services to third parties using access logs, such as access analysis services), you must also notify users of their right to opt out.
To avoid people agreeing to the data before they fully understand it, it is necessary to provide an easy-to-understand explanation (i.e., not an explanation that is technically or legally difficult to understand) and obtain consent clearly.
Right to data portability
The right to transfer data about you to other services.
Non-discrimination
The CCPA stipulates that companies may not stop providing you with products or services or change the content or terms of those services as a result of you exercising your rights.
Obligations to achieve these
You will be obligated to provide training to implement these measures, to record and manage the necessary data, and to ensure a reasonable level of security to achieve these goals.
Differences from GDPR
While there are some similarities with the European GDPR, there are also differences in the protection policies and underlying concepts. The GDPR tends toward creating a society in which citizens' rights are protected through government regulation, whereas the CCPA is built around the concept of individuals protecting their own rights regarding their data. This difference appears to reflect differences in how European and American nation states themselves think.
For example, under the GDPR, the transfer of data outside the region is illegal in itself (Japan is an exception as it is deemed to have the same level of protection as the EU), but under the CCPA it is possible with the consent of the individual. While the risk of huge fines under the GDPR seems to be primarily assumed to come from public institutions, the CCPA also anticipates that consumers will be able to defend their own rights to sue, raising the risk of huge damages through class action lawsuits.
In any case, the specific details of the regulations are not identical to those of the GDPR and there are differences, so it cannot be assumed that compliance with the GDPR also equates to compliance with the CCPA.
Each country has different regulations
While the European GDPR and CCPA have been attracting attention due to the possibility of huge fines being imposed, other countries (and other states in the US) also have legal regulations regarding data. Japan must also comply with the Personal Information Protection Act. China and India also have their own unique regulations, and in addition to personal information, they may also impose restrictions on the handling of data for security reasons.
It is becoming necessary to comply with various data-related regulations imposed by each country. Furthermore, with regard to GDPR and CCPA, the regulations may be updated in the future, and current measures may no longer be sufficient.
It would be inconvenient if the rules differed between countries, so some form of unification will likely be pursued. However, if the underlying differences lie in how people think about data and individual rights, then these are fundamental differences, and so differences between countries are likely to remain.
More consideration is needed when using data
When working to utilize data, it is necessary to take into account the circumstances in each country: be aware of which country's or state's residents the data concerns and where it was obtained, where it is currently stored (and the laws of the place where it is stored), and where and how that data will be processed.
Furthermore, the protection of personal data is not the only consideration when utilizing data. Of course, technical aspects must also be considered, such as what data is needed to achieve the desired results and how the data must be stored technically.
Furthermore, there are many other things to consider, such as whether to keep the data in-house or store it in the cloud, which service to use and how, how to prepare for data loss due to a major disaster, and how to share data in businesses that collaborate with other companies.
Is there a way to freely retrieve and use data?
When it comes to data utilization, people tend to focus on analytical functions and other processing capabilities. However, data tends to be scattered in various formats both inside and outside the company, and in most cases, it cannot be fully utilized as is.
Data utilization requires the development of a "connecting" function that can connect to a wide variety of data sources, acquire data, and integrate it as needed. This is necessary not only for the realization of data utilization itself, but also for the realization of a system that can comply with CCPA, GDPR, etc.
However, developing the IT infrastructure needed to handle such diverse data integration needs in-house can be cumbersome, and it can also be difficult to respond quickly to ever-changing data needs.
Software called "EAI" or "ETL," or a cloud service called "iPaaS," can be used to effectively resolve such situations. By simply placing connection icons on the GUI and configuring various settings, you can connect to a wide variety of data and systems, from cloud to on-premise, and access, transfer, or process data.
Related keywords (for further understanding)
- GDPR (General Data Protection Regulation)
- This is a regulation that stipulates what must be considered when handling "personal data" in the European Union (EU). It can be said that it sets out what must be done to handle data in a way that respects human rights, as the EU sees it.
- EAI
- It is a concept of "connecting" systems by data integration, and is a means of freely connecting various data and systems. It is a concept that has been used since long before the cloud era as a way to effectively utilize IT.
- ETL
- In the recent trend of actively working on data utilization, the majority of the work is not the data analysis itself, but rather the collection and preprocessing of data scattered around, from on-premise to cloud. This is a means to carry out such processing efficiently.
- iPaaS
- A cloud service that "connects" various clouds with external systems and data simply by operating on a GUI.
Are you interested in "iPaaS" and "connecting" technologies?
Try out our products that allow you to freely connect various data and systems, from on-premise IT systems to cloud services, and make successful use of IT.
The ultimate "connecting" tool: data integration software "DataSpider" and data integration platform "HULFT Square"
"DataSpider," a data integration tool developed and sold by our company, is a "connecting" tool with a long history of success. "HULFT Square," a data integration platform, is a "connecting" cloud service developed using DataSpider technology.
Another feature is that development can be done using only the GUI (no code) without writing code like in regular programming, so business staff who have a good understanding of their company's business can take the initiative to use it.
Try out the "connecting" technology of DataSpider / HULFT Square:
There are many simple collaboration tools on the market, but this tool can be used with just a GUI, is easy enough for even non-programmers to use, and has "high development productivity" and "full-fledged performance that can serve as the foundation for business (professional use)."
It can smoothly solve the problem of "connecting disparate systems and data" that is hindering successful IT utilization. We offer a free trial version and online seminars where you can try it out for free, so we hope you will give it a try.
Why not try a PoC to see if "HULFT Square" can transform your business?
Why not try verifying how "connecting" can be utilized in your business, the feasibility of solving problems using data integration, and the benefits that can be obtained?
- I want to automate data integration with SaaS, but I want to confirm the feasibility of doing so.
- We want to move forward with data utilization, but we have issues with system integration
- I want to consider data integration platform to achieve DX.
