In May 2018, a massive piece of data privacy and security legislation came into effect – perhaps you’ve heard of it? The General Data Protection Regulation (or GDPR as it’s more commonly known) is a law designed to give the power back to the people of the European Union, at least with regard to their data. Among other things, the GDPR gives EU citizens the right to ask for their data to be deleted, prevents companies from obtaining personal data without explicit consent and forces businesses to immediately notify customers in the case of a data breach or hack.
...and now California is joining in the fun!
Keep your eye out for the CCPA
The California Consumer Privacy Act (CCPA), passed halfway through 2018 and coming into effect January 2020, is another addition to the growing list of data privacy regulations. The CCPA focuses almost entirely on data collection and privacy, giving Californians the right to access their personal information, ask whether it’s being collected or sold, say no to it being collected or sold and still receive the same service or price even if they do say no. This is different to the GDPR, which spans across a broad range of topics – the fines for non-compliance are also nowhere near as huge as they are for the GDPR ($7,500 max fine vs €20 million or 4% of annual turnover, whichever is higher).
Now before you say, ‘That doesn’t sound so bad – plus it’s only relevant to California!’, there are still more bills under consideration that will likely be passed at some point in the near future – ones that would place even further restrictions on companies that collect personal data. And although California is only one of the 50 states in the U.S., it’s home to over 10% of the country’s population and has an economy that’s larger than that of the whole United Kingdom. So with that in mind, the legislation will likely effect changes in data privacy across the whole of the U.S. rather than just in California.
But what does this mean for NZ and AU-based businesses?
Impact of the CCPA on New Zealand and Australia
If you’re a Kiwi or Aussie company that has any U.S.-based customers, it’s pretty likely that you’ll have Californians in your database. This gives you two options: come January 2020, you’ll either have to meticulously segment your database by state to create separate procedures for Californian citizens (and EU ones for that matter), or you’ll have to implement different data collection and privacy procedures for all your customers going forward.
Though it might not initially seem like it, the latter is almost always the easier option – as well as the one that will prepare you most for the constantly changing data privacy landscape.
Maybe you’re an NZ or AU business that exclusively collects information domestically. Despite the fact that this doesn’t affect you yet, it probably makes sense to at least start thinking about updating your data processes. Many of the articles set forth in both the GDPR and CCPA are closely aligned with those from New Zealand’s Privacy Act 1993 (the current data privacy law in NZ), plus it’s likely that similar changes will be arriving in NZ in the near future. Not to mention, Australia has just introduced the Consumer Data Right bill (a similar piece of legislation around data privacy) to parliament, which will come into effect in February 2020 if it is ultimately passed.
Given all these changes, it’s important for all Kiwi and Aussie organisations to get ahead of the legislation and begin updating their data collection and security processes in advance.
How can NZ businesses prepare for the new CCPA regulations?
If you run a large organisation that interacts closely with U.S. customers, you’ll want to internally (or externally) designate someone as the Data Protection Officer in order to ensure total GDPR and CCPA compliance. Many businesses have also been pre-emptively seeking legal help, just to make sure they know exactly what they need to do to prepare and what they should be avoiding in the future.
The next step is to figure out what your current data management practices are. Where do you keep customer data? How much of it do you keep? When (if at all) do you delete it? What is the protocol if there were to be a data breach? In order to give a specific customer access to their information (or delete it), you also need to be able to view personal information at an individual level – is this something you’re currently capable of?
If not, we can help. Data is our bread and butter – and giving organisations better insight into their customers is literally what we do! Datamine has also gone through innumerable structural data changes over the years – our processes and practices have drastically changed since we were founded, but that’s a good thing. It means we’re staying up-to-date, and it means we’re fully qualified to help other organisations through the same changes.
Concerned about the effects the CCPA or GDPR might have on your business? Or looking for advice on how to best prepare for the changing expectations around data privacy? We’d be happy to sit down with you and figure out the best way for you to move forward.