In less than a year, the state of California will pass the California Consumer Privacy Act (CCPA). This law will strengthen the rights of consumers. Like the European regulation (RGPD), it will give individuals a right of scrutiny over the use made of their professional information. Companies could be fined. But the ACCP is not as strict as the GDPR.
Appearances can be deceiving. At first glance, the ACCP is California's version of the General Data Protection Regulation (GDPR). But there are differences between these two texts.
The companies concerned accp
All businesses and administrations processing data relating to EU citizens, regardless of location or size, must be in compliance with the GDPR. The scope of the ACCP is narrower: it only applies to California companies with revenues over $ 25 million and data brokers (specializing in the resale of personal data).
Financial sanctions
The European text provides for a graduation of sanctions in the event of non-compliance and / or breach of data protection. They can reach up to 4% of the company's overall annual turnover or 20 million euros (whichever is higher).
CCPA fines are applied per violation (up to a maximum of $ 7,500 per violation). The fundamental difference is in compliance. In Europe, a company can be condemned even if it has not been the victim of a data breach. The CNIL indeed verifies the conformity or not of a site or an application for example. Then she gives the company formal notice to modify certain points. This was the case this winter for the lack of consent . If they are not settled within a specified time, the company may be penalized.
The ACCP sanctions only from the moment a violation has been found. Another difference is that consumers can sue the company for violation.
Consumer rights
These two regulations strengthen the rights of natural persons. The GDPR strengthens certain principles (consent, transparency, etc.) and adds others (access and portability, subcontractors). But this European text focuses on a person's personal data while California law considers both the consumer and the household as identifiable entities.
Promulgation and application of the law
The GDPR was validated in April 2016. It has been enforceable since May 25. In its current form, the American text appears as a response to abuses observed in 2018. The ACCP represents a first step towards better protection of citizens. Other states could introduce more or less similar regulations.
Note that the European Commission has just adopted an adequacy decision concerning the protection of personal data circulating on the internet in Japan. This decision guarantees European Internet users, individuals and businesses, to benefit from high standards of protection when their information is transferred to this country.
No comments:
Post a Comment