The California Consumer Privacy Act (CCPA), in force from 2020, is stricter on companies than GDPR

In Europe, GDPR was introduced to protect consumers' personal information. In California, a similar law, the California Consumer Privacy Act (CCPA), was passed in June 2018 and is to be enforced from 2020. According to a blog post by TonicAI, a company specializing in data processing, the range of data covered by CCPA is wider than that of GDPR and requires more attention.

Synthetic Data Blog | Tonic

Regulations on how companies may use data have existed for a long time, but they fell into one of two groups: laws like the International Traffic in Arms Regulations (ITAR) and the Health Insurance Portability and Accountability Act (HIPAA), which are "strict but narrow in scope", and laws like the California Online Privacy Protection Act (CalOPPA) and the "Shine the Light" law, which are "broad in scope but loose". Unlike these earlier regulations, new ones such as GDPR and CCPA are both strict and broad in scope.

CCPA applies to any company that meets at least one of three conditions: annual gross revenue exceeding 25 million dollars (about 2.7 billion yen), processing the personal information of 50,000 or more consumers, or deriving 50% or more of its revenue from selling personally identifiable information (PII). For example, if 50,000 California residents visit a website and the server records the visitors' IP addresses, the company operating the website is subject to CCPA.

In addition, the data covered by CCPA is very extensive. TonicAI's blog lists, for example, "identifiers", "geolocation data", "browsing and application interaction history", "biometric data", "purchase history", "education information", "employment information", "inferences drawn from the above information", and "demographic data". Nonetheless, CCPA is said not to restrict the business use of information that is not directly related to a consumer, that is, information that does not identify, describe, or correlate with a specific consumer and is not linked to one.

CCPA also grants consumers the same rights as GDPR: the "right to know", the "right to be forgotten", the "right to opt out of the sale of information to third parties", the "right to equal service", the "right to data portability", and the "right to sue when data is not properly protected". Companies must provide an opt-out button, and unless the service itself directly requires the data being shared, they may not offer different prices or service levels to consumers who opt out. From January 1, 2020, companies may be fined up to $7,500 (about 820,000 yen) per violation, and in addition to fines they may also be ordered to pay damages to consumers.

Because the definition of protected data is so wide, some companies will need to take action before they can keep using production data for testing and development. Using production data normally makes tests more reliable, but under CCPA it also raises business risk, so how to respond to CCPA looks like a difficult problem.

Posted in Note, Security by log1d_ts