How the new California privacy law and GDPR affect your North Carolina business
Data breach reports have reached record-breaking numbers over the last few years. Laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) aim to combat breaches and maintain data privacy for consumers. These laws will affect any organization that conducts business within the jurisdictions they govern.
What is GDPR? What is CCPA?
The GDPR is a regulation passed by the European Union in 2016 and effective in 2018. It requires all companies to use proper technological and organizational measures to secure personal data gathered on any EU citizen.
The CCPA is a law passed in 2018 that similarly governs data in the state of California. It is set to become effective on January 1, 2020, and is designed to give consumers greater control over who uses their personal data.
How do these benefit consumers?
Laws like these are extremely beneficial because they enlighten individual consumers about how companies are storing and handling their sensitive personal data.
They also allow individuals to request that their personal data be deleted or not be sold. Therefore, there is less risk that personally identifiable information can be used against them or exposed in a data breach.
How do they affect companies in North Carolina and the U.S.?
Despite being passed by the EU and California, these laws affect businesses that reside or operate in other jurisdictions.
For the GDPR, any firm that’s located outside the European Union but “offers free or paid goods and services or monitors the behavior of European Union residents” is subject to the regulations. Therefore, a business that doesn’t even operate in the European Union but gets web traffic from European countries falls under GDPR jurisdiction.
It’s less clear whether the CCPA applies to entities outside of California as the language specifies “any organization that conducts business in the state of California.” However, there is some ambiguity regarding whether businesses that merely collect data on California residents are subject to the CCPA as they would be under the GDPR.
Some criteria for judging whether a business is subject to the CCPA include having gross revenue over $25 million, transacting with the personal information of more than 50,000 individuals, or earning more than 50% of revenue by selling consumer personal information and data.
In any case, all organizations based in North Carolina or other states should carefully examine whether they are in compliance with both the GDPR and CCPA. Companies that fail to comply with or enforce these regulations may face fines and other consequences.
How are other states handling these developments? Will similar regulations pass in North Carolina?
Some states are following California’s lead and have introduced bills that apply similar consumer privacy and data protection measures. New York and Nevada are two of the first and are in the process of adopting such copycat laws.
Today, no legislation or regulatory action within the North Carolina state government governs data regulations. However, businesses that operate in the state should take steps to ensure compliance if they conduct business in jurisdictions that have enacted such measures.
While its experts recommend seeking legal counsel for specific legal matters that impact your business, Think Tech Advisors offers technological consulting services and experience implementing an effective data management strategy that complies with data protection laws.