On June 28, 2018, California Gov. Jerry Brown signed into law a sweeping privacy bill, the California Consumer Privacy Act (CCPA). The CCPA is often compared to the EU General Data Protection Regulation (GDPR) because of its broad scope and strong privacy protections, with the potential to affect businesses worldwide. The CCPA becomes effective on January 1, 2020.
Where CCPA Applies
A business covered by CCPA is defined as any for-profit entity that meets one or more of three criteria: 1) $25 million in annual revenue; 2) holds the personal data of 50,000 people, households, or devices; or 3) obtains at least half of its revenue in the sale of personal data. Notice that the business does not need to be located in California – it need only collect or possess the personal data of people in that state. This makes the CCPA applicable worldwide, in a similar way as the GDPR.
Certain data are exempt from CCPA requirements regarding collection and handling (in fact, employee data are specifically excluded at the time of this writing); but businesses may process data on behalf of customers who are obliged to comply. Because those customers will want assurance that the data processing performed on their behalf is CCPA-compliant, the processing services offered by the business will need to comply with CCPA. Here again is a similarity with the GDPR, which obliges data processors (such as cloud software providers) to comply by virtue of handling their customers’ data.
The CCPA aims to protect any “consumer,” defined as a “natural person who is a California resident.” A resident is “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.”
Is CCPA the “GDPR of California”?
To call the CCPA “the GDPR of California,” as many do, conveys the comparable heft of the two laws, but the comparison can be misleading. CCPA is not directly modeled on the GDPR; compliance with the GDPR does not equate to compliance with the CCPA.
The three criteria that define where CCPA applies give it a somewhat narrower scope than GDPR; many small businesses will not be required to comply with CCPA. Yet the CCPA’s broad geographic reach, combined with a solid set of rights granted to individuals over their personal data, is certainly comparable in breadth and importance to GDPR.
Rights of the Individual
The GDPR speaks of “individuals,” while the CCPA speaks of “consumers.” The GDPR grants individuals rights of access, rectification, correction and opposition – as do most data protection frameworks. Additional rights, such as the right to data portability or the right to an explanation of automated decision making, are also conferred.
The consumer’s right to access personal data under the CCPA is very similar to the access rights under the GDPR. Both allow individuals to request and see all the data an organization holds about them. Once the data are made available to the individual, both the GDPR and the CCPA grant a right to have the data the business collected erased.
Where the collection of personal information is concerned, the CCPA differs from the GDPR. While the GDPR requires the explicit agreement of the individual to collect their personal information, giving them the right to opt out of collection, the CCPA grants only the right to opt out of the sale of personal information, not of its collection or other uses. By contrast, the GDPR never permits the sale of personal data without the express prior opt-in of the individual. The CCPA, however, requires that any sale of children’s data obtain an express opt-in, either by the child (if between ages 13 and 16) or by the parent (if the child is younger than 13).
As under the GDPR, consumers under the CCPA have the right to request disclosure not only of the personal data a business holds, but also of any third parties with whom the data are shared. Such requests pose a challenge under both laws. Businesses will need a verification process to be certain the request is legitimate (and not from someone posing as the individual); otherwise, the business risks disclosing the data to unauthorized parties.
Business Obligations under CCPA
Both the GDPR and the CCPA oblige businesses to disclose the personal data they collect, use, and share. The CCPA requires that businesses disclose, “at or before the point of collection,” the categories of personal information to be collected and the purposes for which the data will be used. They must also disclose the collection of any additional categories of information (or the use of collected information for any additional purposes) that takes place after the initial disclosures have been made.
Organizations will be required to disclose to whom they sell consumers’ personal data, and consumers will have the ability to object to the sale of their data. To make objection easier, businesses covered under CCPA must place a “Do Not Sell My Personal Information” button on their web sites. Businesses that do not sell personal information must state that they do not.
Businesses will be prohibited from discriminating against any consumer who exercises rights granted in the bill (for example, by lowering or limiting the quality of service to consumers who object). CCPA does, however, permit them to offer higher tiers of service in exchange for consumer data, if done in a fair manner. For example, a business may offer a price or service difference if the difference is reasonably related to the value of the consumer’s data, so long as it explains the incentive or the difference in price or service.
Enforcement and Fines
Both the CCPA and the GDPR introduce serious fines for non-compliance. The State Attorney General will enforce the CCPA. For unauthorized access to a consumer’s “nonencrypted or nonredacted personal information,” fines of up to $7,500 per violation (per record in a database, for example) may apply. Given the routine business necessity of storing personal information in databases – containing hundreds of records on average (as a conservative estimate) – the penalties are quite serious. The GDPR fines, which apply somewhat differently, can reach €20 million, or up to 4% of revenue.
Privacy Around the World
The CCPA and the GDPR may be early to the privacy regulation game, but they will not be the last to play. Many states in the U.S. are considering laws similar to the CCPA. Compliance with one does not guarantee compliance with another, but the overall trend is clear – privacy protections are the new normal. Companies and consumers alike should take note.