The California Consumer Privacy Act of 2018 (CCPA) goes into effect on January 1, 2020. The Act grants “consumers” (any California resident regardless of whether there is a customer or any other relationship with the covered business) five new rights respecting their personal information.1
These rights sound very familiar to companies that have faced compliance with the European Union’s General Data Protection Regulation (GDPR). However, while there are similarities between the GDPR and the new CCPA, the significant differences between the two laws mean that compliance with the GDPR will not be sufficient for compliance with the CCPA.
The CCPA covers fewer businesses and affords broader rights to a more limited class of individuals than the GDPR.
Unlike the GDPR, which protects individuals who are in the EU (even if only temporarily) as well as individuals whose data is processed in the context of an organization established in the EU, the CCPA grants rights only to individuals who are residents of California under the definition used for state income tax purposes. The CCPA does not apply to those temporarily in the state, but it does apply to a California resident who is temporarily outside the state, such as a student attending school in another state. As such, the class of individuals covered by the CCPA is narrower than that covered by the GDPR.
The GDPR defines personal data as any information relating to an identified or identifiable natural person. The CCPA arguably expands that definition to any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. As a result, the scope of data that a covered business must identify and be prepared to locate and disclose is greater than that under the GDPR, since it could be argued that data linked only to a household, rather than to an identifiable individual, does not always constitute personal data under the GDPR.
In order for a business to be covered by the CCPA it must be operated for profit (or for the financial benefit of its owners), and it must meet one of three financial or data-processing thresholds. While the CCPA does not require a business to have a physical presence in California, it does require that the business do business in the state. In addition, the business must either have annual gross revenue in excess of $25 million, or annually buy, receive, sell or share the personal information of 50,000 or more California consumers, households or devices, or derive 50 percent or more of its annual revenue from selling California residents' personal information. Affiliates that control or are controlled by a covered business and share common branding are also brought within the statute's purview. The CCPA therefore does not extend to nonprofits, government entities or businesses that fall below all three thresholds. The GDPR contains no such threshold requirements and applies equally to nonprofits and public bodies, thus casting the net far wider in terms of the organizations it catches.
Traditionally one thinks of a sale of data as delivery in exchange for money. The CCPA goes further and defines "sale" as any form of disclosure, in any format, to another business or third party for monetary or other valuable consideration, and it requires businesses to facilitate and honor individuals' requests to opt out of such sales. "Other valuable consideration" substantially expands the definition of sale. A business that makes personal data available to a vendor for data analytics could be "selling" data even though the business is paying the vendor for the service: under the statute, a "sale" would occur where the business discloses data and, in exchange for that access, receives valuable intelligence about that data. Whether a given vendor disclosure is a sale or a disclosure for a business purpose turns on the contract; the statute excludes transfers to a "service provider" that is bound by a written contract prohibiting it from retaining, using or disclosing the data for any purpose other than performing the contracted services. This concept is not present in the GDPR, and so compliance with the GDPR in terms of accurately describing data disclosures is unlikely to go far enough to meet the requirements of the CCPA.
The CCPA grants additional on-demand disclosure rights that the GDPR does not require.
Both the GDPR and the CCPA empower individuals to request that a business erase the personal information it holds about them, with broadly similar exceptions (although arguably the exceptions under the CCPA are weighted more in favor of the business). Both also provide that individuals may receive a portable copy of the data the business holds about them, though the CCPA limits the data to that collected in the 12 months before the request is made, while the GDPR requires delivery of all data held (subject to exceptions). Under the CCPA, businesses are required to verify the identity of requesting individuals and to respond to disclosure requests within 45 days, and California residents can make such requests up to twice in a 12-month period. The time to respond under the GDPR is shorter, one month (extendable by up to two further months where requests are complex or numerous), and there is no limit on the number of requests that can be made.
Data Collection Practices.
In conjunction with the right to data portability, the CCPA requires a business to disclose its data collection practices along with providing the requesting individual's specific personal data. The disclosure must include a description of the categories of personal information collected by the business in the 12 months prior to the request, the sources of the data, the business or commercial purpose for collecting or selling it, whether the data was shared for a business purpose or sold, and the categories of third parties receiving the data. The GDPR differs in the way that results must be presented to the individual and does not impose a 12-month look-back window limiting how far back the business needs to search.
Data Sale Practices and Opt-Out.
The CCPA gives California residents the right to request information about the business's sale and disclosure of their personal information during the 12 months prior to the request and to receive a response within 45 days. The response must include a description of both (1) the categories of data sold along with the categories of third parties receiving the data and (2) the categories of data disclosed for a business purpose along with the categories of third parties receiving the data. Given the broad definition of a sale of data noted above, compliance with this obligation, which is unique to the CCPA, will require a review of vendor and partner contracts to classify each disclosure. In addition, a covered business that sells data must provide a simple, free means of opting out of the sale of personal data and must include on its website home page a clear and conspicuous link titled "Do Not Sell My Personal Information" that points to a page where the opt-out can be exercised. Clearly, compliance with the CCPA will require a process to receive, record and honor these opt-outs. These disclosure and opt-out rights are provided for differently under the GDPR, and so companies must decide whether to adopt the highest common denominator for all data or to handle CCPA and GDPR data in different ways, which could create headaches in terms of data management practices.
Nondiscrimination and Enforcement.
The CCPA protects individuals who exercise their rights under the statute by prohibiting a business from discriminating against them. This means that the business cannot deny goods or services, charge different prices or rates (including through discounts or other benefits) for goods or services, provide a different level or quality of goods or services, or suggest that it will do any of these things. The statute does permit a business to offer financial incentives for the collection, sale or deletion of personal information, but only where the price or service difference is reasonably related to the value of the consumer's data and the consumer has opted in to the incentive. Such an explicit protection is not offered under the GDPR, and so a CCPA-covered business will need to address this divergence in its policies and procedures as part of its compliance process.
Both the CCPA and the GDPR are enforced by a primary regulator: the relevant Data Protection Authority for the GDPR and the California Attorney General for the CCPA. Individuals have a private right of action under the CCPA only for data security breaches, namely the unauthorized access, theft or disclosure of nonencrypted and nonredacted personal information resulting from the business's failure to implement reasonable security procedures; the GDPR provides for representative actions brought on behalf of data subjects by qualifying not-for-profit bodies. Under the CCPA, the Attorney General must give 30 days' notice of noncompliance and an opportunity to cure before bringing an action, and may recover civil penalties of up to $2,500 per violation ($7,500 per intentional violation). Individuals bringing a breach claim may recover statutory damages of $100 to $750 per consumer per incident, or actual damages if greater, and must likewise give the business 30 days' written notice and an opportunity to cure before seeking statutory damages. Maximum penalties for violation of the GDPR are €20 million or 4% of worldwide annual turnover, whichever is greater.
1. CCPA's requirements do not apply to "medical information" subject to the California Confidentiality of Medical Information Act (CMIA) or to "protected health information" collected by covered entities and business associates under the HIPAA Privacy, Security and Breach Notification Rules. Moreover, providers of health care subject to CMIA and covered entities subject to HIPAA are not covered businesses under CCPA if they maintain all patient information in the same manner they maintain "medical information" or "protected health information" subject to CMIA and HIPAA, respectively. CCPA also exempts information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act or the California Financial Information Privacy Act, among other exemptions. In contrast, the GDPR has no such carve-out; health data is instead a "special category" of personal data that may be processed only under the stricter conditions of Article 9.