The Californian Consumer Privacy Act (CCPA) ushers in new rights for Californian residents and compels companies that operate in California to implement changes or face fines or other enforcement action. The CCPA has been compared to GDPR and whilst there are some common themes it is not modelled on the EU Regulation. There are some key differences.
The CCPA was passed on 28th June, 2018, to take effect from 1st January 2020, and becomes enforceable on 1st July 2020. It has been argued that the Act was a ‘rushed job’ and it was acknowledged by many on both sides of the privacy debate as in need of refinement. Since the Act was passed it has been subjected to intense lobbying from interested parties.
Further, since the passage of the CCPA, the likelihood of new U.S. Federal legislation has increased significantly. Ironists may enjoy the fact that major corporate actors that have piqued Federal concern in this area are now among those most actively in favour of national regulation, presumably hoping to shape a law that may “trump” more onerous state laws. Upon its initial passing CCPA was widely considered to be groundbreaking by U.S. standards in it’s scope, and likely to provide a benchmark for future Acts in other states. (Indeed, the proposed New York Privacy Act, introduced earlier this year and currently before the state senate, is in some certain aspects broader in its scope than CCPA).
Consequently, lobbying by privacy advocates and industry groups at both state and federal levels is fervent, and reflects key competing goals.
Against this backdrop, the CCPA continues to proceed through the State’s legislative process. Multiple bills seeking amendments have been filed, with three currently approved and at least five pending. These largely reflect the competing interests of the ‘tech lobby’ and privacy advocates on issues surrounding eprivacy and adtech, that may be familiar in the context of GDPR/ePrivacy debate. In some cases, they also challenge or seek to weaken key privacy definitions familiar to businesses operating under the aegis of GDPR regime.
5 key CCPA impacts and how this differ from GDPR
1. Territorial & material scope
The CCPA applies to certain organisations who ‘do business in the State of California’ regardless of where they are located. This is limited to businesses that process the personal data of Californian residents.
The Act defines a “consumer” as “a natural person who is resident, as defined in Section 17014 of Title 18 of the California Code of regulations”. This references the Personal Income Tax code of the state and as such potentially encompasses a very broad definition of who exactly a “consumer” may be. For example, if a customer makes a purchase from a Californian based business from outside of the state, yet is actually a Californian resident temporarily out of the state (on holiday or business), they are covered by the Act and must be identified (somehow) by the business as such.
Additionally, as originally drafted, the Act’s definition of a “consumer” would apply to personal information businesses collect on their employees. A bill (AB-25) has been submitted to amend the Act to exempt employee data, in most instances, from the scope of the Act. This bill is one of the submitted amendments that are pending the decision of the Assembly Appropriations Committee.
The definition of ‘businesses’ means it will apply to ‘For-Profit’ companies doing business in California that collect consumer personal information, determine the purpose and means of processing and meet one or more of the following criteria:
- have gross revenue of $25M;
- alone or in combination annually buys, receive, sell or share the personal information of at least 50,000 consumers (natural persons resident in California), households or devices;
- derives 50% or more of annual revenue from selling such information.
This is a marked difference from GDPR, which encompasses not-for-profits and all organisations which process personal data, regardless of revenue.
There is also a distinction when it comes to processors. Under the CCPA ‘Service providers’ are a processor for a ‘business’ that receives the data for business purposes under a written contract containing certain provisions. Again, only for-profit entities can be classed as ‘service providers’ under the current drafting of the Act. Service providers under CCPA do not have the same accountabilities & liabilities as processors under GDPR.
The CCPA provides several specific exceptions from its scope, such as medical information and protected health information.
2. Personal data definition under CCPA
The Act defines personal data as any information that ‘identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.’
A lengthy list of examples is provided, which could potentially make the Californian definition even broader than GDPR. Examples include IP addresses, cookies, pixel tags and beacons.
The CCPA does not contain special conditions for the processing of more sensitive data and has not defined anything similar to GDPR’s special category data.
3. No data protection principles
Data protection principles have always been at the heart of EU data protection law, and were simply revised under GDPR
The CCPA is markedly different in this respect. It does not have core principles and imposes few restrictions on what businesses can do internally with the personal data they process. However, the Californian Attorney General is authorised to issue guidance on the law, and this may include data protection principles.
Nor does the CCPA contain provisions surrounding lawful basis. Under GDPR processing of personal data must be justified under one of six defined lawful bases.
4. Consumer Rights
Under the CCPA Californian residents have 6 rights:
a. Right of access
The consumer’s right of access is covered in different sections of the CCPA. The main provision is similar to GDPR: “A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.”
b. Right of deletion
This creates the right for consumers to request that any business deletes the personal information relating to them. This only applies to the personal data that is collected by a business from the California resident who is exercising the right. How this is to be interpreted is not clear. There are also exceptions to this right which differ from GDPR.
c. The right to know what information has been collected
d. The right to know what information has been shared
This right is subject to some debate and businesses will need to consider whether sharing is for ‘business purposes’ and what sharing may be considered ‘commercial purposes’, as these will need to be separately disclosed.
e. Right to opt-out
This gives individuals the right, at any time, to opt out of a businesses’ sale of their personal information to third parties. Further guidance is anticipated from the Attorney General on what constitutes a ‘sale’.
f. Right to portability
This differs from the GDPR right to portability under GDPR. The CCPA provides that Californian residents that exercise their right of access, must receive the data “by mail or electronically and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transit this information to another entity without hindrance”.
It is worth noting that children’s data (defined as under 16 years) is subject to opt-in provisions, whereas collection of adult personal data is subject to opt-out provisions.
5. Obligation to inform consumers
At the point of the collection of personal data, businesses will be required to inform consumers of the types of personal information to be collected and the purposes of its use. Additionally, consumers must be informed about the right to deletion and the right to opt-out of the sale of their personal information.
Businesses must make certain information available to consumers via their privacy notices, or otherwise at the time the personal data is collected. Businesses will therefore need to review current privacy policies accordingly. This differs from the specific information requirements under GDPR.
The CCPA is the first state data protection law in the US but it’s significantly different from other data protection laws like the GDPR. It will require companies doing business in California to get to grips with the difference to GDPR and invest in CCPA compliance.
While the final nuances of the Act are under debate, (the IAPP has produced this handy CCPA amendment tracker), the deadline for enactment fast approaches. Companies who consider themselves GDPR compliant, or who are working towards compliance, and to whom the CCPA may apply, have a head start. Data Governance policies, Records of Processing Activities – all will serve well as key steps towards realising compliance under the CCPA concerning consumer rights. Nonetheless, no company can merely assume that being GDPR compliant makes them CCPA compliant.
A review of all practices in line with CCPA will be necessary, not least beginning with public-facing statements on a corporate privacy notice .
Mark Bridges, July 2019
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.