Companies will want to understand the often similar but frequently very different requirements created by the California Consumer Privacy Act of 2018 (CCPA) and the European Union’s General Data Protection Regulation (GDPR). Two things are certain: first, the data privacy landscape is changing rapidly – probably too fast for many of the companies covered by these laws – and, second, failure to comply with their provisions can result in significant financial liability.
The GDPR went live a year ago on May 25, 2018, and has been touted as the most comprehensive data protection law ever. Arguably in the running for second place is the CCPA, considered the closest thing to a U.S. national standard and with global effect since California represents the fifth largest economy in the world.
“Although the CCPA has a few things in common with GDPR, the CCPA is far narrower and less comprehensive than the GDPR,” said noted privacy law expert Daniel Solove of TeachPrivacy and George Washington University Law School. That is in part by design and in part a consequence of the speed with which the CCPA was enacted.
As for the birth of the California law, Solove wrote that it was “hurried through the legislative process to avoid a proposed ballot initiative with the same name.” The ballot initiative was created and funded with millions of dollars by real estate developer Alastair Mactaggart. “Mactaggart indicated that he would withdraw the initiative if the legislature were to pass a similar law,” Solove explained, and this prompted the “rush to pass the new Act, as the deadline to withdraw the initiative was looming.”
Mark W. Brennan, a partner at Hogan Lovells US, compared the “rushed CCPA” to “building a plane while trying to fly it.” He stated that the “applicability of the CCPA to non-U.S. companies is a bit uncertain, and even more unclear is the extent to which the California Attorney General or private litigants will really be able to enforce the CCPA abroad. Such limits underscore how the CCPA could put U.S. companies at a competitive disadvantage.” See more in an article published by LexisNexis®.
Who is regulated?
The CCPA regulates any for-profit entity doing business in California that meets any one of the following thresholds: a) annual gross revenues in excess of $25 million; b) annually buys, receives, sells, or shares for commercial purposes, alone or in combination, the personal information of at least 50,000 consumers, households, or devices; or c) derives 50 percent or more of its annual revenues from selling consumers’ personal information. It also applies to any entity that controls or is controlled by a covered business and shares common branding with that business. See the full text.
The GDPR “applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU” as well as “the processing of personal data of data subjects in the EU by a controller or processor not established in the EU” where the processing relates to the offering of goods or services to those data subjects or to the monitoring of their behavior within the EU. Note that the GDPR’s extraterritorial test turns on where the data subject is, not on citizenship. Read the full text.
The “scope and territorial reach” of the GDPR is “much broader” than the CCPA, and they differ “substantially” in the parties they regulate, as outlined in a comparison chart published by Thomson Reuters and written by attorneys at Baker Hostetler. See the comparison chart.
Who is protected?
Consumers are defined by the CCPA as California residents either: a) in California for other than a temporary or transitory purpose or b) domiciled in California but currently outside the state for a temporary or transitory purpose. See more at LegInfo and Findlaw.
Consumers include: a) customers of household goods and services; b) employees; and c) individuals involved in business-to-business transactions. As set out in Section 1798.140(g), “Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.
The GDPR protects “data subjects,” defined as the identified or identifiable natural persons to whom personal data relates.
“Substantially different in approach, but similarly broad in effect, both laws focus on information that relates to an identifiable natural person, however the definitions differ. Both have potential extraterritorial effects that businesses located outside the jurisdiction must consider,” according to the Baker comparison chart.
Differences That Matter
The impact of the different definitions will matter greatly, however. Professor Solove commented that the CCPA defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” He said this is similar to the GDPR’s definition of “personal data” in that “it includes information that is identifiable — that could be linked directly or indirectly to people. But,” he wrote, CCPA diverges from GDPR because it excludes “publicly available information” — “information that is lawfully made available from federal, state, or local government records.” That’s not an insignificant difference. “There is a ton of data in these records, which can readily be aggregated, analyzed, and sold,” Professor Solove wrote.
The Baker comparison chart explains other similarities and differences. It found the two laws “substantially different” with regard to opt-out rights for sales of personal information (an explicit CCPA right with no direct GDPR counterpart) and the sale of data relating to children. Unlike the GDPR, the CCPA does not address the right of rectification or the right to object to automated decision-making. The GDPR is also stronger regarding the rights to “restrict and object” to processing generally, where the CCPA only provides opt-outs.
While the penalty provisions – for private rights of action and civil fines – differ between the two laws, violating either law may cause “significant” liability, the Baker chart warns.
Substantially similar, the chart says, are the two laws’ provisions relating to: information protected; anonymous, deidentified, pseudonymous, or aggregated data; data security requirements; rights of disclosure and access; right of data portability; right to deletion / erasure, aka the right to be forgotten (although the GDPR’s version is broader); and responding to rights requests. The laws are fairly similar in the areas of privacy notice / information rights, disclosure requirements, and non-discrimination.
Are Your Current Data Protection Systems Still Enough?
“Although both regulations are designed to protect consumers by granting greater control over personal data,” the LexisNexis Practice Advisor Journal article reads, “Brennan has the following advice for companies: ‘The new portability, access, and deletion rights, among others, are different enough from the GDPR that companies will need to take a fresh look at their operational compliance processes. Many companies are under the wrong assumption that GDPR compliance is sufficient, and unfortunately several systems launched by May 25 will no longer be sufficient.’”
The Future of Privacy Forum says the most significant differences are in the application, the nature and extent of collection limitations, and rules concerning accountability. Regarding accountability, the FPF says, “the GDPR provides for obligations in relation to the appointment of Data Protection Officers, the maintenance of a register of processing activities, and the need for Data Protection Impact Assessments in specified circumstances. Conversely, the CCPA does not specifically focus on accountability-related obligations, even though such provisions exist, such as the obligation for companies to train their staff that deal with requests from consumers.”
The Future of Privacy Forum finds significant the differences in the “core legal framework” of the laws. “A fundamental principle of the GDPR is the requirement to have a ‘legal basis’ for all processing of personal data. That is not the case for the CCPA.”
The FPF also notes that the CCPA excludes from its scope “the processing of some categories of personal information altogether, such as medical data covered by other U.S. legal frameworks, including processing of personal information for clinical trials, and personal information processed by credit reporting agencies.”
The CCPA specifically addresses, however, “transparency obligations” and limiting the sale of personal information. For example, the FPF says, it requires a “Do Not Sell My Personal Information” link on business homepages. The CCPA also includes provisions relating to data transferred through mergers and acquisitions, providing consumers opt-out rights, according to FPF.
Although California’s CCPA may not be as broad as Europe’s GDPR, a company that is compliant with the GDPR is not necessarily compliant with the CCPA.
For example, the CCPA defines “personal information” to include information linked at the household or device level, whereas the GDPR ties personal data to an identifiable natural person and has no household concept. The CCPA includes an explicit right to opt out of sales of a consumer’s personal information, whereas the GDPR does not. And the CCPA requires a “Do Not Sell My Personal Information” link on a website homepage, whereas the GDPR has no such requirement. Designing a comprehensive yet flexible privacy program that complies with each of these nuanced regimes is a real challenge for affected companies, especially as the CCPA continues to evolve.