How to leverage the GDPR for CCPA compliance
September 2019 | PROFESSIONAL INSIGHT | DATA PRIVACY
Financier Worldwide Magazine
September 2019 Issue
The California Consumer Privacy Act (CCPA) has been fêted as California’s answer to the European Union’s (EU’s) General Data Protection Regulation (GDPR), which marked a watershed moment for privacy law when it came into force last year. However, although the two laws share some common features, the CCPA and the GDPR are ultimately different beasts. Whereas the GDPR sets out a comprehensive framework governing the processing of personal data, both by European businesses and by other businesses handling European data, the CCPA is principally focused on giving California consumers greater rights to access their information and to opt out of its sale to third parties.
Ultimately, if your business is caught by both the CCPA and the GDPR, you will need to assess your duties under each law separately. That said, the two laws have enough in common that you will not need to reinvent the wheel. This article explores how the measures you implemented for GDPR compliance can be leveraged to prepare for the CCPA before it comes into effect at the start of 2020.
Determining how the CCPA applies to you
As a first step, you will need to assess how the CCPA applies to you and whether you will be considered a ‘business’, ‘service provider’ or ‘third party’ under the law. The CCPA only imposes direct obligations on businesses that meet certain thresholds, but you will be impacted if you are a service provider receiving personal information from a CCPA business. This is because businesses are required to put certain contract terms in place when sharing personal information with service providers and the CCPA imposes direct liability on service providers that use personal information outside the scope of these restrictions and for their own commercial purposes.
The analysis you carried out for the GDPR will be useful here and, in some cases, may be determinative. As with ‘controllers’ and ‘processors’ under the GDPR, a CCPA business determines the purposes and means of processing while a service provider merely processes personal information on behalf of a business. Although the two sets of roles do not carry the same rights and responsibilities, they are broadly analogous. So if you have already reviewed your processing activities and third-party relationships for the GDPR, you may already have the answers for the CCPA.
Data mapping
Just when you thought data mapping was behind you, the CCPA has arrived. Understanding how your organisation collects, uses, shares and disposes of personal information will be crucial when it comes to providing adequate disclosures and fulfilling rights requests, so data mapping is an essential first step in any CCPA compliance programme.
Helpfully, given the similarity between ‘personal information’ under the CCPA and ‘personal data’ under the GDPR, any mapping you carried out for the GDPR will give you a good starting point. However, you will need to modify your analysis for the CCPA. Most obviously, the CCPA is only concerned with the personal information of California residents. On a more nuanced level, it brings certain information within its scope that the GDPR does not, such as information that can be linked to a particular household rather than to an individual, and it excludes other information, such as publicly available information and certain health, medical and financial information that is regulated under other laws. The CCPA also takes a different approach to what data may be considered ‘non personal’ and therefore out of scope, as its concept of ‘deidentified’ data is more akin to ‘pseudonymised’ data than to ‘anonymised’ data under the GDPR.
Finally, you will also want to capture different information when reviewing your data flows, including the categories of personal information according to the CCPA’s definition and greater detail around when and how you share information with third parties, particularly if you are selling personal information.
Notice and transparency
Like the GDPR, the CCPA requires businesses to provide certain information in their privacy notices and, helpfully, there is a great deal of overlap in terms of what needs to be disclosed. For example, both the CCPA and GDPR require businesses to disclose the purposes of processing and the sources of data by category. However, there are a number of CCPA-specific requirements so you will need to update your notices. In particular, the CCPA requires more granularity around the categories of personal information sold or disclosed for a business purpose in the previous 12 months, as well as a description of California consumers’ rights under the CCPA, including access, deletion and opt out.
Consumer rights
The CCPA contains four basic rights: access, deletion, opting out of the sale of personal information and non-discrimination. In terms of your internal procedures, this is one area where you can really benefit from your existing GDPR compliance measures. If you have already designed and implemented technical and organisational capabilities to identify, retrieve and, where necessary, permanently delete personal information from your systems, as well as internal procedures for handling and responding to requests, you will have made significant progress towards the CCPA. In addition, any GDPR policies, procedures or training materials you have drafted can be used as templates for their CCPA equivalents.
From a practical perspective, there are some CCPA-specific requirements you will need to consider. For example, the CCPA mandates that businesses provide consumers with a toll-free number and a web address for submitting requests, and while the GDPR permits controllers to verify an individual’s identity when a request is received, this is a mandatory step under the CCPA. The CCPA also sets different response periods: 45 days, extendable once by a further 45 days where reasonably necessary, compared to one month, extendable to three months for complex requests, under the GDPR. Companies will need to review their processes to see whether and how they need to be adapted.
In terms of the actual nature and scope of the rights, though, more consideration is required. Some of the rights will seem familiar: the GDPR also contains rights to access and delete personal data and, although it does not contain a right to opt out, the right to withdraw consent or to object to processing, depending on whether consent or legitimate interests is relied on as the lawful basis, is not dissimilar in terms of its potential application.
However, when and how these rights apply, including the exemptions that are available, are quite different. For example, the CCPA effectively bundles the right of access with a right of data portability by requiring businesses to respond to electronic requests in “a portable and, to the extent technically feasible, in a readily useable format”. As data portability is a separate right under the GDPR and only arises in certain circumstances, this may have an impact on how you respond to access requests, in particular if you have not been required to meet data portability requirements under the GDPR, for example because you do not rely on consent or contractual necessity as your lawful basis.
In terms of non-discrimination, this right has no direct equivalent under the GDPR. It essentially prohibits a business from withholding a service or charging a different price on the basis that the consumer has exercised their rights under the CCPA, unless the business can show that the use of the individual’s information is tied to the value of the service or that the information is used in accordance with a permitted ‘financial incentive scheme’.
Ultimately, these differences mean that a request under the CCPA and a request under the GDPR will need to be reviewed separately, applying a different legal analysis and, possibly, leading to a different outcome.
Security and data breaches
Unlike the GDPR, the CCPA does not impose direct data protection and security obligations on businesses. However, it does give consumers the right to claim damages from a business whose failure to implement and maintain ‘reasonable security procedures and practices’ results in a data breach. This means that cyber security will be as much of a concern for CCPA businesses as it is for those impacted by the GDPR. Apart from your own security practices, you may also need to review your service providers’ practices to ensure they are adequate, and review your agreement terms to assess whether the assurances and liability provisions are fit for purpose.
Service provider agreements
One of the big changes introduced under the GDPR was the requirement to include certain terms in controller-processor agreements, the so-called ‘Article 28 terms’. This requirement meant that businesses had to revisit their existing contracts with service providers and customers to ensure they were GDPR-compliant and, where necessary, negotiate new data processing terms. The CCPA also requires that certain terms are included in contracts between businesses and service providers, although these are far less extensive than the GDPR requirements. You will need to revisit your arrangements from a CCPA perspective to ensure they are compliant and draft CCPA clauses for use in new contracts. If you completed (or are still in the process of completing) this exercise for the GDPR, you will benefit from having already developed the workflow and relationships within the business needed to complete this task.
Staff training
As with the GDPR, an important part of any CCPA compliance programme will be ensuring that staff understand how the CCPA impacts the business and are aware of their obligations under the law. The CCPA also requires that businesses provide training and guidance to staff members who handle rights requests. This is another area where your previous efforts for the GDPR can be leveraged; in particular, if you have already implemented a GDPR training programme, it can be adapted to include CCPA-specific content.
Given the uncertainty around whether the CCPA will be amended before it comes into effect, or pre-empted by a federal law, many businesses have been playing a waiting game. However, the clock is ticking: the CCPA becomes effective on 1 January 2020, so waiting may no longer be an option. The good news is that your efforts for the GDPR may make the task ahead a lot easier this time around.
Richard Lawne is a solicitor at Fieldfisher. He can be contacted on +44 (0)207 861 4104 or by email: firstname.lastname@example.org.
© Financier Worldwide