The California Consumer Privacy Act and the GDPR: two of a kind?
November 2018 | EXPERT BRIEFING | DATA PRIVACY
While the dust of the entry into force of the European Union’s (EU) General Data Protection Regulation (GDPR) has hardly settled, a new, somewhat similar privacy law has been introduced overseas. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, establishes one of the most comprehensive data privacy regulations in the US. As such, it could be considered the US counterpart of the GDPR.
Given that many global companies are still feverishly working on their GDPR compliance, they rightly wonder if worldwide implementation of the GDPR’s privacy protective measures will be sufficient for them to comply with the CCPA or similar laws across the globe.
Unsurprisingly, the answer to that question is no. Although the CCPA’s focus on consumer data rights has understandably drawn comparisons with the GDPR, compliance with the latter does not necessarily mean compliance with the former. Therefore, in what follows, some of the key differences and similarities between the CCPA and GDPR will be presented, with a view to providing a first glance at what additional efforts companies should consider in the run-up to the Act’s entry into force on 1 January 2020.
Applicability. First of all, global companies will need to verify if, in addition to the GDPR, the CCPA is applicable to them. The GDPR applies to the processing of personal data by controllers and processors established inside the European Union as well as to those established outside the European Union that are processing personal data of subjects inside the Union. The CCPA, however, only regulates companies “doing business” in the State of California. As such, the CCPA does not extend its scope to companies of which “all commercial conduct takes place outside of California”. Moreover, the CCPA only governs the processing of personal information by an entity that decides upon the means and purposes of processing, i.e., a ‘data controller’ in the sense of the GDPR. More importantly, companies that are processing personal information of California residents are not subject to the new Act unless they satisfy one (or more) of the following thresholds: (i) they have annual gross revenues of $25m; (ii) they have obtained the personal information of 50 thousand or more California residents, households or devices annually; or (iii) they have acquired 50 percent or more of their annual revenue from selling California residents’ personal information.
Concept of personal data. Furthermore, the concept of personal data/personal information is not defined in the exact same way under both laws. Although each of them refers to information ‘relating to’ a person/consumer, the CCPA also explicitly includes information “that can be reasonably linked with a household”. Consequently, not only a consumer’s IP address, but also the utility invoices of a Californian household, constitute personal information under the CCPA. That said, one can argue that the GDPR implicitly includes this household-related information as it relates to members of the household as well.
User rights. In terms of rights awarded to the consumer, the CCPA and GDPR show remarkable differences. The CCPA, unlike the GDPR, does not define any legal grounds for processing, nor does it require explicit consent. However, the Act aims at furthering Californians’ right to privacy by giving consumers effective ways to control their personal information. Accordingly, the CCPA attaches great importance to the right of consumers to know which categories of personal information is collected about them and grants them a broad right of access to a copy of their personal information collected. Though these rights might seem similar to the ones found in the GDPR, the CCPA goes further by including certain very prescriptive obligations, such as the duty to make available to consumers a toll-free phone number and website address for submitting information requests.
Equal rights. The CCPA stipulates that Californians have a right to equal service and price, even if they exercise their privacy rights. This means that companies are prohibited from denying goods or services, charging different prices or providing different levels or quality of service to those consumers exercising their privacy rights. On the other hand, businesses are allowed to offer financial incentives for the collection or sale of personal information and may even differentiate the price or quality of goods and services if that difference is directly related to the value provided to the consumer by its data. Since these last exceptions appear to be swallowing the rule, it is still uncertain how the permitted pricing differentials will work in practice. However, given that the CCPA is understood as a work in progress, these provisions are expected to be the object of future amendments.
Some commonalities. As well as differences, the CCPA and GDPR have a lot in common. Both laws deal with the same broad themes, such as transparency, and each of them lays down a similar right to delete personal data (‘right to be forgotten’) as well as a right to data portability.
Data security. When it comes to data security and data breach response, the CCPA tends to be less stringent than the GDPR. Although companies have a duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, they are not required to report data breaches when these occur. Consequently, if a business complies with the GDPR in terms of securing data, it is likely that it will not have to take any further action to comply with the CCPA in that respect.
Fines and financial exposure. Companies should not forget that in case of non-compliance, they may face additional damages, supplementing those provided by the GDPR. In the CCPA, enforcement rests with the California attorney general, who can bring a civil action ordering companies to pay damages of up to $7500 per intentional violation of any provision of the Act. Unintentional violations that are not remedied within 30 days of notice can amount to damages of up to $2500 per violation. Only in case of data theft or data security breach do consumers themselves have a right of private action for statutory damages between $100 and $750 per consumer and incident, or actual damages, whichever is greater, as well as any other relief a court deems proper. In addition to this rather limited consumer right, the Act also authorises the attorney general to bring a civil class action. If combined with the administrative fines of up to €20m or 4 percent of total worldwide annual turnover (whichever is higher) provided by the GDPR, the actual amount payable for violation and/or data breach might wind up being an existential threat to many companies.
It is clear that regardless of any prior GDPR implementations, companies will have to expend a great deal of effort to achieve compliance with the rights and obligations provided by the California Consumer Privacy Act. In essence, companies will have to revisit their data monetisation business models, adapt their privacy policies, improve their internal systems and processes to accommodate consumer rights and keep extensive records of the personal information they process.
For companies operating globally, navigating data protection laws might also prove tricky. Either they can decide to reform their entire data handling practices to comply with both the CCPA and GDPR, or they can set-up a patchwork data protection approach that differentiates between Californians and other consumers. In any case, it is advisable to call upon legal counsel that understands the needs of the company and is versed in both laws. Only then can a well-considered compliance strategy be achieved.
Geert Somers is a partner and Liesa Boghaert an attorney at law at time.lex. Mr Somers can be contacted on +32 (0)474 89 04 20 or by email: email@example.com. Ms Boghaert can be contacted on +32 (0)479 10 36 38 or by email: firstname.lastname@example.org.
© Financier Worldwide
Geert Somers and Liesa Boghaert