1. Why is the CCPA important?
While the GDPR applied a unified privacy law across Europe, the USA has no comparable federal law that compares. There have been ripples of state-led laws, granting similar rights to the CCPA – more of which are below – but the CCPA is the first major privacy legislation in the USA given its scope in introducing how data is handled about Californian residents.
It is important for two reasons; its application is a major step given the absence of privacy laws before it, but also it is paving the way for discussions at a federal level to introduce uniform legislation across the USA.
2. Who has to comply?
Compliance with the CCPA applies to any businesses operating for profit that collect and/or control California residents’ personal data and meets one of the three criteria below:
1. Have annual gross revenues in excess of US$25 million; or
2. Receive or disclose the personal information of 50,000 or more California residents, households, or devices on an annual basis; or
3. Get 50% or more of their annual revenues from selling California residents’ personal information.
The big difference compared to the GDPR is that the GDPR applies to any business (without being limited by CCPA-esque criteria) that determines the means and purposes of processing personal data about EU citizens.
Rights under the CCPA are provided to “consumers”, meaning natural persons who are California residents (i.e. not someone in California for a temporary or transitionary purpose).
The concepts of processing are broadly similar, captured under the CCPA as “collecting or selling” personal data. However, where the GDPR applies to all processing of data, the CCPA is principally focussed on the sharing or selling of information. There are also a number of elements that sit outside of the definition of what personal data is, including publicly available information.
4. Legal basis for processing
The GDPR introduced legal bases for processing personal data under which businesses had to align to their processing of data. This included consent and legitimate interest.
The CCPA does not introduce the concept of legal grounds for processing personal information.
5. Rights for individuals
What the CCPA does introduce is a number of rights for Californian residents. These overlap the GDPR in most respects, including the right to:
- erasure / deletion, free of charge (with exceptions);
- be informed (i.e. the individual must be provided with details of what personal data is collected & why);
- access (i.e. a process allowing individuals to have full visibility of the data an organisation holds about them);
- data portability (i.e. when data is requested under an access request that this is provided in an easy-to-read and portable format); and
- object / opt-out (though there are some notable distinctions here – see below).
Deadlines to respond to consumers exercising their rights are slightly different – the GDPR specifies a response to be sent within a month, where the CCPA specifies a 45-day period. Both may be extended provided the individual is told within the initial timeframe.
One distinction the CCPA provides explicitly (although it can be argued that this is implied in the GPDR) is that individuals must not be discriminated against for exercising their rights.
6. Opting out & not selling data
The CCPA introduces a significant and distinctive requirement that is not mirrored under the GDPR.
The CCPA requires that a link with the title “Do Not Sell My Personal Information” is provided on the homepage of any business that sells personal data. Importantly, Californian residents can only opt-out of the sale of personal data, and not the collection or other uses that do not fall under the definition of “selling.”
By contrast, individuals can object to any type of processing of personal data under the GDPR. This can be done by withdrawing consent, or by objecting to processing that is based on another legal basis.
The right under the CCPA is absolute, whereas under the GDPR a business has the opportunity to demonstrate “compelling legitimate grounds” for the processing that overrides the rights of the individual.
As well as informing Californian consumers of their rights, at least two methods of contact must be made available for them to make requests in exercising their rights. Obviously, organizations must put mechanisms in place to ensure that any such requests are dealt with.
Much was made of the eye-watering penalties that the GDPR introduced of up to the higher of €20m or 4% of worldwide turnover. The CCPA provides for penalties to be issued up to $2,500 per violation or $7,500 per intentional violation, without a maximum amount for several penalties for each violation. Enforcement powers are granted to the Californian Attorney General.
Individuals can also bring actions themselves. Where the GDPR allows claims for material and non-material damages for any violation of the GDPR, the CCPA only allows individuals a right of action where non-encrypted / redacted personal information is subject to unauthorized access; or where it has been disclosed as a result of an organization’s failure to meet its security obligations.
9. Security Obligations?
Given the risk to businesses for a failure to meet security requirements, the CCPA is surprisingly vague on what this means. The Attorney General is likely to publish further guidance, but at the present time it is worth noting that a number of security measures have historically been endorsed by the Attorney General that may be a useful point of reference in order to mitigate any risks by incorporating these into a CCPA compliance program.
10. Just the beginning…
The Attorney General is required to adopt regulations on or before July 1, 2020 so there will certainly be future developments and guidance as a result to keep an eye out for.
While the CCPA is not America’s answer to the GDPR, despite certain similarities, it is important to note that there is a real drive to introduce a harmonized privacy law at a federal level. This is some way off though, despite House and Senate hearings and FTC requests, but the CCPA may well be the first step towards this.
The information in this document is for general guidance and is not legal advice. If you need more details on your obligations or legal advice about what action to take, please contact your legal advisor or attorney.