2018 is likely to be remembered as the year of the consent pop-up. With the introduction of the EU General Data Protection Regulation (GDPR), we were all inundated with emails and notifications for new consent requests and bombarded with information about updated privacy policies and other adjustments to the way our data was being processed. 2018 may just as well be remembered as the year of GDPR.
This was also the year in which every company started panicking about reaching the May 25th deadline in order not to receive one of the potential fines of up to 4% of their global annual turnover or 20 million euro. This Saturday will mark the first anniversary since GDPR came into effect.
2019, however, will be the year of getting ready for the California Consumer Privacy Act (CCPA), while 2020 will again be, for consumers, a year of updated privacy policies and consent pop-ups. Companies will have to decide whether to adopt the same measures only for Californians or for the rest of their US consumers, while the US Government evaluates whether there is a need for a country-wide framework.
But what do these laws have in common, and how do they compare to each other? For a side-by-side of CCPA vs GDPR, keep reading below.
CCPA stands for California Consumer Privacy Act, a new piece of legislation passed in 2018 that will come into effect in the State of California on January 1st, 2020.
The main question that businesses that have prepared for GDPR are asking themselves is: do I need to be ready for CCPA too, or have we done enough with GDPR? The answer depends on a few factors that we’ll analyze below.
Firstly, it’s important to look at the defining factors that determine whether CCPA will apply to your business. These are the different scopes of application for this legislation:
CCPA applies to any business processing information from consumers who are residents of the state of California. The first step in this test is to determine whether you qualify as a ‘business’ under CCPA, which is the case if your company meets at least one of these conditions:
- You have an annual gross revenue of over 25 million USD.
- You collect, buy, or sell the personal information of 50,000 or more consumers, households, or devices.
- You derive 50% or more of your annual revenue from selling consumers’ personal information.
In addition, while GDPR covers any resident of the European Union (and also the EEA), CCPA is geared towards the protection of consumers only. This means that companies that do not profit from the selling of information, or that are not providing a service or selling goods, will not be covered by this law.
As mentioned in the material scope, the consumers need to be residents of the State of California. If you collect information only from consumers who are residents of other states (not California), then, even if your company falls under the definition of a business, CCPA will not apply.
GDPR, however, applies in a few different scenarios: to any company processing personal data within the European Union, to companies outside the EU that are processing the personal data of EU residents (if they are offering payments or services or monitoring their behavior), and in cases where a Member State’s law applies by virtue of international law.
CCPA was approved by the Senate in June 2018 and will apply from January 2020 onwards.
Once you’ve identified that CCPA will apply to your company, the next step for anyone trying to learn more about CCPA is to understand a few of the concepts and terms each of these laws uses and how they compare to those of GDPR.
We have already established the meaning of ‘business’ for CCPA, but there are a few more terms that should be noted:
- While GDPR talks about ‘personal data,’ CCPA uses the term ‘personal information.’ While it might seem to mean the same, it is important to keep in mind that personal information is a broader concept, as it includes personal data and devices in a household and not just those from one single person. Therefore, personal information might include data from a whole family.
- Both GDPR and CCPA talk about ‘processing’ of data, which includes most types of interaction with this data, such as holding, copying, and transferring it. However, CCPA repeatedly uses the term ‘collecting’, which refers to the ways in which a company obtains the consumer’s data.
- Under GDPR, anonymized data falls outside the scope of application, whereas under CCPA the same applies to ‘deidentified’ data, which is any information that cannot identify, or be associated with, a specific consumer.
- Aside from collecting information, CCPA talks about ‘selling,’ which also includes releasing, disclosing, disseminating and any other way of communicating or sharing a consumer’s information with another business in exchange for money or some other benefit.
With these concepts in mind, the next step is to analyze a few different provisions that might affect your business and decide how you will deal with the new changes, such as receiving deletion requests, for example.
One factor that strongly distinguishes CCPA from GDPR is that while under the latter there are different legal bases for processing data, under CCPA everything is based on the person consenting (or not) to it. With GDPR, if you have a valid reason – a valid legal basis – for processing certain data, such as legitimate interest or contractual necessity, then there is no need for a company to request consent from the individuals. However, CCPA gives customers the power to decide whether they allow companies to sell their information or not; there are no valid grounds aside from consent for them to do so.
Rights of data subjects
Just as with GDPR, under CCPA consumers have the right to be informed about what data is being processed about them, as well as how it is being shared or sold and with which third parties. In addition, they have the right to request access to their data and to request the deletion of said data, just as with its European counterpart.
However, unlike GDPR, CCPA also gives customers the right to opt out, which is the right a consumer has to not have that business sell their information. This means, as previously stated, that if the consumer disagrees with their data being sold, that company will have to stop doing so (no matter what reason it might have for doing so). Minors have the right to ‘opt in’ to having a company collect and sell their data: those between 13 and 16 years of age can do so themselves, while their parents can do so for those under that age.
Obligations for the businesses
GDPR introduced obligations for companies processing personal data, such as: signing data protection agreements with processors (companies processing data on their behalf and based on their instructions) and ensuring that these processors also sign such agreements with their sub-processors (companies subcontracted by a processor to process this same data on their behalf, still based on the controller’s instructions); using an easily readable format when providing the personal data held on an individual; and giving all the relevant information on what data is being processed, for what purpose, how, and where it is sent.
A business that falls under the scope of CCPA has several obligations under this law, such as:
- Answering consumer requests to access their data or to have their information deleted. Unlike GDPR, which sets no time limitation, the CCPA states that the business will have to provide the information that was collected on this person.
- Stopping the sale of a consumer’s information once the consumer has requested so. As mentioned previously, there are no other legal grounds that could allow the company to keep selling the information. Thus, once the customer has requested it, the company will have to stop selling their information.
- Including in their agreements with vendors provisions making it clear that the information cannot be resold (where applicable) and clarifying that vendors cannot use the information for any purpose other than the necessary one.
- Informing consumers when the company is selling any personal information to other companies or third parties, as well as explaining the reason for selling, what information is being sold, and to which parties it is being sold.
- Also informing consumers whether the company has received any financial incentive for doing so, such as sponsorship.
- Providing at least two means by which consumers can submit a request, including a toll-free number that consumers can call.
- Responding to any request within 45 days: while GDPR provided 30 days, the CCPA has added another half month to give businesses sufficient time to deal with these. In addition, just as with GDPR, this period may be extended only once, for an extra 45 days.
At the same time, there are a few obligations that businesses have under GDPR that they don’t have under CCPA:
- The obligation to sign agreements detailing the processing of personal data, whether with a processor, controller, or joint controller. CCPA only establishes that companies will have to clearly specify to their vendors that they are not allowed to resell the information provided to them or to use it for any other purpose.
- There is no requirement to carry out Data Protection Impact Assessments when there is an activity that poses a risk to the privacy of a data subject.
- There is no equivalent position to a Data Protection Officer (DPO) under CCPA nor an obligation to have such a person within a company to supervise compliance with the law.
- There are no mentions or any provisions related to data transfers outside of California or the United States.
While this is just a general comparison of CCPA and GDPR, these are some points to take into account while implementing any measures to comply with the new Californian legislation.
Since there is still more than half a year to go, it is possible - and likely - that there will be some modifications or clarifications to this law. Specific points are already being reviewed, so there is potential for some provisions to change and to obtain clarification for some that might not be so clear.
For this reason, it’s very important to remain attentive to new developments regarding this law and to review all the planning, processes and/or policies that will be implemented before CCPA comes into effect.
Finally, the fines that can be imposed under CCPA are also different from GDPR, and while at first glance they may seem much lower – up to USD 2,500 per violation – the total might turn out much higher when the information of hundreds or thousands of users is involved. Moreover, this maximum goes up to USD 7,500 for intentional violations.
So, for willful disregard of the legislation, this could, at least for big companies, mean bankruptcy. Thus, being ready for the January 2020 deadline is not just mandatory but essential.