Has California Just Created GDPR 2.0?
Introduction
Data protection is paramount in an age where cybercrime has reached epic proportions. This is evidenced by the fact that in 2017, there were almost 5 million data records stolen every single day. Laws that protect our personal information and that offer user-centric control over personal data use are now in existence in many countries.
One of the most recent updates to existing laws around data protection is the California Consumer Privacy Act of 2018 (CCPA) which was approved on June 28, 2018. California has always led the way in consumer privacy in the USA and the new law which refers to existing privacy laws in California is another example of the privacy vanguard.
[Free E-book: “California Consumer Privacy Act of 2018: What you need to know”]
Download E-book
Data privacy has also been making the headlines lately because of the EU’s General Data Protection Regulation (GDPR). The California Consumer Privacy Act has been hailed by some as being a more-achievable privacy law than the GDPR. In this article, we’ll take a look at some of the similarities and differences between these two laws.
What is the California Consumer Privacy Act About?
In the U.S., data protection laws are varied in nature. The Federal Trade Commission Act, for example, is applied to the protection of privacy of consumers. They also enforce the Children’s Online Privacy Protection Act (COPPA). Other privacy and data protection laws are on a state-by-state basis or industry-specific, like HIPAA. However, California is a state that has taken data privacy very seriously and has, in the past, taken the lead on several fronts regarding privacy, including requiring an online privacy policy and passing a data breach notification law. The CCPA is just another example of this.
The CCPA is set to be enacted on January 1, 2020 and will increase the requirements of business to protect personal data privacy. The law will affect any commercial entity that is for-profit and operating in California’s jurisdiction.
The new law has been compared to the next version of GDPR as it takes some of the same concepts but broadens them. Below I’ve listed a few similarities and differences between the GDPR and CCPA.
Which Types of Business Are Affected?
GDPR: Affects all businesses, no matter the size, if the business processes personal data. There are some relaxations around documentation if a company is under 250 employees.
CCPA: Aimed at the larger business. Affects those who generate $25 million or more in annual revenue, process the data of more than 50,000 people or make 50 percent or more of revenue from selling consumers’ personal information.
How Entities Who Process Data Are Described
GDPR: The GDPR sets out specific expectations for two distinct entities which are termed “data controllers” and “data processors.”
CCPA: Uses a more coverall term “business” to apply the regulations.
Whom Does It Affect?
GDPR: The GDPR describes “data subjects.” The law offers protection for EU citizens who have data processed anywhere in the world, provided that processing is for the exchange of goods and services or if behavior is monitored within the union.
CCPA: Is all about protecting consumers who are residents of California. Protection extends outside the bounds of being a consumer and includes residents as employees, patients, students, tenants and so on. The law also covers “households” as well as individuals. In the age of smart meters and the Internet of Things, this will cover the data generated by Internet-enabled devices.
How Does Each Law Define Personal Data?
GDPR: The list is quite extensive and separates out the list into two broad categories of personal data and special data, covering many types of data from name and address to biometric and behavioral data.
CCPA: A very broad definition is used to include all aspects of personal data. CCPA also includes data pertaining to commercial information, such as goods or services purchased by the consumer.
One important difference between the GDPR and CCPA is in the definition and scope of data. The CCPA also includes metadata, including data that is associated with personal data such as household-based data (for example, how much water is used by a household), what category the data is in, how it is collected and who it is shared with.
According to the law, “publicly available information” and “commercial conduct [that] takes place wholly outside of California” are excluded.
Dealing With Individual Data Privacy Rights
GDPR: The GDPR has a set of rights that individuals have over the processing of their personal data. This includes the right to access, right to erasure, right to rectification, right to portability and so on.
CCPA: The CCPA has a number of data rights in common with the GDPR, including right to erasure and right to access. These rights must be adhered to within 45 days of the request.
Consent and Disclosure
GDPR: Is not prescriptive other than to state that a business should use clear and unambiguous language about what data processing will take place. Consent should always be opt-in.
CCPA: Has explicit instructions on how to deal with taking consent and disclosing what happens to a person’s data. The CCPA states: “Provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information.”
The CCPA also requires that if a person makes a request to activate a data right that they are verified as being who they say they are. Consent should always be opt-in.
Penalties for Noncompliance
GDPR: Has two levels of fines based on the type of compliance breach. Level 1 is 2% of global gross revenue or 10 million euros, whichever is higher. Level 2 is 4% of global gross revenue or 20 million euros, whichever is higher.
CCPA: The penalties incurred by non-compliance are $7,500 for an intentional violation of any provision or $2,500 for unintentional violations if the latter is not resolved within 30 days of notice. Twenty percent of collected penalty funds will be awarded to a the “Consumer Privacy Fund” to help with enforcement.
Although CCPA fines are lower than GDPR fines, there is a clause which allows for individuals to bring lawsuits for a breach of “nonencrypted or nonredacted personal information.” An individual can recover between $100 and $750 per incident even without evidence. This may lead to class-action lawsuits with financial costs must greater than $7,500.
Conclusion: GDPR vs. CCPA – Who Will Win?
In many ways, the GDPR is more encompassing of Privacy-by-Design than CCPA. For example, the CCPA does not have the concept of data minimization in the legislation. This may be because the CCPA has more emphasis on the rights of the individual as a consumer rather than a blanket approach to data privacy protection. In addition, the CCPA extends the privacy and rights over data to include metadata that describes and accentuates the personal information it is associated with.
This focus on consumer privacy is also observed in the right to take a “private right of action” against a business that does not comply with the CCPA to protect personal information. Both the GDPR and CCPA do, however, have at their heart the protection of personal data and ensuring that the use of these data is in the hands of the individual that it describes.
When the GDPR was announced, there was mass panic amongst businesses across the globe. However, there are still a significant proportion of companies not in compliance with the GDPR as of July 2018. In the UK, for example, only 21 percent of companies feel they are compliant. It will be interesting to see if the CCPA has better compliance rates when it comes into force in 2020.
Sources
Breach Level Index, Gemalto
Assembly Bill No. 375, California Legislation
GDPR News: Just 20% of UK companies are now compliant with GDPR, ITPro