We are now less than 150 days from January 1, 2020, the effective date of the California Consumer Protection Act (CCPA). It is a leap forward in data protection in the United States. It is shaping up to change the business landscape here, much like the General Data Protection Regulation (GDPR) has done across the European Union.

In this blog post, the second in our series on the CCPA, we will compare the CCPA with GDPR. Although the impetus for both is shared (a need to protect digital data and identities in an increasingly connected and complex environment), these two reflect different approaches.

GDPR and CCPA: A comparison

How are the GDPR and CCPA similar?  Both laws

  1. are digital privacy laws that are couched in terms to provide significant new protections to citizens

  2. provide citizens with more access and transparency in relation to what personal information is being tracked by businesses

  3. provide specific protections for those under the age of 16

  4. are focused on business that collect, store, and share consumer data that is collected either online or offline

  5. are not applicable in the areas of law enforcement or national security

  6. apply to companies outside the borders of the jurisdiction covered in the law

  7. cover a large swath of industries

  8. place the onus in relation to the resources and cost for compliance on businesses.

How do the GDPR and CCPA differ? 

Topic

GDPR

CCPA

What is the purpose of the law?

A comprehensive law that includes numerous specific regulations for the implementation of data security, including record keeping, auditing, reporting, the notification of data breaches to regulators and affected individuals, the transferring of data across EU border, etc.

A state-specific law with a focus on outlining consumer privacy rights and disclosure.

Who is required to meet the requirements of the law?

The law is applicable to all “controller” and “processor” entities that handle personal data, including for-profits, non-profits, public, and private.

The law is specifically aimed at for-profit businesses that meet a threshold set in relation to annual gross profits, number of personal data records, and the percentage of profit generated by sales of consumer’s personal data.

What are the jurisdictional boundaries of the law?

The law applies to organizations inside and outside the EU who provide goods and services to those residing within the EU.

The law applies to  companies who

    • Have subsidiaries or affiliates engaged in business in California
    • Conduct business with contacts or employees who reside in California
    • Over $25 million in annual gross revenues
    • Buy, sell, or receive personal information

Who is covered by the law?

The law covers a “data subject” who is an “identified or identifiable person”.

The law covers a “consumer”, who is a “natural person who is a California resident”.

What data is covered by the law?

The law covers “personal data”, defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”.

The law covers “personal information”, defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

 

Note: Medical and Protected Health Information (PHI) are not covered in the law as not to conflict with the federal-level Health Insurance Portability and Accountability Act (HIPAA).

What activities related to personal data/information are covered by the law?

The law is applicable to the “processing” of data, defined as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

The law provides a definition of “processing”, but the term is not used in any definitive way in the law.

 

The law focuses on the “collecting” of personal data, defined as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.”

 

The law also applies to the “selling” of personal data, defined as “renting, disclosing, releasing, disseminating, making available transferring, or otherwise communicating personal information for monetary or other valuable consideration.”

What rights related to data are individuals given under the law?

1. Right to access user-friendly version of data held

2. Right to correction

3. Right to stop processing

4. Right to withdraw consent

5. Right to stop automated decision making

6. Right to stop transfer of data to 3rd party

7. Right to erasure

8. Right to equal pricing and services

9. Right to bring legal action

1. Right to access user-friendly version of data held

2. Right to opt-out of data being sold to a 3rd party

3. Right to deletion

4. Right to withdraw consent

5. Right to equal pricing and services

6. Right to bring legal action

Who in a company is required to attest to compliance?

GDPR requires the naming of a Data Protection Officer (DPO) who is responsible for ensuring compliance in an organization.

No comparable requirement in the CCPA.

What are the financial penalties for violations of the law?

Fines are discretionary and are tiered based on the specific Article breached by the organization.

Administrative fines that can be levied as penalties for GDPR non-compliance RE:

  1. Up to €10 million, or 2% annual global turnover – whichever is greater; or

  2. Up to €20 million, or 4% annual global turnover – whichever is greater.

 

Penalties will not be issued under the CCPA until after July 1, 2020.

 

Private plaintiffs may seek statutory damages of up to $750 per violation for certain violations.

 

The California Attorney General may seek civil penalties up to $2,500 for most violations, although violations that are found to be intentional may have penalties up to $7,500 per incident.

What are the training requirements related to the law?

The DPO must provide  “awareness raising and training of staff involved in the processing operations.”

 

Binding Corporate Rules (BCRs) carry a requirement for “the appropriate data protection training to personnel having permanent or regular access to personal data.”

 

US-EU Privacy Shield also requires personnel training.

Companies must ensure that those responsible for the handling of consumer inquiries in relation to the company’s privacy practices or legal compliance, including opt-out and deletion, are trained in (1) the related sections of the CCPA and (2) how to help consumers exercise their rights for requests.

What is the preparation period for the law?

GDPR allowed a two year time period to prepare for compliance.

CCPA allows for a limited time to prepare for compliance (less than 18 months).

As you can see, the CCPA will be a game changer in data protection laws just as GDPR has been. It is important that companies understand the new law and determine if they fall within its jurisdiction. It is also important to keep track of pending legislation that addresses CCPA amendments.

In the third and final installment on the CCPA, we will look at ways in which you can start to prepare for January 1, 2020 and the CCPA.

What Can You Do?

Data protection is a concern every day, not just on January 1, 2020. Individual users need extra encouragement and training to do their part in protecting your organization’s critical data. Contact Us about our National Cybersecurity Awareness Month Resource Kit. This year’s theme is focused on data protection: “Own It, Secure It, Protect It”. October is approaching fast, so don’t delay!