On June 28, the California Legislature passed the California Consumer Privacy Act (CCPA), a negotiated compromise to avert a related ballot measure. This expansive new state legislation came on the heels of the May 25 General Data Protection Regulation (GDPR) effective date, and is already inspiring data privacy policy conversations in state legislatures across the U.S. and at the federal level. This article addresses how the CCPA lines up against the GDPR, highlights key differences between the two, and outlines how a business’s ongoing efforts to comply with the GDPR can jumpstart efforts to comply with the CCPA in anticipation of its January 1, 2020 effective date.

Changing Landscapes

The core difference between the GDPR and the CCPA is found in the approach each takes to enhance the individual’s privacy and control over their personal data. At its foundation, the GDPR requires businesses to take a privacy by design approach, meaning businesses must embed individual privacy protections into every aspect of their operations. The GDPR uses broad strokes and assesses compliance subjectively under a totality of the circumstances measurement. Offering little in the way of precise mandates, the GDPR is designed to function through the adoption of additional regulations in each EU Member State. As such, the GDPR relies on the discretion of local agencies to bridge the gap between the overall statutory scheme and individual enforcement cases.

In contrast, the CCPA relies on a series of mandates and prohibitions coupled with request-based individual rights, so that most CCPA requirements are reactive rather than preventative. Even so, companies will have to develop processes and procedures in order to comply with and respond to customer requests within the statutorily mandated deadlines. While the CCPA is narrower in scope and applicability, it offers a greater number of exceptions to its rule, and provides a handful of bright-line requirements to guide businesses in their compliance efforts. However, the CCPA is still very much a work in progress and, as such, subject to extensive change between now and when the law takes effect.

 

Code Switching

The GDPR and the CCPA use different language to describe the rights and protections each provides. When referencing individuals, the GDPR protects the “data subject,” or an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an “identifier” (e.g. a name, ID number, handle, location data, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).[1] Meanwhile, the CCPA protects the “consumer,” which is essentially defined as a California resident.[2] Currently, it is unclear whether the CCPA protects all California residents wherever they may be found, or only those present in California at the time the data is collected, processed or used by the business.

The two laws take very different views on what data falls within their scope. The GDPR applies to “personal data,” which the law defines very broadly to include any information related to a data subject, including deidentified and aggregated data.[3] Meanwhile, the CCPA only applies to “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly,” to a particular consumer. The CCPA specifically states that it does not apply to deidentified or aggregated data.[4]

Each law also applies differently to the businesses potentially subject to its regulation. The GDPR essentially applies to all forms of corporate entities that collect or process data, but distinguishes between those entities as “controllers” or “processors” depending on the role they play in the collection, processing and use of personal data.[5] The CCPA does not distinguish between corporate entities in this manner, but limits its applicability only to businesses that offer products or services to California residents (regardless of the business’s actual location) and meet at least one of the following criteria:[6]

  • Has $25 million or more in annual gross revenues;
  • Possesses the personal data of 50,000 or more consumers, households or devices; or
  • Earns more than 50 percent of its annual revenue from selling consumers’ personal data.

In addition to the qualifiers outlined above, the CCPA does not apply to nonprofit organizations or businesses that conduct all aspects of their activities outside of California. Also, due to a recent amendment to the law, the CCPA provides an exception for personal information that is already covered by HIPAA or the California Confidentiality of Medical Information Act and the Gramm-Leach-Bliley Act or the California Financial Information Privacy Act.

To avoid confusion, this article uses the term “individuals” to refer to data subjects and consumers alike and refers to both personal data and personal information simply as “data.”

 

Relating Rights

Both the GDPR and the CCPA are centered on the right of the individual to control the collection, processing and use of their data by corporate entities. The rights afforded to individuals under the GDPR and the CCPA overlap in some respects, including:

  • Requiring businesses to provide individuals with notice that describes what personal data the business collects and how that data is used.
  • The individual right to request information about their data that has been collected by the business and certain details about the sale of that data, if applicable.
  • The individual right to prohibit a business from selling the consumer’s personal data.
  • The individual right to require a business to delete the consumer’s personal data, with some limitations.
  • The individual right to require a business to transfer their data to the consumer or to another business.

This is where the similarities end. Each law positions these individual rights differently in the respective law’s overall framework, which in turn determines whether the rights are fundamental versus incidental or precautionary versus reactive.

Individual rights under the GDPR[7] are fairly expansive in terms of an individual’s options to restrict or opt out of certain business activities. In addition to the right to opt out of the sale of their data to third parties, the individual may also opt out of the processing of their data or restrict the processing to only what is necessary to store the data. This difference is key to how the GDPR anticipates all forms of access to an individual’s data and all ways in which the individual’s data may be monetized or transferred between parties, including lead generation, revenue sharing, the application of artificial intelligence and ad placement on social media. In contrast, it is currently unclear whether the CCPA will provide individuals with any similar control over their data outside of a traditional sale scenario. The GDPR also provides that:

  • Individuals have an affirmative right to require a business to rectify incorrect data about the individual that the business possesses; and
  • An individual may object to a business’s data processing activities if the individual believes the business does not have their adequate consent or is wrongfully relying on a claim of legitimate interest.

The CCPA[8] distinguishes itself by offering the right to equal service, meaning a business may not discriminate against an individual because the individual exercised an individual right.[9] Some business activities that qualify as discrimination under the CCPA include:

  • Denying goods or services;
  • Charging different prices or rates or imposing penalties;
  • Providing a different level or quality of goods or services; or
  • Suggesting that the business will provide the individual with unequal service if the individual exercises a privacy right.

In contrast, the GDPR merely hints at a right to equal service by stating that consent is not freely given if “the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”[10] Moreover, there is currently no stated penalty under the GDPR for a business failing to provide equal service to an individual.

Despite offering this unique level of protection, the CCPA’s extensive exceptions to this provision render it less of an individual right and more of an acknowledgement of the value added to business operations by collecting and using an individual’s data. First, a business may, in fact, charge individuals a different price or rate or provide a different level or quality of goods or services, if the difference is reasonably related to the value provided to the individual by the individual’s data. Second, a business may offer consumers financial incentives, a different price, rate, level or quality of goods or services if the difference is directly related to the value provided to the consumer by the consumer’s data. This second exception is somewhat limited by further requirements that the business disclose any incentives, that the incentives must be provided on an opt-in basis only, and that incentives may not be unjust, unreasonable, coercive or otherwise usurious in nature.

 

Planning for the Future

Love it or hate it, the GDPR is here to stay and is serving as the foundation for privacy and data security policymaking at the state and federal levels, the most recent being the CCPA. The central contrast between the GDPR’s privacy by design approach and the CCPA’s mandates and prohibitions raises the question of what steps a business can take to achieve GDPR compliance while also making progress toward compliance with the still-evolving CCPA. In short, businesses can start with a foundation of key efforts to address their data-related activities.

First, any effort to comply with privacy laws must begin with an internal audit process called data mapping, or an assessment of what data the business collects, which of the collected data is subject to privacy laws, how the business processes and stores the data, and how the business uses the data. This process helps the business to streamline its internal processes and to determine whether the data the business collects falls within a special category and is therefore subject to heightened protections under state, federal and/or international privacy laws.

After completing the data mapping process, a business can begin addressing the GDPR and CCPA requirements associated with modifying its internal and external policies and procedures. For example, the business should review its internal processes to ensure that data is collected, used and stored appropriately. The business should then establish internal procedures to respond to individuals exercising their privacy law rights and to train its employees to comply with applicable privacy laws.

A third, but in no event final, step toward simultaneous compliance with the GDPR and CCPA, is to update the business’s public-facing policies and notices to reflect the business’s compliance efforts to date. This includes updating all external privacy policies, terms of use, end user agreements, consent notices, and possibly other documents on which the business relies to communicate its activities to the public. While these documents are most often associated with websites, a business may also need to address its privacy related activities pertaining to an individual’s use of the business’s app, physical storefront location, or other product or service.

Businesses that invest early in key compliance efforts can realize benefits from those efforts by avoiding a late rush when the stakes are much higher. Taking the time to assess the sources, uses and value of data allows the business to quantify its data-related activities within its overall business plan. Additionally, the privacy law compliance process inherently pushes businesses to streamline their internal operations, which serves to alert the business to redundancies and inefficiencies. Finally, but perhaps most importantly, each effort to lay the groundwork for compliance with current and foreseeable privacy laws can enhance a business’s reputation for valuing consumer privacy. Along with the practical steps described above, this intangible benefit will pay dividends over time as anticipated privacy laws continue to develop and new requirements bubble to the surface.