On June 28, 2018, California passed the most comprehensive and consumer-friendly privacy law in the United States: the California Consumer Privacy Act (“CCPA”). In many respects, the framework of the CCPA is similar to the Europe Union’s recently enacted General Data Protection Regulation (“GDPR”). While many businesses took measures to comply with the provisions of the GDPR (which went into effect on May 25, 2018), the GDPR was somewhat limited in applicability for US-based businesses that have little to no EU contacts.
The California Consumer Privacy Act, on the other hand, will affect almost all US-based businesses that collect consumer data, in any form, from California State residents, and it contains provisions that differ from the GDPR in important ways. Therefore, all US-businesses should ensure that they are in full compliance with the CCPA, which goes into effect on January 1, 2020.
How Do I Best Ensure that My Business Complies with the California Consumer Privacy Act (CCPA)?
Key Elements of the California Consumer Privacy Act (CCPA)
Like the GDPR before it, the CCPA is consistent with a general worldwide trend to provide consumers with more information about personal data collection, use and sharing practices. Below is a partial list comparing some of the notable provisions of the GDPR and the CCPA, together with some of the similarities and differences between the two laws:
- The definition of personal data/information is similar under both the CCPA and GDPR, and both statutes take an expansive view of what constitutes protected consumer data. However, the CCPA’s definition also includes information that is linked to a given “household,” which could include a physical address that is not directly linked to an individual;
- Both the CCPA and GDPR require that businesses inform consumers about what categories and specific types of personal data that such entities collect from/about consumers, and how that information will be used. In addition, the CCPA requires that additional disclosures are contained in online privacy policies, including the inclusion of three separate lists detailing the categories of personal information that businesses have collected, sold or otherwise disclosed during the preceding twelve (12) month period;
- Both the CCPA and GDPR grant consumers similar rights in terms of accessing, and obtaining copies of, the personal information that businesses are processing. The CCPA also requires that businesses list designated categories of personal information that are shared with certain third parties. Accordingly, businesses that have already complied with the GDPR’s requirements to track the sharing of personal information will likely need to take additional steps to ensure compliance with the GDPR’s data mapping requirements;
- Under the CCPA, businesses must provide consumers with the ability to opt out of any sale of personal information. While the GDPR does not have anything directly analogous, the GDPR allows consumers to object to the use of their data for direct marketing purposes, as well as other data processing activities (unless there is a valid and legitimate countervailing business interest). Coupled with the right to have one’s personal information deleted pursuant to the GDPR (the right to be “forgotten”), the CCPA provisions will result in a similar approach to consumer efforts to curtail the use of their personal information for marketing purposes. The CCPA also requires that business owners post a “clear and conspicuous” opt-out link on their website homepages that allows consumers to exercise their CCPA opt-out rights;
- Although the provisions differ in some respects, in practical terms, under both the CCPA and GDPR, businesses are not permitted to discriminate against, deny services, or offer diminished services, to consumers who opt-out of having their personal information shared with, or sold to, third parties;
- While both the CCPA and GDPR require that businesses adopt organization-wide security protocols that are appropriate to safeguard collected consumer data, the GDPR has several additional requirements that a given business must adopt, internally, in order to remain compliant including, but not limited to: the appointment of a data protection officer; adopting “privacy by design” as a guiding business principle; and undertaking “data protection impact assessments” for any new technology or personal data processing activity that may be adopted by the given business; and
- Both the CCPA and GDPR grant consumers the right to be “forgotten” which requires that, when invoked, the businesses in question fully purge all copies of the consumer’s personal information from their respective databases, and the databases of third parties with which they have shared such information (other than where such businesses are required by law, or the applicable contractual relationship with the consumer, to maintain copies of same).
Liability Under the CCPA and GDPR
While the penalties for violation of the GDPR are considerably higher (the greater of €20 million or 4% of worldwide revenue) than that of the CCPA, if found to be at fault in a CCPA-related matter, businesses can be held liable for up to Seven Thousand Five Hundred Dollars ($7,500.00) for each intentional violation, in addition to other remedies sought by the enforcing regulatory body. While the CCPA does not go into effect until January 1, 2020, given the complexity of ensuring that business entities are in full compliance by that date, it is essential to consult with experienced marketing and privacy counsel well before then.