The Weight of “GDPR Lite”

Mar 19, 2019

By Dawn Ingley


See all of Our JDSupra Posts by Clicking the Badge Below

View Patrick Law Group, LLC

In June, 2018, California’s legislature took the first steps to ensure that the state’s approach to data privacy was trending more closely to the European Union’s General Data Protection Regulation (GDPR), the de facto global industry standard for data protection.  Though legislators have acknowledged that further refinements to the California Consumer Privacy Act (CCPA) will be necessary in the coming months, its salient requirements are known:

  • California consumers (broadly defined as California residents—this definition is inclusive of both employee data and other data that is not traditionally “consumer” data) may require a covered business to provide them with a copy of their personal information, delete their personal information, and to not sell their personal information.  Under CCPA, personal information includes:
    • real name or alias, physical address, biometric information;
    • IP address, email address, unique personal identifier, online identifiers;
    • account name, driver’s license number, passport number;
    • characteristics of protected classes;
    • records of purchasing history or tendencies;
    • internet browsing or search history, information related to web site interactions, geolocation data;
    • audio or visual data, olfactory data; and
    • employment or education data
  • CCPA applies to for-profit businesses that collect California consumer’s personal information, determine the purposes and means of processing such information, do business in California AND meet or surpass one or more of the following criteria:
    • $25,000,000.00 in annual gross revenues;
    • Buy/sell/share and/or receive, on an annual basis, the personal information of at least 50,000 California consumers, households or devices; OR
    • 50 percent of annual revenue comes from selling California consumers’ personal information.
  • Businesses subject to CCPA must maintain an inventory of personal information collected and advise California consumers as to the categories of personal information collected, along with the purposes of collection of each such category.
  • Businesses subject to CCPA further must provide consumers with the following information:
    • Consumers’ rights under CCPA;
    • Link to its “Do Not Sell My Personal Information” opt-out functionality;
    • Two or more communication methods for consumers to submit requests to the business (but at a minimum, a toll-free telephone number and a website address); and
    • Any incentives to be provided to consumers in exchange for their consent.

For businesses not subject to GDPR, compliance with CCPA is a formidable task with an aggressive deadline that is fast approaching.  For those businesses already subject to and in compliance with GDPR, the leap into CCPA compliance would appear to be far less of a burden, as the overlaps are considerable.  Yet, there are a few notable areas in which those businesses already subject to and already complying with GDPR should take note:

Definition of Personal Information:

  • CCPA: Slightly broader definition than GDPR, in that it covers not only data collected about an individual, but also data collected about a household or at the device level.
  • GDPR: Applies generally to any information related to an identified or identifiable person.

Opt-Out Right for the Sale of Personal Information

  • CCPA: Businesses must comply with a consumer’s request to opt-out of the sale of personal information to third parties, with narrow exceptions.
  • GDPR: No specific right to opt-out of personal data sales, but it does include an opt-out for the processing of data for marketing purposes, as well as the ability to withdraw consent for processing.

Children

  • CCPA: Prohibits selling personal information of a consumer under age 16 without consent.  Children ages 13-16 may provide direct consent.  Parental consent is required for children under 13.  COPPA requirements apply over and above these requirements.
  • GDPR: Default age for consent to any type of data processing is 16, but member state laws may further lower the age (but no lower than 13).   Age-appropriate privacy notices must be used for children. 

Civil Penalties:

  • CCPA: Civil penalties of up to $7,500 per violation.
  • GDPR: A percentage of gross revenues (up to 4% of annual global turnover or 20 million Euros).

“Do Not Sell My Personal Information” Internet Website Page

  • CCPA: Required.
  • GDPR: Not Required.

Breach Notification Obligation:

  • CCPA: Less objective than GDPR—“in the most expedient time possible, without unreasonable delay” (from California’s existing breach notification law).
  • GDPR: 72 hours after becoming aware of the breach.

Private Right of Action

  • CCPA: Consumers may pursue claims, but recovery of damages is limited to the greater of up to $750 (per consumer, per incident), or actual damages.
  • GDPR: European residents may pursue compensatory claims against both controllers and processors of personal data for material or non-material damages.

No Discrimination Resulting from An Exercise of Consumer Rights

  • CCPA: Consumers must not be discriminated against because of any exercise of their rights.
  • GDPR: No explicit provision regarding discrimination.

The areas set forth above illustrate subtle, but important nuances in the requirements of CCPA and GDPR.  In many aspects, the requirements of GDPR are indeed, dramatically more comprehensive than those of CCPA.  Yet, companies that attempt to leverage only their GDPR compliance activities and duties as an “overlay” for CCPA compliance may miss out on small, but critical variations that CCPA presents.

OTHER THOUGHT LEADERSHIP POSTS:

New York City Council Enters the Anti-Surveillance Fray

On Thursday, June 18, 2020 the New York City Council overwhelmingly approved the Public Oversight of Surveillance Technology Act (or “POST Act”) to institute oversight regarding the New York City Police Department’s use of surveillance technologies.

Harm or Deterrence?: FTC Civil Penalty Assessments Under COPPA

The Federal Trade Commission announced its most recent settlement action under the Children’s Online Privacy Protection Act (COPPA) on June 4. The settlement included a $4 million penalty (suspended to $150,000 due to the defendant’s proven inability to pay) against Hyperbeard, Inc. for alleged violations of COPPA.

FTC Provides Guidance on Using Artificial Intelligence and Algorithms

The Director of the Federal Trade Commission (FTC) Bureau of Consumer Protection recently issued guidance in its Tips and Advice blog as to how companies can manage consumer protection risks that may arise as a result of using artificial intelligence and algorithms.

Is Robotic Process Automation Reducing or Increasing your Software Licensing Fees?

While statistics regarding the increase in the use of Robotic Process Automation (RPA) vary, it is clear that the use of RPA is on the rise. Companies are rolling out RPA in an effort to increase productivity, cut costs and reduce errors.

A Few More Thoughts About Improving Our Force Majeure Provisions

The Coronavirus pandemic has brought the force majeure provision into the spotlight. A quick Google search brings up countless articles published in the past few weeks by lawyers worldwide about how to use force majeure provisions offensively and defensively in these uncertain times.

Government Efforts to Fight a Pandemic Challenge Data Privacy Concerns

Media outlets reported this week that representatives from Facebook, Google, Amazon, and Apple are meeting with members of the White House to brainstorm about ways in which the “Big Four,” can leverage the consumer information they possess to help in the war against COVID–19.

School or Parent? Factors Playing into the FTC’s Analysis of who should provide Parental Consent under COPPA in the Age of EdTech

The use of education technologies (EdTech) has exploded in recent years. In fact, between online learning sites, one to one device deployments in school districts and personalized curriculum services, virtually every student today has some online or digital component to their learning.

NYC’s Task Force to Tackle Algorithmic Bias Issues Final Report

In December, 2017 the New York City Council passed Local Law 49, the first law in the country designed to address algorithmic bias and discrimination occurring as a result of algorithms used by City agencies.

While you’ve been focused on CCPA Compliance Efforts, Elon has Been Developing Cyborgs

On November 27, 2019, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) released for public comment a draft of Binding Operational Directive 20-01, Develop and Publish a Vulnerability Disclosure Policy (the “Directive”).

DHS Cybersecurity Arm Directs Executive Agencies to Develop Vulnerability Disclosure Policies

On November 27, 2019, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) released for public comment a draft of Binding Operational Directive 20-01, Develop and Publish a Vulnerability Disclosure Policy (the “Directive”).