The Weight of “GDPR Lite”
In June 2018, California’s legislature took the first steps to bring the state’s approach to data privacy closer to the European Union’s General Data Protection Regulation (GDPR), the de facto global industry standard for data protection. Though legislators have acknowledged that further refinements to the California Consumer Privacy Act (CCPA) will be necessary in the coming months, its salient requirements are known:
- California consumers (broadly defined as California residents; this definition is inclusive of both employee data and other data that is not traditionally “consumer” data) may require a covered business to provide them with a copy of their personal information, to delete their personal information, and not to sell their personal information. Under CCPA, personal information includes:
  - real name or alias, physical address, biometric information;
  - IP address, email address, unique personal identifier, online identifiers;
  - account name, driver’s license number, passport number;
  - characteristics of protected classes;
  - records of purchasing history or tendencies;
  - internet browsing or search history, information related to web site interactions, geolocation data;
  - audio or visual data, olfactory data; and
  - employment or education data.
- CCPA applies to for-profit businesses that collect California consumers’ personal information, determine the purposes and means of processing such information, do business in California AND meet or surpass one or more of the following criteria:
  - $25,000,000.00 in annual gross revenues;
  - Buy/sell/share and/or receive, on an annual basis, the personal information of at least 50,000 California consumers, households or devices; OR
  - 50 percent of annual revenue comes from selling California consumers’ personal information.
- Businesses subject to CCPA must maintain an inventory of personal information collected and advise California consumers as to the categories of personal information collected, along with the purposes of collection of each such category.
- Businesses subject to CCPA further must provide consumers with the following information:
  - Consumers’ rights under CCPA;
  - Link to its “Do Not Sell My Personal Information” opt-out functionality;
  - Two or more communication methods for consumers to submit requests to the business (but at a minimum, a toll-free telephone number and a website address); and
  - Any incentives to be provided to consumers in exchange for their consent.
For businesses not subject to GDPR, compliance with CCPA is a formidable task with an aggressive deadline that is fast approaching. For those businesses already subject to and in compliance with GDPR, the leap into CCPA compliance would appear to be far less of a burden, as the overlaps are considerable. Yet there are a few areas of which businesses already subject to and complying with GDPR should take note:
Definition of Personal Information:
- CCPA: Slightly broader definition than GDPR, in that it covers not only data collected about an individual, but also data collected about a household or at the device level.
- GDPR: Applies generally to any information related to an identified or identifiable person.
Opt-Out Right for the Sale of Personal Information
- CCPA: Businesses must comply with a consumer’s request to opt-out of the sale of personal information to third parties, with narrow exceptions.
- GDPR: No specific right to opt-out of personal data sales, but it does include an opt-out for the processing of data for marketing purposes, as well as the ability to withdraw consent for processing.
- CCPA: Prohibits selling personal information of a consumer under age 16 without consent. Children ages 13-16 may provide direct consent. Parental consent is required for children under 13. COPPA requirements apply over and above these requirements.
- GDPR: Default age for consent to any type of data processing is 16, but member state laws may further lower the age (but no lower than 13). Age-appropriate privacy notices must be used for children.
- CCPA: Civil penalties of up to $7,500 per violation.
- GDPR: A percentage of gross revenues (up to 4% of annual global turnover or 20 million Euros).
“Do Not Sell My Personal Information” Internet Website Page
- CCPA: Required.
- GDPR: Not Required.
Breach Notification Obligation:
- CCPA: Less objective than GDPR—“in the most expedient time possible, without unreasonable delay” (from California’s existing breach notification law).
- GDPR: 72 hours after becoming aware of the breach.
Private Right of Action
- CCPA: Consumers may pursue claims, but recovery of damages is limited to the greater of up to $750 (per consumer, per incident), or actual damages.
- GDPR: European residents may pursue compensatory claims against both controllers and processors of personal data for material or non-material damages.
No Discrimination Resulting from An Exercise of Consumer Rights
- CCPA: Consumers must not be discriminated against because of any exercise of their rights.
- GDPR: No explicit provision regarding discrimination.
The areas set forth above illustrate subtle but important nuances in the requirements of CCPA and GDPR. In many aspects, the requirements of GDPR are indeed dramatically more comprehensive than those of CCPA. Yet companies that attempt to leverage only their GDPR compliance activities and duties as an “overlay” for CCPA compliance may miss out on small but critical variations that CCPA presents.