Introduction – Data Protection Laws in the US
The California Consumer Privacy Act 2018 (CCPA) will come into effect on the 1st January 2020. It is stated to be the first comprehensive law in the area of privacy and personal information in the US. Generally, the CCPA and the GDPR are similar in regard to their definition of key terms, protection of children and rights of access to information. Conversely, the data protection laws in the US differ in regard to the scope of their application and accountability obligations. Below is a brief comparison of the CCPA with the GDPR.
In terms of personal scope, both laws protect natural persons and not legal persons. While the CCPA requires a “consumer” to be a resident of California, the GDPR only requires that the person’s data is processed under the regulation: the subject does not have to be a resident within or a citizen of an EU member state, or located within the EU. Under the GDPR, a controller may be either a natural or legal person, whether public or private and regardless of its size. Conversely, under the CCPA the covered business must be profit oriented and must operate in California. The business must have gross revenue of more than 25 million USD; must annually buy or process the personal information of 50,000 consumers or more; or must derive at least 50% of its annual revenue from selling consumer personal information.
In terms of territorial scope, the GDPR extends its application to entities which do not have a presence in the EU but which offer goods and services or monitor the behaviour of persons in the EU. It is still not clear how “doing business in California” will be interpreted under the CCPA.
Definition of key terms
Both laws are similar in their definitions of “personal data” and “personal information”. Both laws envisage that personal information or data must relate to, or be capable of identifying, natural persons or consumers. In the case of the CCPA the information could also relate to a household. Further, in both laws identifiers such as IP addresses, email addresses, biometric information and geolocation all amount to personal information. However, unlike under the GDPR, personal information as defined in the CCPA does not include information which is lawfully made available from federal, state and local government records. Also unlike the GDPR, the CCPA does not separately categorise sensitive data.
The two laws also define pseudonymisation in similar terms as the processing of personal data in such a way that it can no longer be attributed to a specific data subject or consumer without the use of additional information which must be kept separately and securely. While the GDPR obliges the controller to re-identify pseudonymised information upon request by a data subject on provision of additional information, the CCPA does not have any such obligation.
While the GDPR provides for a “controller” and a “processor”, the CCPA provides for a “business” and a “service provider”. It is notable that the GDPR places more direct obligations on processors than the CCPA places on service providers. In both laws the relationship between the two entities must be regulated by a written contract. Also in both laws, processors and service providers may be liable for infringements of their obligations.
Neither the GDPR nor the CCPA expressly defines who a “child” is. Where processing is based on consent under the GDPR, there must be parental consent for children below the age of 16. However, member states may lower this threshold to 13 years. Under the CCPA, businesses must have opt-in consent to sell the personal information of consumers under the age of 16 if they have knowledge of that fact.
The GDPR provides six grounds for the lawful processing of personal data. Conversely, the CCPA does not outline any grounds for processing. Nevertheless, it provides for a process in which consumers are allowed to opt out of the sale of their personal information or to request the deletion of their personal information.
Both laws provide for the right of individuals to request that their personal data be deleted (the right to be forgotten), subject to some exceptions. Similarly, in both laws this right can be exercised against the controller/business and third parties, including processors and those to whom the data has been sold or passed on. Also, although the right can be exercised free of charge, a reasonable fee may be charged in some situations. While the GDPR limits this right to situations where the processing is no longer necessary or where consent has been withdrawn and it was the only legal basis, the CCPA does not limit the exercise of the right to be forgotten. The deadline for complying under the GDPR is 1 month, which may be extended by two months. Under the CCPA the deadline for complying is 45 days, which may be extended for an additional 45 days.
Both the GDPR and the CCPA entitle data subjects and consumers to a right to information. This operates in tandem with the transparency obligations of the controllers/businesses. Accordingly, information must be provided to individuals in regard to the categories of data being processed, the purpose of the processing and the rights of the data subjects/individuals. Both laws also provide for a right of access to their data. The difference in this regard is that, while under the GDPR the data subject is entitled to access all personal data that is being processed about him or her, the CCPA only applies to personal information collected in the 12 months prior to the request. Both laws also provide for the right to data portability. This is the right to receive the personal data/information and have it transmitted to another controller/business without hindrance. However, while the GDPR treats this as a separate right, under the CCPA it is part of the right of access. It is therefore limited to data collected in the 12 months before the request.
The GDPR gives the enforcement mandate to national supervisory authorities. The heads of the national supervisory authorities form the European Data Protection Board. The Board has the responsibility to ensure the consistent application of the GDPR among member states.
The CCPA allows the consumer to file a civil action for infringement, but the consumer must inform the Attorney General (AG) within 30 days. The AG may take over prosecution of the claim. The AG may also notify the consumer not to proceed with the action. However, if the AG doesn’t act within 30 days of being notified, then the consumer may proceed with the action.
Administrative fines provided for under the GDPR by a supervisory authority are enormous and could be as much as 4% of the global annual turnover of an organisation or 20 million Euros, whichever is higher. In comparison, individual civil penalties under the CCPA are much lower and are issued by the court: each violation may be sanctioned for a maximum of 2,500 USD, or 7,500 USD for an intentional violation. It is worth noting, however, that in the event of a class action or cumulative claims being made against a single company, the company may become liable for much larger sums.
As discussion continues with regard to the establishment of a federal privacy protection law, the CCPA presents opportunities for businesses to enjoy free movement of personal information in a clearly regulated environment while concurrently affording protection to the privacy of consumers. In many ways the new data protection laws in the US are on the same footing with the GDPR.