Jordan Fischer, XPAN Law Group
A common question that we receive at our firm is: will the U.S. adopt legislation similar to the GDPR? And, if yes, what will that look at? Well, let us look into our “magic-8” ball … And, no surprise, it looks like privacy is moving (slowly) across the pond to the US — and the most recent example is the adoption of the California Consumer Privacy Act of 2018 (CCPA).
While the CCPA is grabbing headlines, one does not need promethean sight to predict that privacy protections are gaining traction at the state level. Many states have already started to address privacy issues, each with unique nuances. Check out our recent “Privacy is the New Black” post for a more detailed discussion on these changes.
The reason the CCPA has received so much attention is because it is the first domestic legislation that looks *somewhat* like the European Union’s General Data Protection Regulation (“GDPR”). If you have been under a rock, the GDPR caused (and continues to cause) panic regarding how companies are collecting, processing, and using personal data. It has brought privacy to the forefront for many entities who, up until now, have had free reign to do with data as they see fit.
For many US based companies, the GDPR seems scary but once-removed so as not to cause true change. We hear all the time: “but how can the EU come after me in the United States?” For those companies who kept minimizing the impact of the GDPR, the CCPA brings many of the issues directly home in the United States.
And, the CCPA does track, in some key ways, the rights and the goals of the GDPR. Similar to the GDPR, the CCPA derives from a right to privacy, recognized by the California Constitution, Article 1, Section 1. Further, the CCPA parallels the GDPR to focus on “giving consumers an effective way to control their personal information, thereby affording better protection for their own privacy and autonomy.” See Sec. 2(i).
However, while the origin and intent behind both pieces of legislation are similar, the CCPA is more narrowly focused, and does not go as far the GDPR in providing the transparency in data processing and giving the data subject/consumer control over her data.
The CCPA provides the following rights:
- Right to request that a business that collects personal information about the consumer disclose to the consumer the categories of personal information it has collected about that consumer (1798.100 & 1798.110);
- Right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer the categories of personal information that the business sold/disclosed about the consumer and the identity of the third parties to whom such personal information was sold/disclosed (1798.115);
- Right to opt-out of a business’s sale of personal information about the consumer (1798.120);
- Right to equal service and price, so that a business is prohibited from discriminating against a consumer because of that consumer’s exercise of her rights under the CCPA (1798.125); and
- Right to deletion of any personal information about the consumer which the business has collected from the consumer (1798.105).
These rights outlined by the CCPA align with the GDPR’s right of access by the data subject (Article 15), the right to erasure (Article 17); and loosely, the right to restriction of processing (Article 18) and the right to object (Article 21). However, there are a number of rights under the GDPR that are missing, including: (1) the right to rectification (Article 16); (3) the right to data portability (Article 20); and (3) the right to object to automated processing (Article 22). Further, the CCPA provides for nine (9) exceptions to the right to deletion (1798.105(d)).
Additionally, the CCPA appears to places a very short timeframe on those rights it does provide: the rights to request certain information are limited to “the preceding 12 months” of when the request is made (1798.130(a)(3)(B); 1798.130(a)(4)(B-C); 1798.130(a)(5)(B-C)). The GDPR places no such limitation on when the data was collected — it applies to all data collected. As such, as drafted, the CCPA could only scratch the surface of data collected by businesses.
Speaking of businesses, the CCPA applies to any for-profit business
“that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.”
Combining the definition of “businesses” with the CCPA’s definition of consumer (i.e., “natural person who is a California resident” (1798.140(g)), the CCPA carves out smaller businesses as an exception to its requirements. This type of exemption is not found in the GDPR, further differentiating these two regulations. However, the definition of a business, as either an entity that collects data or on whose behalf data is collected does align with the definition of a “controller” under the GDPR (Article 4(7)).
If you are familiar with the California Breach Notification requirements (California Civil Code s. 1798.29(a) [agency] and California Civ. Code s. 1798.82(a) [person or business]), the granular details outlined in the CCPA will come as no surprise. The CCPA includes detailed requirements for websites, notifications to consumers, and the way information is displayed (e.g., 1798.135). For example, businesses are required to “[m]ake available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains a website, a website address” (1798.130(a)(1)).
In some instances, the CCPA is more detailed in its express requirements than the GDPR, laying out the exact information to be supplied and how to provide that information. The GDPR, while intensive in its many requirements, leaves a lot of discretion to the individual company to determine how to comply. And, even though the CCPA is the first of its kind in the United States that is beginning to incorporate GDPR-type requirements, it by no means is as extensive or invasive as the GDPR. Another wrinkle is that the CCPA is still up for debate: many California-based companies are weighing in, and changes to the law may still be seen. However, what is clear is that the GDPR has started a trend toward data privacy that is here to stay — it is just the exact form it will take as the trend takes hold across the US is still to be seen.
Jordan is a co-founder and managing partner of XPAN Law Group, LLC, a Women-Owned boutique law firm. She focuses her practice on international data privacy and cybersecurity and cross-border data management, with a special emphasis in European Union data privacy regulations and the General Data Protection Regulation (GDPR).