What to Know about the CCPA — Even if You’ve Achieved GDPR Compliance

As a response to the GDPR, Facebook’s Cambridge Analytica scandal and the overall upsurge in personal data breaches, California passed a new data protection and data privacy law, the California Consumer Privacy Act (CCPA). Although the CCPA does not become effective until January 1, 2020, organizations need to know that, as of that date, consumers will be able to request personal data for the preceding 12 months. That means that no later than January 1, 2019, organizations need to have categorized the data they store and gotten a complete view of information protected by CCPA; otherwise, they won’t be able to comply on the effective date.

You might think that because you’ve implemented GDPR controls, complying with the CCPA will be a piece of cake. Unfortunately, that’s simply not the case. The laws are two unique snowflakes that require some different approaches. Let’s take a closer look at their similarities and differences.

What’s in common

Both the CCPA and the GDPR are aimed at protecting individuals’ personal information, granting them certain rights regarding how organizations may collect and use their personal information. In particular, both standards include the following requirements:

  • Data subjects have the right to know whether their personal information is being collected and processed, for what reasons, and with whom it is shared.
  • Data subjects have the right to require an organization to delete the personal data they hold about them.
  • Organizations are required to implement appropriate data protection measures over personal information, including both organizational and technical measures.
  • Both standards have extraterritorial effect; that is, they can apply to organizations outside of their respective jurisdictions.

What’s different

The CCPA differs from the GDPR in other respects. Let’s take a look at the key differences you should know about.

Who it protects

The CCPA safeguards the personal data of consumers who are California residents, while the GDPR protects data subjects in the European Union. Both definitions are broad, but the CCPA provides a clearer explanation of its key term.

According to the CCPA, a “consumer” means any natural person who is a resident of California as defined in tax provisions — that is, every individual who is in California for other than a temporary or transitory purpose as well as every individual who is domiciled in California but who is temporary outside the state.

 Unlike the CCPA, the GDPR does not define the term of data subject directly and uses inconsistent qualifiers when referring to data subjects. Thus, it can be applied to at least three types of persons: persons located in the EU, EU residents, and EU citizen located either in the EU or outside of it.

Definition of personal information

Both regulations protect information that relates to a natural person who can be identified, i.e., personal information (PI). However, there are some nuances to understand.

The GDPR provides the following examples of personal data: name, identification number, location data, physical address, email address, IP address, radio frequency identification tag, photograph, video and voice recordings, and biometric data. Certain online identifiers provided by devices that, when combined with other information, can be used to identify a natural person are also protected by the standard. Thus, under GDPR, the concept of PI is tied very closely to an individual.

The CCPA has a broader definition of PI. In particular, it includes information that could be used to identify a person’s behavior as a consumer, such as preferences, characteristics, psychological trends, attitudes, intelligence, abilities and aptitudes. Plus, in addition to regulating data about individual consumers, the CCPA also applies to any data that can identify a household.

However, what “personal data” includes under both standards depends on the context and likelihood that a data subject / a consumer can be identified by the given data. With such an ambiguous definition of PI, organizations should make sure to cover all possible types of personal data.

Entities that have to comply

The GDPR applies to every data controller (an organization that determines the purposes and means of processing EU residents’ PI) and data processor (an organization that processes the data for a data controller). The CCPA has a narrower scope; it applies to organizations that operate for profit, collect PI on California consumers and meet at least one of the following criteria:

  • Have annual gross revenues exceeding $25 million
  • Trade in the data of 50,000 or more California consumers, households, or devices
  • Derive more than 50% of their annual revenue from selling the PI of California consumers

Note that any organization controlled by a for-profit entity that meets these criteria and shares common branding will also have to comply with the CCPA. Therefore, many small businesses and nonprofit organizations can breathe a sigh of relief.

Rights granted

One of the fundamental elements of the CCPA is a requirement that organizations must inform consumers when their data is being sold to a third party and give them the opportunity to opt out. The GDPR does not regulate the process of selling data subjects’ PI.

 However, overall, compared to the GDPR, the Californian regulation cuts businesses some slack in regards to certain data subject rights. First, although both the GDPR and the CCPA grant consumers the fundamental right to delete their data, the CCPA has far more restrictions. The GDPR applies to all data concerning a data subject, whereas the CCPA’s deletion right applies only to data collected from the consumer and not to data about the consumer collected from third-party sources.

In addition, both standards exempt organizations from complying with a request to delete data if that data is necessary for them to exercise free speech or another legal right; comply with a legal obligation; or meet the public interest, scientific or historical research purposes, or statistical purposes. However, the CCPA includes more exceptions, such as if data is needed to perform a contract between the business and consumer or to identify and repair errors that impair existing intended functionality. In fact, the CCPA’s exceptions are broad enough to potentially eliminate a consumer’s deletion rights in most, if not all, circumstances.

Second, while the GDPR obliges organizations to limit personal data collection, storage and usage to the minimum necessary for it’s the specified purpose, the CCPA does not impose a data minimization mandate. Third, the CCPA does not grant consumers the right to rectification or correction of their personal data that is held by an organization.

Basis for consent

Under the CCPA, businesses are allowed to process and sell an individual’s PI if they make an online purchase or sign up, though the person has the right to opt out of the sale of their data. The CCPA also requires companies to create a channel, such as a website or a toll-free number, that consumers can use to exercise their rights, including the right to deletion and opt-out.

The GDPR approaches consent in a more nuanced way, requiring organizations to obtain consent prior to collecting a person’s data and granting  data subjects broader rights to restrict the processing of their personal data (that is, allow an organization to store but not process it). Therefore, despite the absence of an express right to opt out of data sale, the GDPR presents more significant challenges to any business that deals with personal data.

DPO appointment

Under the GDPR, with some exceptions, data controllers and data processors must appoint a data protection officer (DPO). The DPO’s role is to advise the organization on data protection obligations, monitor internal compliance, and act as a contact point for data subjects and the supervisory authority. He or she must have expertise in the field of data protection.

The CCPA does not require businesses to appoint a DPO or another designated employee to deal with compliance and data protection. Thus, businesses do not have to hire an arbitrator to monitor whether they protect consumers’ rights and do business in full compliance with the standard. But we hope that businesses will approach CCPA compliance in a sensible way and ask for legal advice to ensure that they have all controls in place.

Fines

Both regulations provide for significant financial penalties in case of non-compliance. GDPR fines can reach €20 million or 4% annual global turnover, whichever is higher. The CCPA allows for fines of up to $2,500 per violation or $7,500 per intentional violation. On top of that, the CCPA grants consumers the right to take private action, such as filing class-action lawsuits against businesses seeking compensation of $100 to $750 per consumer, per incident. Unlike the GDPR, the CCPA provides businesses with 30 days to cure alleged violations and avoid penalties.

Summary of differences

CategoryGDPRCCPA
Who it protectsEU data subjectsCalifornia consumers
Definition of personal information Any information relating to an identified or identifiable natural person, directly or indirectly. Examples include name, identification number, location data and biometric data.“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes data from internet or network activity, such as browsing and search history; data from a consumer’s interaction with a website, application or advertisement; and biometric or geolocation data.
Entities that have to complyData controllers (organizations that determine the purposes and means of the processing of personal data) and data processors (organizations that process the data for data controllers)Medium and large businesses (in terms of revenue and number of consumers affected) that process the PI of California consumers
Right to deletionApplies to all data collected about the data subject; has few restrictionsApplies only to data collected directly from and about consumers; has broad
Data minimization mandateYesNo
Right to rectification or correctionYesNo
Basis for consentRequires organizations to obtain consent prior to collecting data.Businesses are allowed to process and sell the PI of all consumers who make an online purchase or sign up. They must enable consumers to exercise their rights to opt out of the sale of their PI or request its deletion.
DPO appointmentYesNo
FinesUp to €20 million or 4% of worldwide turnover, whichever is greater Up to $2,500 per violation or $7,500 per intentional violation, as well as $100 – $750 per incident in compensations to individuals

It is yet to be seen how regulators will interpret the scope and provisions of the CCPA and the GDPR. In the future, we may see more instances of how these two regulations overlap. What we can state firmly is that achieving compliance with the GDPR does not mean that you have also met all the requirements of the CCPA. The CCPA covers a broader range of types of personal data and imposes additional obligations on companies, such as notifying consumers when their data is sold and providing the right to opt out of those sales.

The best approach to ensuring compliance with the CCPA is to establish a solid data privacy strategy that takes its requirements into account and to initiate data classification and record-keeping processes by January 1, 2019.