On 1st January 2020 a new online privacy law, the California Consumer Privacy Act (CCPA), comes into force. It will govern how major tech businesses such as Facebook, Google, Amazon and Uber collect and use the personal data of their users.
The Act was signed into law on 28 June 2018. It gives residents of California the right to know what personal information companies have collected about them and to opt out of having that data sold, without being charged a fee or receiving a lesser service for doing so. In addition, California's attorney general has the power to bring enforcement actions against businesses that fail to comply, and consumers gain a limited right to sue businesses that fail to secure their personal data against cyber attacks.
Given that many global companies are still feverishly working on their GDPR compliance, they rightly wonder if worldwide implementation of the GDPR’s privacy protective measures will be sufficient for them to comply with the CCPA or similar laws across the globe.
Could the CCPA be considered the US counterpart of the GDPR? The answer is no. Although the CCPA's focus on consumer data rights has understandably drawn comparisons with the GDPR, compliance with the latter does not necessarily mean compliance with the former, especially in the following areas:
Applicability. The GDPR applies to the processing of personal data by controllers and processors established inside the European Union, and also to controllers and processors established outside the Union where the processing relates to offering goods or services to, or monitoring the behaviour of, data subjects in the Union. The CCPA, by contrast, only regulates companies "doing business" in the State of California; it does not extend to companies whose "commercial conduct takes place wholly outside of California". Even companies that process the personal information of California residents are not subject to the new Act unless they satisfy one (or more) of the following thresholds: (i) annual gross revenues in excess of US$25m; (ii) annually buying, receiving, selling or sharing the personal information of 50,000 or more California residents, households or devices; or (iii) deriving 50 percent or more of annual revenue from selling California residents' personal information.
Concept of personal data. The CCPA explicitly includes information that "could reasonably be linked, directly or indirectly, with a particular consumer or household". Consequently, not only a consumer's IP address but also the utility invoices of a Californian household constitute personal information under the CCPA. The GDPR's definition is framed around an identified or identifiable natural person and does not mention households.
User rights. Unlike the GDPR, the CCPA does not define any legal grounds for processing, nor does it require explicit consent as a general matter (the notable exception being the sale of personal information of consumers under 16, which requires opt-in consent). Instead, the Act furthers Californians' right to privacy by giving consumers effective ways to control their personal information. In doing so it imposes certain very prescriptive obligations, such as the duty to provide consumers with a toll-free telephone number and a website address for submitting information requests.
Equal rights. The CCPA stipulates that Californians have a right to equal service and price even if they exercise their privacy rights. Companies are therefore prohibited from denying goods or services to, charging different prices to, or providing a different level or quality of service to consumers who exercise those rights. On the other hand, businesses are allowed to offer financial incentives for the collection or sale of personal information, and may even differentiate the price or quality of goods and services where that difference is reasonably related to the value provided by the consumer's data.
Data security. When it comes to data security and data breach response, the CCPA is less stringent than the GDPR. Although businesses have a duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, the CCPA itself contains no breach notification obligation. Note, however, that California's separate breach notification statute (Civil Code section 1798.82) continues to apply, so a breach involving Californians' data must still be notified under that law. In practice, a business whose security programme already meets the GDPR's requirements is unlikely to need further measures to satisfy the CCPA's "reasonable security" standard, although the CCPA's private right of action for breaches (see below) raises the cost of getting it wrong.
Fines and financial exposure. Companies should not forget that in case of non-compliance they may face liability under the CCPA on top of any GDPR penalties. Enforcement of the CCPA rests with the California attorney general, who can bring a civil action for civil penalties of up to US$7,500 per intentional violation of any provision of the Act, and up to US$2,500 per violation otherwise, where the violation is not cured within 30 days of notice. Only in the case of a data theft or data security breach resulting from a failure to maintain reasonable security do consumers themselves have a private right of action, for statutory damages of between US$100 and US$750 per consumer per incident or actual damages, whichever is greater, together with any other relief a court deems proper. In addition to this rather limited consumer right, the Act also authorises the attorney general to bring a civil class action. When combined with the GDPR's administrative fines of up to €20m or 4 percent of total worldwide annual turnover (whichever is higher), the total amount payable for a violation and/or data breach could be an existential threat to many companies.
The CCPA and the GDPR do, however, have a lot in common. Both laws impose transparency obligations, and each lays down a right to delete personal data (the 'right to be forgotten') as well as a right of access that includes receiving one's data in a portable format.
Organisations in Malaysia that have operations or do business in the Golden State of California should take note when the clock strikes midnight on 1st January 2020.