On June 28, Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) of 2018 into law, considered by many to be one of the toughest data privacy laws in the U.S.
Overview of CCPA
The CCPA protects Californians’ rights to have access to and to delete the data companies collect about them. It also allows them to opt out of their data being sold. It is clearly a response to a ballot initiative that was due to be voted on this November. Although not everyone is pleased with the new law, the ballot initiative has now been withdrawn. However, the State of California will conduct a period of public consultation before 2020 which will provide an opportunity to strengthen the law.
The ink is hardly dry on the Act, and it will doubtless be the subject of a lot of analysis, but here is an initial take on it.
While there are a number of laws and regulations about data in the U.S., the CCPA is very clear in what it sets out to do and is probably the toughest law that any state has enacted. California often leads in innovations, and we can expect other states, and possibly the Federal government, to follow this initiative. In any case, California is such a huge market that most U.S. businesses are active there and will need to ensure they are following the CCPA.
The CCPA is directed at businesses that have $25 million or more in annual revenue, or trade in the data of 50,000 or more persons or endpoints or derive 50% or more revenue from selling consumers’ personal information. So very small businesses can breathe a sigh of relief, but the universe of businesses that are covered in the scope of CCPA is still extremely large.
CCPA vs. GDPR
The CCPA was clearly influenced by the General Data Protection Regulation (GDPR) of the European Union (EU), and it is interesting to compare and contrast the two pieces of legislation. For instance, the CCPA has a right to be forgotten, a right to portability and a right to access to data, which are clearly recognizable to anyone familiar with the GDPR. But there are differences too, such as explicit damages in the CCPA that can be awarded to individuals in the event of a data breach.
The CCPA does not speak of a “data subject,” as the GDPR does, but rather a “consumer,” meaning a natural person who is a California resident. “Person” means something else in the CCPA — an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.
It is the “consumer,” not the “person,” whose rights are safeguarded in the CCPA. Similarly, the GDPR speaks of “Data Controllers” and “Data Processors,” but the CCPA just deals with “businesses” (although the spirit of distinction between the Data Controller and the Data Processor does seem to be present in the CCPA).
One interesting difference between the CCPA and the GDPR is a difference between metadata and data. The CCPA explicitly states that a consumer has the right to be informed of the categories of personal data, categories of sources of data and categories of third parties that a business shares personal data with.
The GDPR really only speaks about data and the need for plain language in terms of disclosures to data subjects. The emphasis on categories in the CCPA raises some interesting metadata concerns, like what the categories are, how they are defined, and how information, sources and third parties are actually categorized. All of this is metadata. Of course, as noted above, consumers also have rights to actual data in the CCPA.
Another interesting difference is specificity about disclosures. The GDPR states that data subjects must be provided with an explanation that is clear and specific of what purposes the data will be used for. The Data Controller has some latitude in how this is to be done.
The CCPA is more prescriptive. It states that a business will “provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information.”
The CCPA calls out inferences in a way that the GDPR does not. The GDPR has language about building a “profile” of a Data Subject. However, the CCPA seems to go further and includes inferences about consumers as part of personal information. Specifically, personal information includes “Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.”
Yet another distinction between the CCPA and GDPR is that damages can be awarded to individuals. In the GDPR, fines can be levied for failure to comply that are four percent of global revenue or EUR 20 million (whichever is greater). The CCPA provides that in the event of a data breach, a business may have to compensate a consumer from $100 to $750. Estimates of what a data breach costs an organization have in the past previously been in the $100 to $200 range, so this could now rise significantly.
But what the CCPA gives with one hand it takes back with the other. Consumers can bring actions, but there are a set of conditions that have to be met for them to proceed, such as informing the Attorney General, who can prosecute in place of the consumer. There is some discussion of class action lawsuits in the CCPA, and clearly the State of California does not want this law to bring on a “feeding frenzy” of class action litigators. That may be difficult to achieve, and it is a pretty safe bet to expect that in the public consultation period in 2019, there will be some intense lobbying from legal groups to allow businesses to be more open to class action lawsuits.
Data Privacy is Here to Stay
There is much more that can be written about the CCPA, but we will end our brief survey here. What we can now see by comparing the GDPR and CCPA is that the area of data privacy is something that governments are taking very seriously. We can also see that there are different legal and cultural heritages that affect how the provisions of these laws are presented in different jurisdictions.
It is also beginning to be clear that “data” is so broad an area that different laws address (or ignore) different parts of it, without any of them being truly comprehensive.
We certainly live in interesting times.