The California Consumer Privacy Act from a European perspective

28th September 2020
Reading Time: 7 minutes

Introduction

The California Consumer Privacy Act (CCPA) is a Californian state statute intended to enhance privacy rights and consumer protection for residents of California. The CCPA was adopted in June 2018 and entered into force on 1 January 2020.

Companies offering services in California and in the European Union (EU) must comply with both CCPA and the European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). The CCPA post-dated the GDPR (which applied from 25 May 2018). Companies which reach Californian consumers will – provided they come within the scope of the CCPA – need to comply with the Californian legislation irrespective of whether they already comply with GDPR.

Which companies are subject to the CCPA?

The CCPA applies to any for-profit entity with a business in California that collects consumer personal data and comes into any of the following three gateways:

  • has annual gross sales over $25 million; or
  • holds data relating to more than 50,000 users or devices (ie, any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device); or
  • makes more than 50% of its revenue from selling data (sale is defined to include any form of transfer of consumers’ personal information to a third party for money or other valuable consideration).

Who is a consumer under the CCPA?

In the CCPA definition, a consumer is a natural person who is a California resident, i.e:

  • every individual who is in California for other than a temporary or transitory purpose; and
  • every individual who is domiciled in California who is outside the state for a temporary or transitory purpose.

Consumers’ Rights under CCPA

The CCPA provides California consumers with the following rights:

  • Right to know – consumers may ask for disclosure of the categories of personal information which are collected; whether their personal data is sold or disclosed and to whom;
  • Right to access – consumers may request access, free of charge, to the personal information  collected  about them. The information may be delivered in hard copy or electronically. If provided electronically, the information must be in a portable and readily usable format that allows the consumer to port this information to another business unhindered.
  • Right to deletion – in certain circumstances, a consumer may request that any personal information held about them be deleted. The right to deletion is not absolute and can be limited, eg may be refused  if the continued holding of data is required to perform a legal obligation.
  • Right to opt-out from sale – consumers may prohibit the sale of their personal information at any time.
  • Right to nondiscrimination – companies shall not discriminate against consumers on the basis of their exercising their rights, eg by denying goods or services to the consumer; charging different prices or rates for goods or services.

Compliance

To encourage compliance with the CCPA, businesses must:

  • Guarantee the exercise of consumers’ rights – including:
    • designate how to submit requests for disclosure, deletion, etc. If the company maintains a website, consumers must be able to submit requests through it;
    • any websites must also implement a process for obtaining parental or guardian’s consent to data sharing for minors under 13, and the consent of minors between 13 and 16;
    • ensure that all employees responsible for handling privacy inquiries are aware of the existing privacy practices and able to direct consumers to exercise their rights.
  • Implement and maintain reasonable security – this includes adoption or update of a Privacy Policy, Cookies Policy (where relevant), operational rules and procedures.
  • Provide specific information. This includes:
    • detailed information about the collection of personal information and its purposes not dissimilar to the Privacy Policy disclosures compliant with the GDPR;
    • a “Do Not Sell My Personal Information” link on the homepage of the website, that directs users to a web page enabling them to opt out of sale;
    • link to its online privacy policy;
  • Not limit consumers’ rights – pursuant to the CCPA any provision of a contract of any kind that purports to waive or limit in any way consumer’s rights given under the CCPA are deemed contrary to public policy and void and unenforceable.

Sanctions and remedies

Breach of the CCPA may lead to claims or sanctions. For example, a fine up to $7,500 for each intentional breach and $2,500 for each unintentional breach can be levied.

Also, in case of data security breaches, the CCPA facilitates the bringing of a civil class action lawsuits. This tends to result in a large total claim size and facilitates the claims of similarly-situated individuals. In addition, the company in breach may be ordered to pay statutory damages between $100 to $750 per California resident affected and per incident.

CCPA vs GDPR

Companies providing services in California and the EU must be compliant with both the CCPA and the GDPR.

Despite the fact that the GDPR and the CCPA have a lot of in common (e.g. both acts encourage transparency; require companies to report data breaches; bear similarity in relation to their definitions of certain terminology), they have their differences (e.g. CCPA applies only to certain companies and the GDPR applies to any data controllers and data processors which hold personal data of EU citizens; they relate to different types of personal information).

For this reason, compliance with one of them does not guarantee compliance with the other. This is especially important in the light of the substantial financial sanctions each of the CCPA and the GDPR sets up.

CCPA consumers’ rights vs GDPR data subjects’ rights

At a first glance, the CCPA consumers’ right to know, right to access, right to deletion, right to nondiscrimination and right to opt-out may look identical to the GDPR data subjects’ right to information, right to access, right to erasure (or “right to be forgotten”) and right to object, but on a closer look, differences appear. We have set out these in the schedule below.

Table 1: Differences between CCPA consumers’ rights vs GDPR data subjects’ rights

CCPA consumers’ rights GDPR data subjects’ rights
Right to know Right to information
On application, a processor company must disclose the categories of personal information collected, sold or disclosed for business purposes in the previous 12 months. Controllers must provide data subjects with information on the following: controller’s identification details; contact details of the data protection officer; legitimate interests for data processing (If any); data retention period; recipients of the collected personal data; existence of automated decision-making; right to file a complaint before the local data protection authority.
Right to access Right to access
  • Applies only to personal information collected in the 12 months prior to the request.
  • Companies are not required to provide access to personal information more than twice in 12 months.
  • Requests must be responded to within 45 days of receipt of request.
  • Applies to all personal data collected and processed held about the data subject regardless of time of collection.
  • Controllers must include in response to a SAR the holding period, the right to lodge a complaint with the respective data protection authority, the existence of automated decision making, and any data transfers.
  • Controllers may refuse to act on a request when it is manifestly unfounded, excessive or has a repetitive character. Data subjects’ requests must be compiled without undue delay and in any event within 1 month from the receipt of the request.
Right to opt-out Right to object
  • It concerns situations where personal information is sold or disclosed for business purposes of their personal information.
  • The opt-out can stop provision of personal information, and it does not impact other uses of their information.
  • The right to opt-out of the sale is absolute and companies cannot reject an opt-out request on the basis of their compelling grounds.
  • Data subjects may object to the processing of their personal data when the processing is based on legitimate interests.
  • The controller shall no longer process the personal data if not able to prove that there are compelling legitimate grounds to continue the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  • There is no specific language for the objection.
Right to nondiscrimination Right to nondiscrimination
Consumers must not be discriminated against because of the exercise of their rights, which means they must not be:

  • denied goods or services;
  • charged different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
  • provided a different level or quality of goods or services; and
  • suggested they will receive a different price or rate for goods or services

in connection with their exercise of their rights under the CCPA.

  • Such right is not expressly contained in the GDPR. However, it is implicit from the principles of the GDPR (par. 71, 75 and 85 of the Preamble) that individuals must be protected from discriminatory consequences derived from the processing of their personal data.
Right to deletion Right to erasure (“right to be forgotten”)
  • The scope is not limited to specific situations, categories of personal information or purposes.
  • Applies to personal information that a business has collected from the consumer; the consumer does not have to justify his or her request.
  • Response to a request for deletion must be produced within 45 days of the receipt of the request.
  • Companies must provide at least two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number, and if the business maintains an internet website, a website address.
  • Companies are not required to delete in the following circumstances:
  • when there is outstanding performance of a contract between the business and the consumer;
  • to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible;
  • debug to identify and repair errors;
  • to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business;
  • otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
  • when non-deletion protects freedom of expression (free speech) or freedom of information;
  • when the processing is for research purposes and erasure of the personal data would frustrate the research;
  • to establish, exercise or defend legal claims;
  • when complying with a legal obligation.
  • The right to erasure only applies if any of the following grounds apply:
  • where consent is withdrawn and there is no other legal ground for processing, or
  • when personal data is no longer necessary for the purpose for which it was collected.
  • Requests for erasure must be replied to without undue delay and in any event within 1 month from receipt of the request.
  • A request may be made by any appropriate means
  • If the controller has made the personal data public, he must take reasonable steps, including technical measures, to inform other controllers that erasure has been requested
  • Exemptions:
  • free speech or another right provided by law;
  • processing for research purposes, if the deletion of personal information would render impossible or seriously impair the achievement of such research;
  • processing of that personal information is necessary to protect against illegal activity or prosecute those responsible for the activity;
  • for complying with a legal obligation;
  • for reasons of public interest in the area of public health.

Conclusion    

In conclusion, in order to be both CCPA and GDPR compliant, companies must consider carefully their situation and take steps to implement or adapt their Privacy Policy, Cookies Policy, internal rules and procedures, website information and others.

Further questions

NBLO regularly advises and assists European and international companies on cross-border data protection enquiries, including, preparation of Privacy Policies, Cookies Policies, operation rules and procedures. Our lawyers are also specialised at gap analysis and risks assessment in order to find a tailored fit solution. If you have any further questions regarding data protection and cross-border data protection compliance, please do not hesitate to contact us at [email protected].

© New Balkans Law Office 2020

The Bulgarian and dual-qualified lawyers of New Balkans Law Office are regulated by the respective Bar of their registration. New Balkans Law Office is a brand name of Legal Services EOOD, a company registered under Bulgarian law. Reg’d No. 202331677. Further details are available here.

© New Balkans Law Office 2020