The California Consumer Privacy Act from a European perspective
28th September 2020
The California Consumer Privacy Act (CCPA) is a Californian state statute intended to enhance privacy rights and consumer protection for residents of California. The CCPA was adopted in June 2018 and entered into force on 1 January 2020.
Companies offering services in California and in the European Union (EU) must comply with both CCPA and the European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). The CCPA post-dated the GDPR (which applied from 25 May 2018). Companies which reach Californian consumers will – provided they come within the scope of the CCPA – need to comply with the Californian legislation irrespective of whether they already comply with GDPR.
Which companies are subject to the CCPA?
The CCPA applies to any for-profit entity doing business in California that collects consumer personal data and meets any of the following three thresholds:
- has annual gross sales over $25 million; or
- holds data relating to more than 50,000 users or devices (ie, any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device); or
- makes more than 50% of its revenue from selling data (sale is defined to include any form of transfer of consumers’ personal information to a third party for money or other valuable consideration).
Who is a consumer under the CCPA?
Under the CCPA definition, a consumer is a natural person who is a California resident, i.e.:
- every individual who is in California for other than a temporary or transitory purpose; and
- every individual who is domiciled in California who is outside the state for a temporary or transitory purpose.
Consumers’ Rights under CCPA
The CCPA provides California consumers with the following rights:
- Right to know – consumers may ask for disclosure of the categories of personal information which are collected; whether their personal data is sold or disclosed and to whom;
- Right to access – consumers may request access, free of charge, to the personal information collected about them. The information may be delivered in hard copy or electronically. If provided electronically, the information must be in a portable and readily usable format that allows the consumer to port this information to another business unhindered.
- Right to deletion – in certain circumstances, a consumer may request that any personal information held about them be deleted. The right to deletion is not absolute and can be limited, eg may be refused if the continued holding of data is required to perform a legal obligation.
- Right to opt-out from sale – consumers may prohibit the sale of their personal information at any time.
- Right to nondiscrimination – companies shall not discriminate against consumers on the basis of their exercising their rights, eg by denying goods or services to the consumer; charging different prices or rates for goods or services.
To encourage compliance with the CCPA, businesses must:
- Guarantee the exercise of consumers’ rights, including:
  - designate how to submit requests for disclosure, deletion, etc. If the company maintains a website, consumers must be able to submit requests through it;
  - any websites must also implement a process for obtaining parental or guardian consent to data sharing for minors under 13, and the consent of minors between 13 and 16;
  - ensure that all employees responsible for handling privacy inquiries are aware of the existing privacy practices and are able to direct consumers on how to exercise their rights.
- Provide specific information. This includes:
  - a “Do Not Sell My Personal Information” link on the homepage of the website, which directs users to a web page enabling them to opt out of sale;
- Not limit consumers’ rights – pursuant to the CCPA, any provision of a contract of any kind that purports to waive or limit in any way the consumer’s rights given under the CCPA is deemed contrary to public policy and is void and unenforceable.
Sanctions and remedies
Breach of the CCPA may lead to claims or sanctions. For example, a fine of up to $7,500 for each intentional breach and $2,500 for each unintentional breach can be levied.
Also, in the case of data security breaches, the CCPA facilitates the bringing of civil class action lawsuits. This tends to result in a large total claim size and facilitates the claims of similarly situated individuals. In addition, the company in breach may be ordered to pay statutory damages of between $100 and $750 per California resident affected and per incident.
CCPA vs GDPR
Companies providing services in California and the EU must be compliant with both the CCPA and the GDPR.
Although the GDPR and the CCPA have a lot in common (e.g. both acts encourage transparency; require companies to report data breaches; and bear similarity in their definitions of certain terminology), they have their differences (e.g. the CCPA applies only to certain companies, whereas the GDPR applies to any data controllers and data processors which hold personal data of EU citizens; and they relate to different types of personal information).
For this reason, compliance with one of them does not guarantee compliance with the other. This is especially important in the light of the substantial financial sanctions each of the CCPA and the GDPR sets up.
CCPA consumers’ rights vs GDPR data subjects’ rights
At first glance, the CCPA consumers’ right to know, right to access, right to deletion, right to nondiscrimination and right to opt-out may look identical to the GDPR data subjects’ right to information, right to access, right to erasure (or “right to be forgotten”) and right to object, but on closer inspection differences appear. We have set these out in the schedule below.
Table 1: Differences between CCPA consumers’ rights and GDPR data subjects’ rights

| CCPA consumers’ rights | GDPR data subjects’ rights |
|---|---|
| Right to know | Right to information |
| On application, a processor company must disclose the categories of personal information collected, sold or disclosed for business purposes in the previous 12 months. | Controllers must provide data subjects with information on the following: the controller’s identification details; contact details of the data protection officer; legitimate interests for data processing (if any); data retention period; recipients of the collected personal data; existence of automated decision-making; right to file a complaint before the local data protection authority. |
| Right to access | Right to access |
| Right to opt-out | Right to object |
| Right to nondiscrimination | Right to nondiscrimination |
| Consumers must not be discriminated against because of the exercise of their rights, which means they must not be: in connection with their exercise of their rights under the CCPA. | |
| Right to deletion | Right to erasure (“right to be forgotten”) |
NBLO regularly advises and assists European and international companies on cross-border data protection enquiries, including the preparation of Privacy Policies, Cookies Policies, operating rules and procedures. Our lawyers also specialise in gap analysis and risk assessment in order to find a tailored solution. If you have any further questions regarding data protection and cross-border data protection compliance, please do not hesitate to contact us at [email protected].