The GDPR team has new challenges with the California Consumer Privacy Act (CCPA) compliance and many more to come from other states. The CCPA law was adopted on 28th June 2018 just a month after GDPR effective date by the California state legislature and has been signed into the act. As of 1st January 2020, Californian consumers and households will enjoy a higher level of data protection with several provisions exceeding those in GDPR. Privacy experts often compare the CCPA to the GDPR because the CCPA borrows certain concepts from the EU law. The five new rights that have been awarded to Californians by CCPA:
- A right to know what personal information is being collected about them;
- A right to know whether their personal information is sold or disclosed and to whom;
- A right to say no to the sale of personal information;
- A right to access their personal information; and
- A right to equal service and price, even if they exercise their privacy rights.
CCPA – Personal Information Categories
The CCPA assessment defines personal information more broadly than California’s other laws. It includes any information that directly or indirectly identifies, describes, relates to, is capable of being associated with, or can reasonably link to a particular consumer or household. Households are included in the threshold for a covered business under the law. If a business alone or in combination, annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices, then the CCPA applies. The listed below are specific categories included in the statutory definition that businesses must use when providing their required disclosures.
- Identifiers, such as:
- real name
- an alias
- postal address
- email address
- unique personal or online identifier
- internet protocol (IP) address
- account name
- social security number (SSN)
- driver’s license or passport number
- other similar identifiers
- Personal information categories described in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), lists a person’s:
- physical characteristics or description
- state identification card number
- insurance policy number
- employment or employment history
- bank account number, credit card number, debit card number, or any other financial information.
- medical information or health insurance information
- Characteristics of protected classifications under California or federal law, like
- race, religion, gender, national origin, or sexual orientation (reference State Q&A, Anti-Discrimination Laws: California).
- Commercial information, including records of:
- personal property;
- products or services purchased, obtained, or considered; or
- other purchasing or consuming histories or tendencies.
- Biometric information
- Internet or other electronic network activity information, including browsing history, search history or information regarding a consumer’s interaction with an internet website, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as nonpublic personally identifiable information under the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g and 34 C.F.R. Part 99).
- A very important one is Inferences drawn from any of these personal information categories to create a profile about a consumer reflecting the consumers:
- psychological trends
The comparison between the GDPR and CCPA for a few selective categories:
|Law applies to||Data controllers and data processors: The data controller determines the purposes for which and how personal data is processed. The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the companyEstablished in the EU that process personal data in the context of activities of the EU establishment, regardless of whether the data processing takes place within the EU. Not established in the EU that process EU data subjects’ personal data in connection with offering goods or services in the EU or monitoring their behavior.||Any for-profit entity doing business in California, that meets one of the following: Has a gross revenue greater than $25 million.Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes. Derives 50 percent or more of its annual revenues from selling consumers’ personal information. The law also applies to any entity that either: Controls or is controlled by a covered business.Shares common branding with a covered business, such as a shared name, service mark, or trademark. Parts of the CCPA apply specifically to: Service providers. Third parties|
|Protects||Data subjects, defined as identified or identifiable persons to which personal data relates.||Consumers, defined as California residents that are either: In California for other than a temporary or transitory purpose.Domiciled in California but are currently outside the State for a temporary or transitory purpose. Consumers includes, Customers of household goods and services, Employees, and Business-to-Business transactions.|
|Protected Information||Personal data is any information relating to an identified or identifiable data subject. The GDPR prohibits the processing of defined special categories of personal data unless a lawful justification for processing applies. Refer to an earlier post on GDPR covered data categories.||Personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.The statutory definition includes a list of specific categories of personal information. Personal information does not include certain publicly available government records. The CCPA also excludes certain personal information covered by other sectors specific legislation from its coverage scope.|
|Security||The GDPR requires data controllers and data processors to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk.||The CCPA does not directly impose data security requirements. However, it does establish a right of action for certain data breaches that result from violations of a business’s duty to implement.|
Source: Thomson Reuters
The comparison between the GDPR and CCPA for a few selective categories continued in the Next Part IV.
The significant changes in GDPR assessment are related to the design which has the objective of providing rights as well as giving control to the personal data owner in deciding how the third party could use his/her personal information. Hence the rules are designed to ensure the data owner decides whether the third party can process his personal information, make changes, stop the use of information, etc. and have the right to receive the information requested, obtain his consent, restrict processing, provide visibility on the processing of information, etc.