The California Consumer Privacy Act 2018 (CCPA) v. GDPR: The matchup
JULY 2018: This article was written for the IAPP and was originally published here
We all found out the results of the World Cup July 15, but there is a different matchup in the data protection world, the results of which will remain unknown until 2020: the EU General Data Protection Regulation and the California Consumer Privacy Act 2018.
Most data protection professionals would agree that the GDPR sets the global “gold-standard” for data protection and has forced companies across the globe to significantly update their data practices and ramp up their compliance programs. Many would likely dispute whether the CaCPA deserves to be placed at the same level, Honestly, it may be too early to tell. As the first U.S. attempt at a comprehensive data protection law, the CaCPA has the potential to become as consequential as the GDPR. After all, California is the fifth largest economy in the world, the home of many technology titans, and traditionally a trend-setting state for data protection and privacy in the U.S.
Although the CaCPA incorporates some concepts that data protection professionals are familiar with, it is not modeled after the GDPR. Thus, compliance with the GDPR does not equate compliance with the CaCPA. This article compares the scope and main features of both laws.
Territorial scope
The territorial scope of both the CaCPA and the GDPR extends well beyond the physical borders of their respective jurisdictions.
Under the GDPR, entities established in the EU are subject to the GDPR for all their processing activities (Article 3.1.), Entities that are not established in the EU but offer goods and services or monitor the behavior of individuals within the EU are subject to the GDPR only to the extent they process the personal data of those individuals (Article 3.2.).
The CaCPA applies to certain controllers that “do business in the State of California” regardless of where they are located but only to the extent that they process data of California residents. In other words, the “do business in California” test is the CaCPA equivalent to the GDPR’s “activities of an establishment,” but it only subjects entities to the CaCPA to the extent they process data of California residents. There is an exception in the CaCPA for conduct that takes place wholly outside of California but it is very narrow. Controllers that do not “do business in California” are outside of the scope of the CaCPA, even if they monitor the behavior of residents, so long as such monitoring cannot be considered “doing business in California.” Processors that provide services to controllers subject to the CaCPA are subject to the CaCPA themselves but their obligations are limited.
Material scope
Although both the GDPR and the CaCPA regulate the handling of personal information there are significant differences in terms of the material scope.
For starters, the CaCPA does not expressly limit applicability to automated processing of data unlike most (if not all) data protection laws around the world do. There is potential, however, that the legislature will add this requirement or it will be read into the statute by courts.
The GDPR is built on three roles: controller, processor and data subject. The distinction between controller and processor is based on a factual determination. Any entity that de-facto “determines the purposes and means of the processing” of personal data takes the role of controller as to that data and any entity that process personal data on behalf of a controller takes the role of processor as to that processing. Controllers take on the bulk of data protection responsibilities under the GDPR, but there are many requirements that apply to processors, as well.
Under the CaCPA there are four concepts: “businesses,” “service providers,” “third parties” and “consumers.” Consumers are California residents and they have rights under the CaCPA vis-a-vis organizations that hold their data — whether they have a direct relationship with them or not.
Most the CaCPA obligations apply only to “businesses,” which are for-profit controllers (see reference to “alone, or jointly with others, determines the purposes and means of the processing” in Sec. 1798.140(c) of the California Civil Code) that meet certain thresholds (annual gross revenue over $25M; buys, sells or receives/shares for “commercial purposes” the data of 50,000 California residents; or derives 50 percent of revenue from “selling” personal data of California residents). Once an entity in a company group qualifies as a controller, parent companies and subsidiaries may automatically qualify even if they do not meet the thresholds or act as controllers.
A “service provider” is a processor to a “business” that receives the data for “business purposes” under a written contract containing certain provisions. Only for-profit entities can be “service providers” under the current drafting of the CaCPA.
“Third parties” are entities other than “businesses” or “service providers” and they are only subject to the CaCPA to the extent that they receive data from a “business.”
To summarize, if we were to translate the CaCPA into GDPR jargon, a “consumer” is a data subject, a “business” is a controller that meets certain requirements, and also includes some entities in the controller’s group; a “service provider” is a processor for a “business” that meets certain requirements; and a “third party” is any entity that is neither a“business” nor a “service provider.”
Another definitional difference concerns “personal data.” The definition of personal data is expansive in the CaCPA. The CaCPA states that personal data “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” and then provides a long list of examples of specific pieces of information that are to be considered personal data — including not only IP addresses, cookies, beacons and pixel tags that can be used to recognize a data subject but also things like “probabilistic identifiers” and “gait patterns.” This definition is potentially broader than the definition of personal data under the GDPR.
Data processing principles
One of the most striking differences between the CaCPA and the GDPR is that the CaCPA does not contain data processing principles and, in fact, imposes few restrictions on what a “business” can do internally with personal data. However, the CaCPA authorizes the California Attorney General to issue guidance on the law. It would make sense for that guidance to describe the CaCPA data protection principles, we will have to wait on that though.
Lawful basis
The GDPR, like the 1995 Data Protection Directive, sets the rule that processing personal data is illegal unless the processing can be justified under one of six lawful bases. The CaCPA does not contain any similar provision; the general rule is that processing is allowed. It does, however, allow California residents to opt out of certain types of processing (what the CaCPA defines as a “sell”).
Data subject rights
The GDPR contains the traditional rights of access, rectification, correction and opposition, which are a common feature of most comprehensive data protection frameworks around the world. It also includes additional rights such as the right to data portability and the so-called “right to an explanation.”
The CaCPA confers six rights on California residents. The first one, the right to access personal data, is very similar to the access rights under the GDPR but the others are not. For example, the CaCPA contains a right to cancel (erase) data but it only applies to data that is collected by a “business” “from” the California resident exercising the right. What exactly that means is not clear at this point but we can anticipate a debate over whether data collected by CCTV cameras or data scraped from online public profiles is subject to the CaCPA’s erasure right. One thing we can know for sure is that the CaCPA would not support a case like Spain’s Costeja case, because Google did not collect the now famous (or infamous) newspaper bankruptcy report from Mr. Costeja but from a third party. One final point: The exceptions to the right to erase under CaCPA are also very different from the grounds that justify erasure and the balancing tests built into the GDPR and will require separate analysis.
The CaCPA contains two rights to know: The right to know what information has been collected, and the right to know what information has been shared. These rights are fairly prescriptive; however, the current version of the CaCPA contains contradictions that make providing a clear interpretation of exactly what will have to be disclosed impossible. What seems clear is that businesses will have to evaluate their practices to identify what sharing is to be considered for “business purposes” and what sharing is to be considered for “commercial purposes” under the CaCPA, as those two purposes will need to be separately disclosed.
As opposed to the GDPR, the CaCPA allows businesses to “sell” personal data but gives individuals the right to opt out of (or, in the case of minors under 16, the option to opt in to) the selling of their data (referred to as “the right to say no”). In GDPR terms, this right would be a limited version of the right to restrict processing under Article 18. The definition of a “sale” is not clear, it refers to transfers to “third parties” or “other businesses” for “monetary or other valuable consideration,” and guidance from the California attorney general on this point is expected.
As with the GDPR, the CaCPA does not allow for discrimination against individuals who exercise their rights under the act. The CaCPA expressly allows for financial incentives so long as they are not “unjust, unreasonable, coercive, or usurious in nature.” The CaCPA’s provisions on discrimination are unclear and somewhat contradictory. For example, the CaCPA states specifically that business are not prohibited from “charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer if that difference is reasonably related to the value provided to the consumer by the consumer’s data.” It is unclear exactly what is the value provided to the consumer by their own data.
Enforcement
Similar to the GDPR, the CaCPA assigns responsibility for enforcement to a governmental authority: the California Attorney General’s Office. Civil penalties can be significant under the CaCPA as they may reach up to $7,500 per violation. We will have to wait and see whether the attorney general will pursue a hard-line approach to enforcement or whether it will be moderate — since the attorney general is an elected position, we can anticipate that the approach will be somewhat dependent on the political winds at the time.
As opposed to the GDPR, the CaCPA does not create a private right of action except for data breaches. Specifically, the CaCPA allows any consumer whose “nonencrypted or nonredacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information” to sue to recover statutory damages between $100 and $750 per consumer per incident or actual damages, whichever is greater, and obtain other forms of relief. Service providers are not exposed to the private cause of action as it only applies to “businesses.” The plaintiff’s bar likely has high hopes for this provision. Companies that suffer a breach will see litigation on the basis of the CaCPA and face significant potential exposure in terms of damages awards (think “TCPA-plus”).
The private cause of action has many requirements, the most important being that potential plaintiffs must first notify the attorney general of their desire to sue, and they cannot proceed with their lawsuits if the attorney general prosecutes within six months. There is debate about the legality of these requirements, and we will likely see it challenged in court by the plaintiff’s bar.
In short, the CaCPA is the first overarching U.S. data protection law but it is significantly different from other data protection laws like the GDPR. It will require companies doing business in California to invest in compliance. Nobody should assume that being GDPR compliant makes them CaCPA compliant.
