Dec 6, 2019 12:00:00 AM | US Is CCPA (California Consumer Privacy Act) The Same as GDPR?

Under CCPA, consumers will enjoy significant control over the ways in which businesses utilize their data.  These expanded rights to data control are largely in line with the GDPR’s objectives.  However, the California law  differs from its European cousin in several important ways.

Under CCPA, consumers will enjoy significant control over the ways in which businesses utilize their data.  These expanded rights to data control are largely in line with the GDPR’s objectives.  However, the California law  differs from its European cousin in several important ways.

1. Under CCPA, not only individuals, but also households are considered identifiable entities. GDPR’s focus is on individuals only.
2. The scope of CCPA is narrower than that of GDPR, which targets any entity processing the data of individuals in the European Economic Area. CCPA on the other hand, targets larger corporations doing business in that state. Specifically, to be subject to CCPA, the entity must be a business that:
           a) Has gross revenues in excess of $25 million;
           b) Annually buys, receives, sells, or shares the personal information of at least 50,000 consumers,                  households, or devices; or
           c) Derives at least 50% of its annual revenues from selling consumers’ personal information.
3. CCPA provides stronger information protection for minors,
4. GDPR provides data subjects with greater control over their personal information including rights to correct and modify data.
5. Under both GDPR and CCPA, users hold certain opt-out legal rights, but the legal rights affected are different under each regime.  For example, CCPA addresses opt-out rights regarding the sale of personal information, whereas GDPR’s opt-out affects marketing-related rights. 

With regard to 3^rd party contracts, like the cascading effect of GDPR, it is likely that entities complying with CCPA will also require 3^rd parties with whom they enter into contracts to abide by the CCPA-compliant data collection and retention policies as a minimum.

Subsidiary companies, who may not in their own right have the characteristics as outlined above, but are under the control of a eligible parent company,  will need to develop and implement CCPA-compliant policies and protocols for the data they collect.  

The same applies to joint ventures, both entitities will likely need to agree on how data will be collected, stored, used, retained, or deleted.  Then as revenue is generated by their efforts, they both will bear some responsibility to ensure that CCPA-compliant data privacy protocols are developed and respected during the course of the collaboration.  

The provisions of GDPR have established a new privacy security standard globally for data-processing.  Businesses cannot afford not to be aligned, since such failure to comply with GDPR limits access to clients, resources, partners, business opportunities, and the revenues generated therefrom.  Similarly, CCPA, because of the statute’s sweeping nature and California’s economic prominence, stands to become the benchmark for operational data privacy protocols, and is being considered, in some quarters, as the template for a US federal privacy law.  

RECOMMENDED ACTIONS and CONCLUSION

As discussed above, the data privacy trend is clear.  GDPR, CCPA, and similar laws are likely to become the standard for “best practices in handling personal data”.  The new data privacy milieu will enshrine greater consumer data privacy regulations.

1. Disclosures.  Organisations need to develop accurate online disclosures of specific ways in which they use personal data, and the legitimate business reasons for the use of such personal information.  Online privacy policies should be regularly updated to accurately reflect organizational handling of personal information.
2. Opt-Out.  As discussed above, GDPR and CCPA differ on the legal rights implicated in opt-out provisions.  Organisations should assess the degree to which their operations affect EU and California citizens in order to implement appropriate opt-out opportunities for users. 
3. Children.  Both CCPA and GDPR provide for special notice and handling requirements of children, with differing requirements at age 13 and ager 16 thresholds.  Businesses are generally well-advised to exercise special care in handling the information of children, but especially under these new laws. 
4. Self-Assessment.  There are numerous legal contexts which could implicate legal requirements for organisations of all sizes, therefore all businesses should, in concert with qualified counsel, assess the degree to which their structures and activities may trigger CCPA and GDPR legal compliance obligations. 
5. Data Control.  Update and reorient data collection, retention, and deletion policies and protocols towards protection of consumer/donor/use data and empowering them to control its use.
6. Data Protection Assessment.  Assess how digital information is collected and stored, and ensure that all related and requested records could easily be located, transferred, or deleted when necessary.
7. Prioritize Data Protection.  Start viewing data privacy regulations and cybersecurity best practices as aspects of the operational landscape, to the same degree as corporate and tax laws and physical building and personnel security requirements.

These recommendations are consistent with well-structured data collection, data retention, and privacy policies, and should be accompanied by the appropriate policies and procedures. Cybersecurity and other considerations like data storage and communication encryption, data portability, and data breach responsiveness should be proactively addressed, in anticipation of greater scrutiny and legislative regulation over consumer data. Adopting such “best practices” approaches should help organizations exercise effective protection of sensitive data, wise stewardship, and avoidance of costly penalties.