Does the US have anything like the GDPR? Has the volume of privacy regulation that businesses are subject to effectively doubled, or do the new regulations that followed the GDPR closely resemble it? Here is what you need to know about California’s CCPA vs Europe’s GDPR.
What is the CCPA?
Only two months after the GDPR went into effect in May 2018, the California legislature passed the CCPA (full original text), a new privacy bill largely based on the GDPR. The quick turnaround on the bill was driven by the growing popularity of a ballot initiative started by Californians for Consumer Privacy. Since 2018, the CCPA has gone through many revisions (find the final text here) amid public hearings and lobbying by businesses, though many of the core requirements and rights remain untouched. At a high level, the CCPA requires businesses to adhere to certain privacy practices and grants consumers the right to request access to or deletion of their data held by businesses, and to send businesses a request to opt out of the sale of their data.
Who does the CCPA apply to? Who must comply with the CCPA?
The CCPA has extraterritorial reach. It applies to businesses that collect personal information from California consumers, do business in California for profit or for the financial benefit of shareholders in California, and meet at least one of three minimum thresholds, regardless of whether they have an office or any other physical presence in the state.
To fall within the scope of the statute, a business must meet one or more of the following thresholds:
- Have in excess of $25 million in annual gross revenue or
- Buy, receive for commercial purposes, sell, or share for commercial purposes, the personal information of 50,000 or more consumers or households or
- Derive 50 percent or more of their annual revenue from selling consumers’ personal information.
As a result, most small businesses are exempt from compliance, while businesses do not need to collect information directly from California consumers to be covered: if consumer data is collected on their behalf by a service provider or other third party and the other criteria are satisfied, they can still fall under the statute.
Outside of small and niche businesses, most companies that do business in California are required to comply with the CCPA. In a recent article, What you need to know about CCPA Enforcement, beginning July 1st, we covered which companies should be most concerned, based on recent studies and on notices sent out by California Attorney General Xavier Becerra. The office of the Attorney General also recently released commentary on the proposed CCPA regulations, which offers further insight into what to expect from early enforcement and what companies are expected to have covered at this point.
What data is covered by the CCPA?
The CCPA governs consumers’ rights with regard to various aspects of their “personal information.” Under the law, “personal information” is not restricted to traditional notions of “sensitive information” or “personally identifiable information.”
What is the GDPR?
The GDPR fundamentally reshaped how companies collect and process personal data, and it is crucial to understand how personal data is treated under this regulation. Personal data is a broad term under the regulation, and a wide range of rights is granted to individuals regarding that data. A data subject’s rights include access to their own data, the ability to correct inaccuracies and to restrict the use of their data, and the right to be forgotten. With all these rights granted to EU citizens, businesses must be able to locate and act on the relevant data sets quickly.
Alongside understanding the GDPR, businesses must also recognize their role as either a controller or a processor of a data set. Under the GDPR, controllers and processors have different obligations, and in certain cases a business can be both the controller and the processor. The controller determines the purposes and means of processing data, while a processor simply works with the data on behalf of the controller. Controllers primarily interface with data subjects and must respond promptly to their requests by providing the necessary information and acting on the data. Processors, in turn, assist the controller in deleting, manipulating, or sharing a subject’s data.
Who Does the GDPR apply to?
The GDPR applies to companies or entities that process personal data and either have an establishment in the EU or offer products or services (paid or free) to EU residents. Although this includes practically any company that sells to EU residents, not all obligations of the GDPR apply to small and medium enterprises if they do not process personal data as a core part of their business. One such example is the appointment of a Data Protection Officer (DPO).
Examples (via The European Commission)
When the GDPR applies
“Your company is a small, tertiary education company operating online with an establishment based outside the EU. It targets mainly Spanish and Portuguese language universities in the EU. It offers free advice on a number of university courses and students require a username and a password to access your online material. Your company provides the said username and password once the students fill out an enrolment form.”
When the regulation does not apply
“Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”
What are the 7 principles of GDPR?
The GDPR sets out 7 key principles, stated early in the legislation, that give purpose to the 99 articles that follow. The principles are not specific, measurable rules; rather, they express what the law seeks to achieve. Compliance with the principles is key to building a company’s privacy program, and integrating them into the company is part of creating privacy by design.
The seven principles are as follows:
- Lawfulness, fairness and transparency
  - Identify valid grounds for collecting and using personal data (known as a lawful basis)
  - Use personal data in a fair manner; do not process the data in a way that could be detrimental, unexpected, or misleading to the individual
  - Communicate openly and honestly with users from the first contact about how their personal data will be used
- Purpose limitation
  - State clear purposes for processing data
  - Personal data can only be used for new purposes if they are compatible with the originally stated purposes or users give their consent
- Data minimisation
  - Ensure personal data processed is:
    - Adequate and sufficient to fulfill the purpose
    - Relevant – has a link to the purpose
    - Limited – excess data is not retained and necessary data is not kept past when needed
- Accuracy
  - Take all reasonable steps to ensure the personal data kept is correct
  - Depending on use, personal data may need to be updated regularly
  - If personal data is identified as incorrect or misleading, it must be corrected or erased
- Storage limitation
  - Personal data must not be kept longer than necessary
  - Companies must be able to justify how long they keep personal data, which will depend on the purpose of collection and holding
  - Wherever possible, a documented policy setting standard retention periods should be in place
  - Individuals have the right to have data deleted if it is no longer needed
  - Data kept should be periodically reviewed, and erased or anonymized if no longer needed
- Integrity and confidentiality (security)
  - You must ensure that you have appropriate security measures in place to protect the personal data you hold.
- Accountability
  - The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles.
  - You must have appropriate measures and records in place to be able to demonstrate your compliance.
Timeline and Enforcement History
Top 5 violation types by total fines imposed:
- Insufficient technical and organisational measures to ensure information security: € 335,186,607 (80 fines)
- Insufficient legal basis for data processing: € 128,791,480 (150 fines)
- Non-compliance with general data processing principles: € 17,550,565 (61 fines)
- Insufficient fulfilment of data subjects’ rights: € 9,531,197 (40 fines)
- Insufficient fulfilment of information obligations: € 568,305 (20 fines)
Highest individual fines
- British Airways, UK, July 8, 2019: € 204,600,000 (insufficient technical and organisational measures to ensure information security)
- Marriott International, UK, July 9, 2019: € 110,390,200 (insufficient technical and organisational measures to ensure information security)
- Google, France, January 21, 2019: € 50,000,000 (insufficient legal basis for data processing)
- TIM (telecommunications operator), Italy, January 15, 2020: € 27,800,000 (insufficient legal basis for data processing)
- Austrian Post, Austria, October 23, 2019: € 18,000,000 (insufficient legal basis for data processing)
CCPA vs GDPR Summary