By: George Gelinas
Businesses that deal with the collection or sale of personal information face increasing regulation and data privacy laws both abroad and domestically. Companies that have taken steps to comply with the European General Data Protection Regulation (“GDPR”) have an advantage when it comes to compliance with the California Consumer Privacy Act (“CCPA”); however, additional measures are necessary.
California’s data privacy protection law, which was enacted in 2018, went into effect on January 1st 2020. The CCPA resembles the GDPR because it gives users more control over their personal data that is stored by companies. California residents are now able to find out what personal data is being collected, how that data is used, who the data is sold to or shared with, and they now have the right to have data deleted.
Companies outside of California are also subject to the CCPA if the business has (i) more than $25 million in gross revenue, (ii) derives more than 50% of revenue from the sale of California residents’ data, or (iii) processes data from more than 50,000 California residents.
The GDPR and CCPA have similar goals and requirements. However, just because a company might be GDPR compliant does not mean they also comply with the CCPA. A metaphor widely used is that the GDPR creates a door for the EU user to lock before any data is collected or processed while the CCPA creates a window for the Californian user to open, which allows the user to determine what data has already been collected by a business or sold to a third party and subsequently take action. Herein lies the main difference between the GDPR and the CCPA: the former requires prior consent while the latter allows an opt-out mechanism.
One compliance factor that requires clear, proactive steps from companies is the “users’ right to be informed.” Both the GDPR and the CCPA contain provisions addressing the information that organizations must provide to individuals when collecting and processing personal data. Specifically, both the GDPR and the CCPA state that users must be informed of (i) the categories of data collected and (ii) the purpose for which collected data is used, and (iii) that if a user’s information is sold to a third party, the user must be given the opportunity to exercise his or her right to opt out. Unlike the GDPR, the CCPA does not differentiate between the notice for information collected from the user directly and the notice for a user’s information collected from a third party.
Under the CCPA, individuals have a private right of action to enforce violations, while the GDPR also provides for civil class actions. Most importantly, a class action right is created without having to prove actual loss. When it comes to enforcement, the CCPA and the GDPR are each enforced by their primary regulator. In California, the Attorney General must provide a notice of noncompliance 30 days prior to bringing an action and may recover fines of $2,500 per violation and $7,500 for willful violations. Individuals may recover penalties of $100 to $750 per violation.
The changes in the regulatory landscape are challenging for any business to navigate. However, with penalties this severe, small and medium businesses must be aware that even if they are GDPR compliant, CCPA compliance does not necessarily follow. Further, businesses should stay aware of other states that may enact similar legislation in the future.
California Consumer Privacy Act of 2018, §§ 1798.100 -1798.199 (2018).
See generally Alex Marini et al., Comparing privacy laws: GDPR v. CCPA, Future of Privacy Forum (2018), https://fpf.org/wp-content/uploads/2018/11/GDPR_CCPA_Comparison-Guide.pdf.
Matt Binder, Major new privacy law in 2020: What you need to know about the CCPA, Mashable (Dec. 31, 2019), https://mashable.com/article/what-is-the-ccpa/.
California Consumer Privacy Act of 2018, § 1798.140 (2018).
CCPA vs GDPR, https://www.cookiebot.com/en/ccpa-vs-gdpr/ (last visited Feb. 2, 2020).
Alex Marini et al., Comparing privacy laws: GDPR v. CCPA, Future of Privacy Forum 2, 28 (2018), https://fpf.org/wp-content/uploads/2018/11/GDPR_CCPA_Comparison-Guide.pdf.
Catherine D. Meyer et al., Countdown to CCPA #2: GDPR Compliance Does Not Equal CCPA Compliance, Pillsbury (Jun. 3, 2019), https://www.pillsburylaw.com/en/news-and-insights/ccpa-compliance-gdpr.html.