Your Customers' Privacy, Protected!
California Consumer Privacy Act vs GDPR: What You Need To Know

California Consumer Privacy Act vs GDPR: What You Need To Know
Debra J. Farber

The California Consumer Privacy Act of 2018 (CCPA) is the first law of its kind in the US; it gives greater privacy rights to consumers who reside in the state. The CCPA comes soon after the enactment of the European Union General Data Protection Regulation (GDPR) and borrows many of its core principles. The Act, which goes into effect January 1, 2020, grants consumers unprecedented control over their personal information and enshrines in California law a significant number of the data subject rights that the GDPR provides for. The Act also imitates the GDPR's emphasis on fines for violations and provides a private right of action to ensure that the law has teeth. For enterprises operating in the U.S. and the EU, understanding the differences and similarities will be important to effective preparation and compliance. The following summary provides an introduction to frame conversations inside the enterprise.

Privacy Scope: CCPA vs GDPR

The material scope of the CCPA's definitions of "collecting" and "selling" personal information is similar to the GDPR's definition of "processing". However, while there are many overlapping elements, the GDPR definition of processing is much broader. The GDPR applies to all organizations that process the personal data of EU data subjects and covers much more than the collection and selling/renting of data and the operations related to collection. The CCPA does not apply to all businesses. Instead, it applies only to for-profit businesses that meet at least one of three thresholds: annual gross revenues of at least $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households, or devices per year; or deriving 50% or more of annual revenues from selling consumers' personal information.

Nevertheless, the CCPA, like the GDPR, introduces hefty fines and a consumer right of action to sue for noncompliance. Therefore, covered organizations must know where all personal information is stored within the organization's IT environment in order to respond to requests appropriately and on time. They must also be able to identify, or reasonably infer, which individuals live in California. This will be quite a challenge for many companies that have never collected state residency or inferable address information. In addition, the CCPA, like the GDPR, grants residents personal data rights such as the right to access or delete their personal information, which will require companies to locate and report on any individual's data across their data landscape. Moreover, because of the heightened awareness of unauthorized data sharing following the Cambridge Analytica revelations, companies will want to reconsider whether to use third-party data sources to enrich their data sets, and how they track and regulate data sharing with third parties to ensure appropriate consent.

Penalties: CCPA vs GDPR

A business is in violation of the CCPA only when it fails to cure a violation within 30 days after being notified of its noncompliance. The California Attorney General may impose civil penalties for violations, with a maximum of $2,500 per violation, or $7,500 per intentional violation. In the event of a data breach resulting from a failure to implement and maintain reasonable security procedures, any consumer may bring a civil action to recover statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater, and to obtain injunctive or declaratory relief. While the Act limits litigation by restricting the private right of action to such breaches, businesses should still brace themselves for an active enforcement climate: CCPA penalties can be very steep, and consumer actions are likely to be plentiful.

While the legislature will continue to amend the CCPA before the January 1, 2020 enforcement date, covered businesses should start preparing now to achieve compliance.

Beyond PII: CCPA's "Personal Information" vs. GDPR's "Personal Data"

The CCPA defines "personal information" much more broadly than most previous U.S. privacy laws. Personal information under the Act includes information that identifies, relates to, describes, or is capable of being associated with a particular consumer or household. The CCPA definition includes IP addresses, geolocation data, biometric information, unique identifiers such as device and cookie IDs, Internet activity information like browsing history, commercial information such as products or services purchased or consuming histories or tendencies, and characteristics concerning an individual's race, color, sex (including pregnancy, childbirth, and related medical conditions), age (40 or older), religion, genetic information, sexual orientation, political affiliation, national origin, disability or citizenship status. Inferences drawn from personal information to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes are also personal information. The GDPR applies to personal data even when it is publicly available, while the CCPA does not apply to publicly available information lawfully sourced from government records, as long as the commercial use of the data is compatible with the purpose for which the government maintains it. Because this definition of personal information (PI) goes far beyond the specific categories of personally identifiable information (PII) that appear in U.S. state data breach notification laws, companies that have not been affected by the GDPR, or those that are affected but have not yet begun compliance efforts, will likely have much work to do to distinguish PI from PII in order to comply with the CCPA.

CCPA Rights of the Consumer vs GDPR Data Subject Rights

The personal data rights that the CCPA grants to consumers are very similar to those afforded by the GDPR; some wording has been copied directly from the GDPR. Under certain conditions, a resident of California will have the right to request deletion of personal information (akin to the "right to be forgotten"), to request access to his or her own data collected by a covered business, to obtain that data in a portable format, to be informed about the collection of personal information without having to request it first (i.e. "notice"), and to opt out of the sale of personal data. Notably, the CCPA does not grant a GDPR-style "right not to be subject to automated decision-making" that has a legal or similarly significant effect on the person, nor a more general right to object to processing or to withdraw consent at any time.

When a consumer access request (akin to a GDPR data subject access request) is made, a business must disclose and deliver the required information to the consumer within 45 days, inclusive of the time needed to verify the request. A further 45-day extension is available when reasonably necessary, provided the consumer is notified, and an extension of up to 90 additional days is available to businesses when necessary.

Enumerated, the personal data rights the CCPA grants to California residents include:

1. Right to Know: Similar to the GDPR, the Act requires businesses to expand their existing website privacy policy or other California-specific description of privacy rights to include a description of a consumer's rights under the CCPA and the information that must be disclosed in response to consumer requests for information. This includes the categories of personal information collected, sold, or disclosed for a business purpose. This information must be updated at least every 12 months, and additional uses or the collection of additional categories of data require notice to the consumer. Consumers have the right to request that a company that collects their personal information disclose the categories and specific pieces of data the business has collected.

2. Right to Access and an Implied Right of Data Portability: Both the CCPA and the GDPR require organizations to provide access to personal data, and to respond to other requests made in the exercise of data subjects' rights, free of charge. Upon receipt of a verifiable request, a business must provide a California consumer with access to the personal information it holds, in a readily usable format that allows the consumer to port the data to another entity without hindrance. Consumers may make this request to a business no more than twice in a 12-month period. A business is not required to include data obtained in a one-time transaction, or to re-identify or link information that is not kept in identifiable form. While this access right provides transparency to consumers, many privacy experts are scratching their heads wondering why the California legislature failed to include a right to correct inaccurate personal information like the GDPR's "right of rectification". The right to portability is both wider and more restricted in the CCPA than in the GDPR. It is wider in that each response to a consumer access request for collected data, if given electronically, must contain the data in a portable format without the consumer having to specifically request this. It is more restricted in that the GDPR also provides for direct portability between businesses (data controllers), so the data subject need not act as an intermediary.

3. Right to Disclosure (i.e., notice) and Choice Regarding the Sale of Personal Information to a Third Party: Companies are required to provide notice and an opportunity to opt out before selling or disclosing personal information to third parties. Consumers have the right to request, and businesses have the obligation to provide, the categories of personal information about the consumer that are sold or disclosed.

CCPA Opt Out vs GDPR Right to Withdraw Consent

The CCPA opt-out provision for the sale of data is more similar to the GDPR's "right to withdraw consent" than to its general "right to object to processing", since both the opt-out and the withdrawal of consent can be exercised at any time and without justification. Where an organization buys, rents, or sells personal information to other companies, the Act requires it to keep a record of all sales for 12 months and to provide a clear and conspicuous link on its website with the call to action "Do Not Sell My Personal Information", so that people may easily opt out of that practice if they so choose. The Act requires even more of those that sell the personal information of children under 16. Such a link or button, and other permission requests, will surely raise privacy concerns for many prospects, which will likely cost businesses their trust. The passage of the CCPA shines a light on data brokers' practices. Data brokers and advertisers should therefore expect that a great many consumers will request that their data not be sold; they should begin re-evaluating their business models now and implement changes before the 2020 enforcement date. Furthermore, the Act appears to undercut the current self-regulatory advertising framework in the United States, since the CCPA appears to give consumers the right to opt out of sharing for online advertising purposes. It will be interesting to watch how these industries' practices evolve.

Special Rule for Children Under 16

Both the CCPA and the GDPR have specific requirements for processing the personal information of children under the age of 16, which involve obtaining the consent of a parent or guardian. However, the scope of the CCPA's provision is different from that of the GDPR and very narrow. Under the Act, a covered business shall not sell the personal information of a consumer if the business has actual knowledge that the consumer is less than 16 years of age, unless the sale of that personal information has been "affirmatively authorized". Similar to the Children's Online Privacy Protection Act (COPPA), businesses are required to obtain opt-in consent from a parent or guardian for children under the age of 13. The CCPA, unlike the GDPR, carves out a notable exception: a child between the ages of 13 and 16 may "affirmatively authorize" a business to sell their personal information without parental consent.

To comply with this provision of the CCPA, companies that sell personal data (such as data brokers and some advertisers) should put in place processes and technology that can detect whether they capture or infer the ages of children under 16. Next, they must decide whether to stop selling data from these consumers or to implement effective consent management and auditing processes to manage opt-in affirmative authorization for the sale of personal information. Advertisers, data brokers, gaming companies, social media companies, and any other business that sells personal information (which includes behavioral data and other derived data) will face hefty fines and lawsuits if they fail to put in place an appropriate consent mechanism for children under 16.

4. Right to Request Deletion: Similar to the GDPR's right to erasure, the CCPA provides a right to request that a business delete any personal information about a California resident that the business has collected from that individual. A business that receives a verifiable request from a California resident to delete their personal information must delete the individual's data from its records and direct any service providers to do the same. This right is subject to a number of exceptions, including, for example, completing a transaction with the individual, detecting security incidents or protecting against malicious, deceptive, fraudulent or illegal activity, complying with legal obligations, or using the data for other internal purposes that align with the individual's expectations based on their relationship with the business. However, there is no clear exception for data held in backups or disaster recovery storage, which will make compliance more complicated.

5. Right to Equal Service and Price (Non-Discrimination): Both the CCPA and the GDPR seek to prevent companies from requiring the processing of personal information as a condition of access to a service (i.e., "take it or leave it" or "pay for privacy"). However, the Act is far more specific about how this must be achieved. The GDPR requires that consent be freely given in order for it to be valid and for the processing to be fair, while the CCPA provides very detailed requirements around equal service and price.

In response to a consumer exercising his or her rights, the CCPA prohibits companies from: denying goods or services to the consumer; charging different prices or rates for goods or services; providing a different level or quality of goods or services to the consumer; or suggesting that the consumer will receive a different price or rate, or a different level or quality, of goods or services.

How Businesses Should Prepare

While the CCPA adds complexity for companies that conduct business in California, and despite the fact that there will likely be tweaks to the Act before the enforcement date, organizations should begin taking key steps towards compliance.

Broaden Data Governance Efforts to Include Personal Information

The CCPA's first-of-their-kind personal data rights in the U.S. (Right to Know, Right to Access, Right to Disclosure, Right to Opt Out and Right to Delete) will require organizations to map their data estate, identify all personal information (as opposed to the current standard of directly identifiable attributes), and clearly inventory the data by person and state of residence. Organizations that have already implemented GDPR requirements will be further ahead towards compliance than those that have not, given the similarity in requirements.

Effectively Manage Consent and Monitor Processing

To prove compliance with the CCPA and to strengthen consumer trust around unauthorized data sharing (awareness of which has been heightened by the Cambridge Analytica revelations), businesses should consider what controls they currently have in place to manage downstream uses of consumers' data, with the ability to monitor, manage, and assure that appropriate consents have been obtained and that uses of personal information are appropriate. Companies that leverage privacy technology can more easily avoid the accidental sharing or selling of personal information without permission, and thus the fines, lawsuits, and regulatory penalties associated with that misstep.