AS CALIFORNIA LEADS THE US IN IMPLEMENTING ITS OWN VERSION OF THE GDPR, WE EXPLAIN HOW THE TWO ACTS DIFFER AND WHAT INTERNATIONAL COMPANIES SHOULD KNOW.
Over a year has passed since the General Data Protection Regulation (GDPR) saw the EU hand back control of personal data to consumers. For international businesses, the initial scramble of frantic preparation has gradually given way to greater clarity around the day-to-day implications and implementation of the new rules, and around how to maintain, and provide evidence of, the processes now built into everyday operations.
Long before our 2018 deadline, California had already announced its own version of the regulation, known as the California Consumer Privacy Act (CCPA). Its own implementation date of 1 January 2020 now looms, and with less than 3 months to go, it’s crucial to understand how this new state law will impact businesses on both sides of the Atlantic.
Not only is it considered the strictest data protection law in US history, it is expected to set a precedent for similar acts across other states in coming years.
WILL MY COMPANY BE AFFECTED BY THE CCPA?
Regardless of where in the world you are based, if you have a profit-making business with customers or employees in California – and you hold their personal data – then the answer is yes, as long as you meet one of the following criteria:
- Have a gross annual revenue totalling over $25 million.
- Hold the data of more than 50,000 California residents.
- Derive more than half of annual revenues from selling California residents’ personal data.
EXEMPTIONS FROM THE CCPA?
Although the CCPA contains a number of broad requirements, there are certain exceptions to its application that should be noted. Specifically, the obligations imposed by the CCPA do not restrict a Business’ ability to:
- comply with federal, state or local laws;
- comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state or local authorities;
- cooperate with law enforcement agencies concerning conduct or activity that the business, service provider or third party reasonably and in good faith believes may violate federal, state or local law;
- exercise or defend legal claims;
- collect, use, retain, sell or disclose consumer information that is deidentified or aggregate consumer information (see above for how “deidentified” and “aggregate consumer information” are defined); or
- collect or sell a consumer’s Personal Information if every aspect of that commercial conduct takes place wholly outside of California.
A Business also does not need to honour a request to disclose information collected or sold where it would violate an evidentiary privilege under California law. A Business can also provide the Personal Information of a Consumer to a person covered by an evidentiary privilege under California law, as part of a privileged communication.
Additionally, the CCPA does not apply to:
- medical information governed by the California Confidentiality of Medical Information Act (CMIA), or protected health information collected by a covered entity or business associate governed by the privacy, security and breach notification rules established pursuant to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH);
- a provider of health care governed by the CMIA or a covered entity governed by HIPAA, to the extent the provider or covered entity maintains patient information in the same manner as it protects medical information or protected health information under HIPAA and HITECH;
WHAT DOES ‘SELLING’ PERSONAL DATA MEAN?
Selling is defined as disclosing, disseminating, making available or transferring personal data. In its broadest terms, personal data as defined under the GDPR is any information via which a living individual could be identified.
WHAT ARE THE DIFFERENCES BETWEEN THE GDPR AND THE CCPA?
The CCPA is far from a direct copy of the GDPR – the two differ fundamentally in a number of ways:
OPTING IN VS. OPTING OUT
The GDPR operates on an opt-in basis, where companies must actively request permission from consumers to retain and use their data. Under the CCPA, not only can any of California’s 40 million residents expressly forbid the sale of their personal data, but they can ask a particular company to disclose how their data is being used. That company then has 45 days to produce a report detailing usage of the person’s data over the last twelve months.
PENALTIES FOR BREACHING THE CCPA
Fines differ from the GDPR in not just size but structure. The highest tier of GDPR fine sees companies pay €20 million or 4% of global annual turnover, whichever is greater. Businesses in breach of the CCPA will pay a civil penalty of up to $2500 per violation, or $7500 per intentional violation. Individual consumers may also bring a civil action of $100 to $750 or actual damages, whichever is greater.
COMPANIES IMPACTED BY THE CCPA
As outlined above, only for-profit companies doing business in California and satisfying certain criteria are regulated under the CCPA. The GDPR, on the other hand, applies to organisations of any size, profit-making or not, that process personal data of EU citizens.
THE NEED FOR ONGOING REVIEW
While the GDPR continues to shape new and existing company policies, much of last year’s flurry of activity centred on a single deadline. The CCPA demands immediate action, but also continuous monitoring long after New Year’s Day 2020. Companies will need to track personal data usage on a year-round basis so that the twelve-month record can be provided on request – effectively meaning that data from 1 January 2019 should now be readily available.
Companies will also have to engage in data mapping in order to be able to delete consumer data on request, and continuously evolve their privacy policies according to what personal data they are selling.
WHAT RIGHTS DO CONSUMERS HAVE UNDER THE CCPA?
California residents can, once verified, request that a business:
- Discloses what categories and specific pieces of their personal data it has.
- Discloses the categories of sources from which their data was collected.
- Discloses the purpose for which it has collected or sold their data.
- Discloses the categories of third parties with whom it has shared their data.
- Deletes their personal data in its entirety (subject to certain exceptions).
- Does not sell their data (by clicking a “do not sell” opt-out).
The legal requirement to act within 45 days applies to all of these requests.
HOW CAN MY COMPANY COMPLY WITH THE CCPA?
The main ways to comply with the CCPA are, as outlined above, the disclosure and deletion of data upon request. Companies must also obtain the express authorisation of consumers under 16 before selling their data (for consumers under 13, consent must be obtained from their parents).
In addition to this, however, companies must update their privacy policies to include:
- A full description of California consumers’ rights under the CCPA.
- The categories of all personal data collected and sold by the business in the last twelve months.
- The business purposes for which all data is collected.
- The categories of third parties with whom all data is shared.
- A clear link to the “do not sell” opt-out tool.
- Any financial incentives, such as discounts, offered to consumers for permitting the collection or sale of their data.
- At least two methods for submitting disclosure or deletion requests, including a phone number and email address.
WHAT ARE THE CONSEQUENCES OF FAILING TO COMPLY WITH THE CCPA?
As with the GDPR, it’s well worth making sure your business is fully compliant, as the consequences of breaching the CCPA go far beyond the strictly enforced financial penalties. Companies may face further legal action, significant reputational damage and erosion of trust in their business as a direct result of non-compliance.
Interested in learning more? Contact us today and we will be very happy to discuss your options.