In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you work toward compliance and help you focus your efforts. In this installment, Lydia De La Torre, CIPP/US, compares the new California Consumer Privacy Act 2018 to the GDPR.
We all found out the results of the World Cup July 15, but there is a different matchup in the data protection world, the results of which will remain unknown until 2020: the EU General Data Protection Regulation and the California Consumer Privacy Act 2018.
Most data protection professionals would agree that the GDPR sets the global “gold standard” for data protection and has forced companies across the globe to significantly update their data practices and ramp up their compliance programs. Many would likely dispute whether the CaCPA deserves to be placed at the same level; honestly, it may be too early to tell. As the first U.S. attempt at a comprehensive data protection law, the CaCPA has the potential to become as consequential as the GDPR. After all, California is the fifth largest economy in the world, the home of many technology titans, and traditionally a trend-setting state for data protection and privacy in the U.S.
Although the CaCPA incorporates some concepts that data protection professionals are familiar with, it is not modeled after the GDPR. Thus, compliance with the GDPR does not equate to compliance with the CaCPA. This article compares the scope and main features of both laws.
The territorial scope of both the CaCPA and the GDPR extends well beyond the physical borders of their respective jurisdictions.
Under the GDPR, entities established in the EU are subject to the GDPR for all their processing activities (Article 3(1)). Entities that are not established in the EU but offer goods or services to, or monitor the behavior of, individuals within the EU are subject to the GDPR only to the extent they process the personal data of those individuals (Article 3(2)).
The CaCPA applies to certain controllers that “do business in the State of California” regardless of where they are located but only to the extent that they process data of California residents. In other words, the “do business in California” test is the CaCPA equivalent to the GDPR’s “activities of an establishment,” but it only subjects entities to the CaCPA to the extent they process data of California residents. There is an exception in the CaCPA for conduct that takes place wholly outside of California but it is very narrow. Controllers that do not “do business in California” are outside of the scope of the CaCPA, even if they monitor the behavior of residents, so long as such monitoring cannot be considered “doing business in California.” Processors that provide services to controllers subject to the CaCPA are subject to the CaCPA themselves but their obligations are limited.
Although both the GDPR and the CaCPA regulate the handling of personal information, there are significant differences in terms of material scope.
For starters, unlike most (if not all) data protection laws around the world, the CaCPA does not expressly limit its applicability to automated processing of data. It is possible, however, that the legislature will add this requirement or that courts will read it into the statute.
The GDPR is built on three roles: controller, processor and data subject. The distinction between controller and processor is based on a factual determination. Any entity that de facto “determines the purposes and means of the processing” of personal data takes the role of controller as to that data, and any entity that processes personal data on behalf of a controller takes the role of processor as to that processing. Controllers take on the bulk of data protection responsibilities under the GDPR, but many requirements apply to processors as well.
Under the CaCPA there are four concepts: “businesses,” “service providers,” “third parties” and “consumers.” Consumers are California residents and they have rights under the CaCPA vis-a-vis organizations that hold their data — whether they have a direct relationship with them or not.
Most of the CaCPA obligations apply only to “businesses,” which are for-profit controllers (see the reference to an entity that “alone, or jointly with others, determines the purposes and means of the processing” in Sec. 1798.140(c) of the California Civil Code) that meet at least one of three thresholds: annual gross revenue over $25M; buying, selling, receiving or sharing for “commercial purposes” the personal data of 50,000 or more California residents (or households or devices); or deriving 50 percent or more of annual revenue from “selling” personal data of California residents. Once an entity in a corporate group qualifies as a “business,” parent companies and subsidiaries that share common branding with it may automatically qualify as well, even if they do not meet the thresholds themselves or act as controllers.
A “service provider” is a processor to a “business” that receives the data for “business purposes” under a written contract containing certain provisions. Only for-profit entities can be “service providers” under the current drafting of the CaCPA.
“Third parties” are entities other than "businesses" or “service providers” and they are only subject to the CaCPA to the extent that they receive data from a “business.”
To summarize, if we were to translate the CaCPA into GDPR jargon: a “consumer” is a data subject; a “business” is a controller that meets certain requirements, together with some entities in the controller’s corporate group; a “service provider” is a processor for a “business” that meets certain requirements; and a “third party” is any entity that is neither a “business” nor a “service provider.”
Another definitional difference concerns “personal data.” The definition of personal data is expansive in the CaCPA. The CaCPA states that personal data “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” and then provides a long list of examples of specific pieces of information that are to be considered personal data — including not only IP addresses, cookies, beacons and pixel tags that can be used to recognize a data subject but also things like “probabilistic identifiers” and “gait patterns.” This definition is potentially broader than the definition of personal data under the GDPR.
Data processing principles
One of the most striking differences between the CaCPA and the GDPR is that the CaCPA does not contain data processing principles and, in fact, imposes few restrictions on what a “business” can do internally with personal data. However, the CaCPA authorizes the California Attorney General to issue guidance on the law. It would make sense for that guidance to articulate the CaCPA data protection principles, but we will have to wait and see.
The GDPR, like the 1995 Data Protection Directive, sets the rule that processing personal data is unlawful unless the processing can be justified under one of six lawful bases (Article 6). The CaCPA does not contain any similar provision; the general rule is that processing is allowed. It does, however, allow California residents to opt out of certain types of processing (what the CaCPA defines as a “sale”).
Data subject rights
The GDPR contains the traditional rights of access, rectification, erasure and objection, which are a common feature of most comprehensive data protection frameworks around the world. It also includes additional rights such as the right to restrict processing, the right to data portability and the so-called “right to an explanation” of automated decisions.
The CaCPA confers six rights on California residents. The first one, the right to access personal data, is very similar to the access right under the GDPR, but the others are not. For example, the CaCPA contains a right to delete (erase) data, but it only applies to data that a “business” collected “from” the California resident exercising the right. What exactly that means is not clear at this point, but we can anticipate a debate over whether data collected by CCTV cameras or data scraped from online public profiles is subject to the CaCPA's erasure right. One thing we can know for sure is that the CaCPA would not support a case like Spain's Costeja case, because Google did not collect the now famous (or infamous) newspaper bankruptcy report from Mr. Costeja but from a third party. One final point: The exceptions to the right to erase under the CaCPA are also very different from the grounds that justify erasure and the balancing tests built into the GDPR and will require separate analysis.
The CaCPA contains two rights to know: The right to know what information has been collected, and the right to know what information has been shared. These rights are fairly prescriptive; however, the current version of the CaCPA contains contradictions that make providing a clear interpretation of exactly what will have to be disclosed impossible. What seems clear is that businesses will have to evaluate their practices to identify what sharing is to be considered for “business purposes” and what sharing is to be considered for “commercial purposes” under the CaCPA, as those two purposes will need to be separately disclosed.
As opposed to the GDPR, the CaCPA allows businesses to “sell” personal data but gives individuals the right to opt out of (or, in the case of minors under 16, the option to opt in to) the selling of their data (referred to as "the right to say no"). In GDPR terms, this right would be a limited version of the right to restrict processing under Article 18. The definition of a “sale” is not clear; it refers to transfers to “third parties” or “other businesses” for “monetary or other valuable consideration,” and guidance from the California attorney general on this point is expected.
As with the GDPR, the CaCPA does not allow for discrimination against individuals who exercise their rights under the act. The CaCPA expressly allows financial incentives so long as they are not “unjust, unreasonable, coercive, or usurious in nature.” The CaCPA's provisions on discrimination are unclear and somewhat contradictory. For example, the CaCPA states specifically that businesses are not prohibited from “charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer if that difference is reasonably related to the value provided to the consumer by the consumer’s data.” It is unclear exactly what “the value provided to the consumer by the consumer’s data” is supposed to mean.
Similar to the GDPR, the CaCPA assigns responsibility for enforcement to a governmental authority: the California Attorney General’s Office. Civil penalties can be significant under the CaCPA, as they may reach up to $2,500 per violation and up to $7,500 per intentional violation, with no overall cap. We will have to wait and see whether the attorney general will pursue a hard-line approach to enforcement or a moderate one; since the attorney general is an elected position, we can anticipate that the approach will be somewhat dependent on the political winds at the time.
As opposed to the GDPR, the CaCPA does not create a private right of action except for data breaches. Specifically, the CaCPA allows any consumer whose “nonencrypted or nonredacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information” to sue to recover statutory damages between $100 and $750 per consumer per incident or actual damages, whichever is greater, and obtain other forms of relief. Service providers are not exposed to the private cause of action as it only applies to “businesses.” The plaintiff’s bar likely has high hopes for this provision. Companies that suffer a breach will see litigation on the basis of the CaCPA and face significant potential exposure in terms of damages awards (think “TCPA-plus”).
The private cause of action has many requirements, the most important being that potential plaintiffs must first notify the attorney general of their desire to sue, and they cannot proceed with their lawsuits if the attorney general prosecutes within six months. There is debate about the legality of these requirements, and we will likely see it challenged in court by the plaintiff’s bar.
In short, the CaCPA is the first overarching U.S. data protection law but it is significantly different from other data protection laws like the GDPR. It will require companies doing business in California to invest in compliance. Nobody should assume that being GDPR compliant makes them CaCPA compliant.
| | CaCPA | GDPR |
|---|---|---|
| Personal data | Any data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” A “consumer” is a California resident. The definition is developed through examples, exclusions and cross-references to other laws. Data subject to HIPAA is exempted from the CaCPA, but data subject to the FCRA and GLBA is excluded only to the extent those statutes conflict with the CaCPA. | Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1)). |
| Data subject | A “consumer”: a California resident as defined under California tax law. | An identified or identifiable natural person. |
| Controller | A “business”: a for-profit controller that meets at least one of the following thresholds: annual gross revenue over $25M; buys, sells, receives or shares for “commercial purposes” the personal data of 50,000 or more California residents (or households or devices); or derives 50 percent or more of its annual revenue from “selling” personal data of California residents. If a controller qualifies under the thresholds, parent companies and subsidiaries in the same corporate group operating under the same brand also qualify. | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or member state law, the controller or the specific criteria for its nomination may be provided for by Union or member state law (Article 4(7)). |
| Processor | A “service provider”: a for-profit entity that acts as a processor to a “business” and receives the data for “business purposes” under a written contract containing certain provisions. In addition, the CaCPA uses the term “third party” for entities that are neither businesses nor service providers. | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8)). The GDPR also defines "third party": a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data (Article 4(10)). |
| Sensitive data | There is no category of sensitive data under the CaCPA. | Article 9: processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation is prohibited unless one of the exceptions in Article 9(2) applies. |
| Transfer of personal data to third countries or international organizations | Cross-border data transfers are not restricted. All transfers to “service providers” require a written agreement containing certain provisions (the CaCPA equivalent of Article 28 of the GDPR). | Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization shall take place only if the conditions laid down in Articles 44 to 50 are complied with by the controller and processor, so that the level of protection of natural persons guaranteed by the GDPR is not undermined. Transfers may rest on an adequacy decision or on appropriate safeguards such as BCRs or standard contractual clauses or, for EU-U.S. transfers, the Privacy Shield. |
| Data portability | Limited recognition. Cal. Civ. Code Sec. 1798.100 provides that data subjects who exercise their right to access must receive the data “by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance.” There is a related and somewhat contradictory provision under Cal. Civ. Code Sec. 1798.130(a)(2). | Article 20: the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. |
| Penalties | No private right of action for most provisions; the California AG takes the role of the DPA and may impose civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation, with no maximum cap. Violators may avoid prosecution by curing alleged violations within 30 days of notification. For certain data breaches there is a private right of action with statutory damages set between $100 and $750 per data subject per incident, with a requirement to notify the AG before filing a lawsuit and to refrain from pursuing the action if the AG's office prosecutes within six months of the notification. | Article 83: up to EUR 10,000,000 or, in the case of an undertaking, up to 2 percent of total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the obligations of controllers and processors, certification bodies and monitoring bodies; up to EUR 20,000,000 or, in the case of an undertaking, up to 4 percent of total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the basic principles for processing, the conditions for consent, data subjects’ rights, transfers outside the EU, etc. Under Article 84, each member state may lay down rules on other penalties applicable to infringements of the GDPR, in particular infringements not subject to Article 83, and take all measures necessary to ensure they are implemented. |