California Consumer Privacy Act (CCPA) - Status at the end of 2019 and comparison with the GDPR
Since in the federally organised USA the area of data protection is primarily the responsibility of the individual states, there is currently no law at national level comparable to the General Data Protection Regulation (GDPR) for the comprehensive regulation of data protection. In this respect, the state of California plays both an outsider and a pioneering role. With the "California Consumer Privacy Act" (CCPA), California's legislature has enacted a law that is intended to provide consumers with a level of data protection previously unknown in the USA. The law will come into force on January 1, 2020 (the text of the law can be downloaded here).
Apart from the fact that the CCPA originated in the home of various Silicon Valley giants, it is above all remarkable that the law was based on a citizens' initiative. This unmistakably reflects the interest of citizens in a functioning data protection system to control the handling of personal information. In contrast to earlier attempts to anchor data protection in the consciousness of companies and consumers in the USA, the Californian legislator was able to use the opportunity presented by the "Cambridge Analytica" scandal to establish consumer protection in spite of various critical voices.
Scope of the CCPA
The CCPA applies to all companies that process personal information of Californian consumers. The company does not have to be located in California. This means that not only American but also European companies can fall within the scope of the CCPA (the so-called marketplace principle), for example if they offer goods or services in California via the Internet. Indirectly, the law is also likely to apply to internet service providers (ISPs) who address the Californian market as their customer base. Companies are exempt from the application only if they collected the personal information at a time when the consumer was located outside California, no part of the sale or transfer of the personal information took place in California, and no personal information collected from the consumer at a time when the consumer was located in California was sold (Section 1798.145 (a) (6)).
The CCPA is only applicable to companies that reach at least one of the following thresholds (Section 1798.140 (c) (1) (A) – (C)):
- annual gross revenues in excess of twenty-five million dollars ($25,000,000);
- alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices;
- derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Under recent legislative amendments, Assembly Bill No. 25 (see here) of 11 October 2019 exempted from the application of the CCPA until 1 January 2021 personal data processed about an individual as an applicant, employee, owner, director, officer, medical employee or contractor of that entity, personal data collected and used solely for the purpose of maintaining emergency contact, and finally personal data collected and used solely for the administration of services to an individual's dependents.
Comparison GDPR and CCPA
In substance, the CCPA mainly concerns the consumer protection sector. The GDPR, on the other hand, contains comprehensive requirements with regard to compliance and correct implementation of data protection. For example, the CCPA does not contain any information on the appointment of a data protection officer.
A fundamental difference becomes clear when looking at the regulations governing the sale of personal data. While the GDPR regularly requires the consumer's express consent to the disclosure, under the CCPA an option to opt out is sufficient. Section 1798.135 (a) (1) stipulates that companies must display a clearly visible link on their website entitled "Do Not Sell My Personal Information", through which the consumer can prohibit the sale of his or her personal data. If children are consumers, stricter rules apply. Children between the ages of 13 and 16 must give their express consent. In the case of children under 12 years of age, the parent or guardian decides.
This has a particular impact on advertisers. In contrast to the GDPR, no cookie banner with the possibility of consent needs to be displayed on the website. However, since the CCPA also classifies cookies (first-party and third-party cookies) as personal data, consumers can now use the legally required opt-out option to prevent advertisers from displaying suitable product placements using tracking. This can lead to a significant reduction in advertising revenue for website operators. As a result, the quality of free offers could decline and/or "paywalls" could be used for financing.
The two laws are similar in terms of the definition of personal information. The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (Section 1798.140 (o) (1)).
The last part of the standard is particularly interesting, as it goes beyond the definition of the GDPR. This not only protects the individual consumer from misuse of his or her data, but also his or her family, for example, if they form a household and if it is possible to draw conclusions about the household from appliance data.
Section 1798.140 (o) (1) (A) - (K) lists, by way of example, categories of personal information: these include all commercial information relating to purchasing history and consumption trends, Internet or other electronic network activity such as browsing history and interactions with apps and websites, geolocation data, and inferences drawn from other personal information in order to create a consumer profile describing preferences, behaviour and characteristics.
In contrast to the GDPR, the CCPA stipulates in Section 1798.140 (o) (2) that generally accessible data held by public authorities are not covered by the scope of the CCPA. Also, unlike the GDPR (Art. 9 (1)), the CCPA does not provide for increased protection for sensitive categories of data, such as the political opinion or sexual orientation of individuals.
California consumer rights under CCPA
In addition to information requirements comparable to those of the GDPR, the CCPA includes rights of data subjects comparable to the level in the European Union. These include the right to access and obtain a copy of the "specific pieces" of data, the right to be forgotten, the right to non-discrimination and, last but not least, the above-mentioned right to opt out in order to prevent the sale of personal data to third parties.
1. Deletion – Section 1798.105
The CCPA grants the consumer a generous right to have his or her personal data deleted. In contrast to Art. 17 (1) lit. a) - f) GDPR, no statutory ground needs to be met for this. According to the CCPA, the consumer's request alone is sufficient. The company can only refuse if one of the reasons listed in Section 1798.105 (d) (1) - (9) applies, for example if the personal information is necessary to perform a contractual relationship.
2. Information Right – Section 1798.110, 1798.115
A company may be required by the consumer to disclose the categories and the specific pieces of personal information it has collected about that consumer. It is also essential to communicate the purpose of the collection as well as the categories of sources from which the data was collected. This is comparable with the right to data portability under Artt. 13, 14 GDPR.
3. Opt Out Right – Section 1798.120
As mentioned above, unlike the GDPR, the CCPA does not require the express consent of the consumer. However, consumers have the right to prevent the sale or disclosure of their personal information. As a matter of principle, disclosure is only possible with express consent. If a consumer decides to opt out, the company must respect this and, pursuant to Section 1798.135 (a) (5), may only attempt to obtain consent again after twelve months.
4. Antidiscrimination – Section 1798.125
The CCPA expressly states that consumers must not be discriminated against by businesses because they make use of the rights conferred on them by the CCPA. In this respect, the CCPA is identical to the GDPR, which also prohibits companies from discriminating against consumers who wish to assert their rights.
5. Right of Data Portability – Section 1798.130
The right to data portability ensures that, upon request, the data subject shall receive the data which he or she has supplied to a company in a portable and, where technically feasible, easily usable format in order to be able to communicate that information freely to other companies. The company must comply with this within 25 days free of charge. In contrast to the GDPR, where it is not explicitly regulated what time frame the right to information from Art. 15 GDPR covers (see article), the right to information of the CCPA according to Section 1798.130 (a) (2) only applies to the last twelve months.
6. Right of Action – Section 1798.150 (a) (1)
In order to enforce these rights, consumers have a right of action in California. A private individual can only take legal action against a company if nonencrypted and nonredacted personal data has been unlawfully circulated and the company has failed to meet its obligation to provide an adequate level of security. In all other cases, only the Attorney General has the authority to bring an action. The GDPR, on the other hand, allows affected parties to take legal action against any infringement of their rights in accordance with Art. 79 GDPR.
Obligations for companies
Companies are encouraged to take appropriate measures to implement the CCPA. The focus here is on adapting the privacy policy. Companies have a duty to inform consumers of the categories of personal information that are collected and stored. Consumers must also be informed of their rights under the CCPA.
Although the CCPA does not provide for commissioned data processing in the way the GDPR does, Section 1798.140 (v) regulates so-called "service providers", i.e. processors who provide services on behalf of a business. Although the requirements are not as extensive as those of Art. 28 GDPR, the two are similar in that the personal data may not be used for any purpose other than the agreed purpose:
“Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
This passage must be included in the contract concluded with the service provider. Although the CCPA does not prescribe a detailed list of technical and organisational measures comparable to Artt. 28, 32 GDPR, Section 1798.150 (a) (1) states that "Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:". In other words, a company is subject to criminal sanctions if unencrypted and nonredacted personal data has been unlawfully circulated and the company has not fulfilled its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information in order to protect the personal information.
Consequences of violations of the law
Violations in the form of an intentional breach of the CCPA's data protection obligations will result in a penalty of USD 7,500.00. A penalty can only be avoided if the company meets the consumer's demands within 30 days. In the event of a negligent breach, a penalty payment of USD 2,500.00 is due. In addition, statutory damages of USD 100.00 to USD 750.00 per inhabitant and incident are also standardised, should companies become victims of data theft or other forms of data loss due to inadequate data security. In the case of larger companies with a large number of customers, data breaches can quickly add up to millions of dollars - without taking reputational damage into account.
The CCPA is expected to bring about a significant improvement in the rights and freedoms of California consumers. The CCPA will give California citizens the opportunity to freely choose how their personal information is handled. If there is a desire to delete the data or prevent the sale of the data, the citizen is entitled to exercise the rights arising from the CCPA. Consistent application of the CCPA can create confidence among consumers, possibly with the effect that they will be more willing to give out personal data in the future if they can use high-quality services in return.
However, the CCPA is also subject to criticism – Californian Internet companies see their ability to act as limited and the California business location as being at risk. They do not want to see the danger and the consequences of data misuse. In their opinion, California's ability to act in its role as a business location could possibly be impaired. These companies are calling for a corresponding amendment to the law that prevents the aforementioned concerns from arising.
There are also data protection concerns. In contrast to European Union law, the CCPA does not set out any provisions comparable to Articles 44 et seq. GDPR. This means that the transfer of personal data from California to the EU – unlike from the EU to the USA – is not subject to any special legal requirements. Without an "adequate level of protection" within the meaning of the GDPR, data transfers from the EU to California will for the time being not enjoy privileged treatment.
It is therefore incumbent on the US government to develop a data protection system at the federal level as well, which may well be based on the CCPA as a central model, but which at the same time also meets the strict requirements of the GDPR with regard to the exchange of personal data of EU citizens with the USA.
This would be desirable, since the EU-US Privacy Shield, the successor agreement to the Safe Harbour Agreement that was declared invalid by the European Court of Justice, is now itself being reviewed by the European Court of Justice and it is uncertain how the Court will decide, even though the Advocate General raised no objections in his opinion of 19 December 2019.