Just as many US businesses were scrambling to meet GDPR compliance, California quickly passed a broad new privacy act, giving businesses another privacy compliance headache. We’ve previously blogged on the dramatic history behind the eleventh-hour passage of the California Consumer Privacy Act (CCPA), so we won’t rehash that story here.  Instead, the focus of this post will be on the overlap between the CCPA and the GDPR. 

It’s not quite right to call the CCPA a “mini-GDPR,” as some news reports have dubbed the Act. The GDPR contains 99 Articles, 173 recitals and is over 100 pages long whereas the CCPA is 16 pages long (on my printer).  Substantively the GDPR contains many provisions that are absent from the CCPA, including: requirements for lawful processing; data and storage limitations; provisions for the appointment of data protection officers, local representatives, and performing a  data protection impact analysis; specific requirements for data processors (service providers under the CCPA), business process mapping and documentation generally, and a draconian civil penalty structure.

That being said, there is some overlap between the two privacy laws, particularly regarding disclosure requirements and subject access rights. Understanding these areas of overlap is important for US companies wondering what they should be doing over the next year and five months to prepare for the launch of the CCPA in January 2020.  Leveraging a company’s compliance process may be Step 1

We begin the analysis by noting overlap between the definition of key terms under the GDPR and CCPA. As you see below, both laws broadly define key concepts in very similar ways.

Term CCPA GDPR
Personal Information Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Very similar to GDPR.

CCPA expands definition to include “households” which are not specifically called out by GDPR. Both CCPA and GDPR cover unique identifiers such as IP address and mobile device identifiers.

 
Processing Any operation or set of operations that are performed on personal data or on sets of personal data

 

 Similarly broad under GDPR.
De-identified Information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked directly  or indirectly to a particular consumer  provided that a business that used de-identified information has implemented technical safeguards to prohibit re-identification, and implements processes to prevent inadvertent release of de-identified information.

 

 Similar to concept of “anonymization” under GDPR.     One difference is that CCPA uses “reasonably” as a qualifier, where no such limitation exists in WP29 Guidelines.
Consumer A natural person who is a California resident. GDPR speaks in terms of “data subjects”, who are identifiable individuals.

 
Business Only applies to for-profit entities; doing business in California; that satisfy one of three (3) requirements:

  • Annual gross revenues in excess of $25 mm;
  • Buys, receives, sells or shares for commercial purposes PI of 50,000 or more consumers, households, or devices; or
  • Derives 50% or more of its annual revenues from sale of personal information.
 Applies to for profit and non-profit enterprises. Some relaxation of obligations where an enterprise has less than 300 employees in the EU.

There are some important differences between the laws though. For one, the CCPA has an express carve-out for “public information” that doesn’t appear in the GDPR, though the exception is applicable only if using the public information for the same purpose for which it was collected.  And while both laws provide exceptions for aggregate or deidentified data, the definition of deidentification under the CCPA contains the word “reasonably”, making it arguably broader than the GDPR, which treats any data that could be re-identified – no matter how remote the risk  – as personal information.

Still, one can reasonably assume that the same processing of the same personal information will likely trigger compliance obligations under both laws. So where do those obligations overlap? Primarily in two areas: disclosure and subject access rights.

With regard to the former, both laws follow the principle that consumers/data subjects have a right to know what personal data a business is processing about them at or before the time the data is collected. The CCPA has a specific requirement for website disclosures that address processing of personal information.  Both laws also require specific disclosures concerning the sale or sharing of personal information with third parties.   The chart below provides a side by side comparison of these obligations.

CCPA GDPR
Businesses must disclose categories of PI collected and the purposes for which the PI shall be used at or before the point of collection. (1798.100(b))

Online privacy policy or website must advise consumers of subject access rights and identify for prior 12 months:

  • The categories of PI collected about the consumer;
  • The categories of sources of such PI;
  • Purpose for collection or sale of PI;
  • Categories of third parties that the business shares PI with (1798.110(c) and 1798.130(5))
 Similar disclosure obligations under Articles 13 and 14, except that a lawful basis, cross-border transfer, and retention period does not have to be identified under CCPA.

California limits disclosure requirements to preceding 12 month period (1798.130(a)(2)), whereas GDPR has no time limits.

The next area of overlap is subject access rights. Notably the CCPA, like the GDPR, provides a right of access and right of erasure to consumers.  The CCPA however does not provide a right of rectification or broad right of objection as the GDPR does.

On the flip side, the CCPA provides consumers with an explicit opt-out right for the sale of personal information. Under the GDPR, data subjects can opt out of data selling if a business relied on consent as a lawful basis (as they liked would need to do) and could object to the practice, under certain circumstances, but don’t have an explicit right to opt-out of the selling of their personal information,

Right CCPA GDPR
Right of Access/Portability

 

 

 

 

 

 

 

 Consumers have a right to request that businesses disclose, in portable electronic format, for prior 12 month period:

  • The categories of PI collected about the consumer;
  • The categories of sources of such PI;
  • Purpose for collection or sale of PI;
  • Categories of third parties that the business shares PI with;
  • and specific pieces of PI the business has collected.
 Similar obligations under Article 15 and 20 except that:

California requires response within 45 days, whereas GDPR requires response without undue delay. California only requires disclosure covering prior 12 month period.
Right of Erasure Consumers have a right to request a business delete PI collected about them.   Exceptions exist for, among others:

  • Fulfillment of a contract with the consumer;
  • Data security;
  • Repair errors;
  • Scientific and statistical research in public interest;
  • Solely internal uses reasonably aligned with expectation of consumers;
  • Compliance with legal obligations;
  • Otherwise use consumers’ PI internally in a lawful manner. (1798.105).
 Similar obligations and exceptions under Article 16 except that:

 

California (seemingly) requires response within 45 days (1798(a)(2)), whereas GDPR requires response without undue delay.

 

 
Sale or Sharing of Consumer PI Consumers have the right to request that a business that sells or discloses PI for a business reason disclose to the consumer for the prior 12 month period:

  • Categories of PI that the business collected about the consumer;
  • Categories of PI about consumer sold or shared for a business reason;
  • Categories of third parties to whom the business sold or shared PI about the consumer for a business reason. (1798.115 and 1798.130(4) and 130(5)(C)).
 Similar obligation under Article 15(c), which provides a right of access to categories of PI that will be shared with third parties, except that:

California requires response within 45 days (1798.130(a)(2)), whereas GDPR requires response without undue delay. California only requires disclosure covering prior 12 month period (1798.130(4) and (5)(C)).
Opt Out Rights Consumers have the right to opt out from the sale of PI. (1798.120). Businesses must disclose opt-out rights in online privacy policy, and provide mechanism to opt out on homepage and via online privacy policy (1798.135(a)). Under GDPR, sale of PI likely requires consent (opt in) which data subjects can revoke  at any time (Art.6).  Data subjects can also object to processing based on legitimate interests, direct marketing, and automated decision making (all of which are subject to some exceptions)(Art. 21-22).

The CCPA is likely to be amended, at a minimum, to address the drafting errors. There are numerous provisions in the Act that are superfluous, appear to be missing words, or contradict other provisions, creating inconsistent and unclear obligations for businesses.

Assuming there are no significant amendments to the CCPA’s substantive requirements, however, companies that do business in California will need to consider how to address the Act’s disclosure requirements and accommodate subject access rights. One obvious approach is for such businesses to leverage any GDPR compliance work they have done to date.  Revising online privacy policies, data mapping, developing a process for addressing subject access requests, and revising agreements with service providers are all projects typically needed to reach GDPR compliance.  Businesses covered by the CCPA as well as the GDPR may be able to utilize work done for the latter to reach compliance with the former.  Compliance with the GDPR however does not ensure compliance with the CCPA.