CALIFORNIA’S CONSUMER PRIVACY ACT IS BEING HAILED AS THE AMERICAN VERSION OF THE GDPR, BUT IS THAT ACCURATE?

Written by Victorianne C. Musonza, Esq, CISA, CAMS, CIPP, CIPM, FIP

I. INTRODUCTION
By the close of 2018, all fifty U.S. states had data breach notification laws[1] on the books. California was the first to pass a data breach notification law in 2003;[2] New York was not far behind, passing a data breach notification law[3] that was signed into law on August 10, 2005. New York has always taken a more proactive approach to privacy, with several privacy statutes covering information security,[4] employee privacy,[5] wiretapping,[6] eavesdropping,[7] and the confidentiality of HIV-related records.[8] Additionally, last year the New York legislature passed a cybersecurity law that imposes additional requirements on businesses regulated by the Department of Financial Services. In addition to federal statutes, New York businesses that do business in certain parts of Europe[9] or in California, provide services to residents of these areas, or meet certain other criteria will have yet more statutes to comply with.

II. BACKGROUND
In June of 2018, the California Legislature narrowly passed the California Consumer Privacy Act (CCPA)[10] as an amendment to California’s general privacy law, the California Security Breach Information Act (SB-1386).[11] The CCPA becomes effective in January 2020. The act applies to the protection of the personal information of California residents and to the duties of businesses that store, use and maintain the personal information of state residents. This amendment came about for a number of reasons: consumer mistrust, a series of recent large data breaches, and an international movement for individual data protection.

This year, data protection took center stage, backed by heavy legislation. A number of important data protection and privacy laws were passed, became effective, or were updated. For example:

·       China’s Cybersecurity Law[12] was passed in 2015 and went into effect in 2017;
·       The EU General Data Protection Regulation[13] (GDPR) became effective on May 25, 2018, replacing the 1996 EU Directive;[14]
·       This year the two final U.S. states, Alabama[15] and South Dakota,[16] passed data protection laws; and
·       Vietnam’s Cybersecurity Law[17] was passed in June of this year.

Let’s delve a little deeper into California’s history of individual data protection and privacy. First, California’s state constitution provides for the right of privacy.[18] Second, California was the first state to pass a state data protection law in 2002. It appears that recent large data breaches were a source of inspiration for the amendment. Incidents include the Facebook/Cambridge Analytica scandal and the Equifax, Target, Anthem, and Sony data breaches, among others.

I will go through the most notable sections of the CCPA, discuss the purpose of the bill, outline key additions and changes, and, finally, draw parallels and distinctions to the General Data Protection Regulation (GDPR).

II. WHAT THE BILL COVERS
Similar to the original act, the CCPA provides for the confidentiality of personal data and requires a business or individual who experiences a breach of security of computerized data, including personal information as defined below, to disclose that breach to individuals and the Attorney General under certain circumstances.

“Personal information”[19] is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular consumer or household.” Personal information includes, but is not limited to, the following:
·       Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or similar identifiers.
·       Any categories of personal information described in subdivision (e) of Section 1798.80.
·       Characteristics of protected classifications under California or federal law.
·       Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.
·       Biometric information.
·       Internet or other electronic network activity information, including but not limited to browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
·       Geolocation data.
·       Audio, electronic, visual, thermal, olfactory, or similar information.
·       Professional or employment-related information.
·       Education information that is not publicly available and is personally identifiable, as defined in the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99).
·       Inferences drawn from any of the information identified in this subdivision to create a profile reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behaviors, attitudes, intelligence, abilities, and/or aptitude.

The CCPA excludes the following from the definition of personal information:
·       Publicly available information.[20]
·       Health information as defined by the Health Insurance Portability and Accountability Act (HIPAA).[21]
·       Sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report under the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).[22]

The term for personal information under the GDPR is “personal data.” The meaning of “personal data” under the GDPR is much broader than personal information as defined by the CCPA. “Personal data” is defined as “...any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”[23]

III. WHO MUST COMPLY
Compliance with the CCPA is restricted to businesses that meet certain criteria. A business[24] is defined as “a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for profit or financial gain that collects consumers’ personal information, determines the purposes and means of the processing of consumers’ personal information” and meets one or more of the following conditions:
·       Has annual gross revenues in excess of $25,000,000.
·       Buys, receives, and/or sells the personal information of 50,000 or more consumers.
·       Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

IV. KEY FACTORS OF THE LAW

a. Safe Harbor
Under the CCPA, encryption and/or redaction are treated as safe harbors in the event of unauthorized disclosure.[25] Therefore, where the data is encrypted or redacted and unauthorized access or disclosure occurs, notification is not required.

b. Risk of Harm
Additionally, the new bill adds a risk of harm analysis. Unauthorized disclosure of personal information and loss of privacy can have devastating effects on individuals, ranging from financial fraud, identity theft, and unnecessary costs in personal time and finances to the destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm. The risk of harm to the individual is an additional factor used to determine whether an unauthorized disclosure rises to the level of a breach and requires notice to individuals and DPAs.[26]

c. Data Brokers
The practice of selling and/or purchasing personal data is often referred to as data brokering. The CCPA now defines the sale of such data and places obligations on businesses that engage in the business of selling personal data. The statute defines “sell,” “selling,” “sale,” or “sold” as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by a business to another business or third party for monetary or other valuable consideration.[27] Consumers now have the right to request that a business selling personal information disclose the categories of personal information it collects and the categories it sells or discloses, as well as the identity of the third parties to whom the information was sold or disclosed.[28] Additionally, a third party cannot sell personal information about a consumer unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out.[29]

V. CONCEPTS INTRODUCED BY THE GDPR
In addition, the bill introduces some new concepts borrowed from the GDPR.

a. Lawful Basis
Businesses now need to have a business purpose for the collection and processing of personal information. This use must be compatible with the business purpose for which the personal information was collected.[30]

b. Pseudonymization
Pseudonymization refers to the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer.[31] Rather than redacting or encrypting information, identifiable traits are removed from the personal information.

Pseudonymization reduces risk to individuals and provides businesses with the means to sell, disclose, and change the uses of collected data without the need to provide notice to individuals or the option for them to opt-out.

c. Subject Access Requests
Individuals can make requests to obtain copies of their personal information that a business collects, stores, uses, discloses and/or sells. Individuals will receive this free of charge, up to twice a year.[32] After verifying the identity of an individual, businesses have 45 days to respond to any subject access request, but this period may be extended by an additional 45 days (up to 90 days).[33]

d. Data Portability
Upon the verified request of an individual, businesses are now required to ensure that personal information can be delivered to individuals in a portable format, to the extent technically feasible, in a readily useable form that allows the consumer to transmit this information to another entity without hindrance.[34]

e. Transparency Principle
Businesses are now required to notify individuals of their intent to sell their personal information in a conspicuous manner.[35] Businesses must inform individuals “as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” A business cannot collect additional categories of personal information or use the personal information collected for additional purposes without providing the consumer with notice.[36]

f. Right to be Forgotten / Erasure
Under the CCPA, a consumer shall have the right to request that a business delete any personal information which the business has collected from the consumer. A business that receives a verifiable request from an individual to delete their personal information must delete the information and direct any service providers to delete the consumer’s personal information from their records.[37]

There are some limitations to this right, where a business cannot or does not have to comply with the request:[38]
·       If the information is necessary to complete or fulfill a contract or transaction.
·       If the information has been pseudonymized and is being used for scientific research, statistical, and/or historical purposes.
·       If the information is being used to detect and prevent security incidents.
·       If the information is needed to perform routine maintenance on a site or application.
·       If the business must retain the information to meet a legal obligation.
·       Where the information affects the right of another individual to exercise their right to free speech.
·       If the use of the information is aligned with the expectations of the consumer based on the consumer’s relationship with the business.
·       If the use of the information is compatible with the context in which the consumer provided the information.

The right to be forgotten (erasure) under the GDPR[39] extends to the following situations:
·       When the individual withdraws consent;
·       When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
·       The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR);
·       The personal data has to be erased in order to comply with a legal obligation;
·       The personal data is processed in relation to the offer of information services to a child.

VI. KEY DISTINCTIONS

a. Special Categories of Data
The GDPR classifies certain categories of personal data as sensitive and requiring further protection. These include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life/sexual orientation, and criminal convictions. There are ten conditions for processing special category data in the GDPR itself, although member countries may provide additional bases for processing.[40]

The CCPA makes no such distinction between categories of data and excludes health data covered under HIPAA,[41] which would be considered sensitive under the GDPR.

b. Cross-Border Transfers
The CCPA makes no mention of, or reference to, the location where data can be stored or transferred to or from.

Cross-border transfers are a major topic surrounding the GDPR. Personal data may be transferred out of the EU if one of these conditions is met:
·       The country to which the business transfers the data is deemed to have adequate protection;[42] or
·       The business has entered into Model Contracts or Standard Contractual Clauses (where appropriate); or
·       The business has entered into binding contracts[43] (where appropriate); or
·       The business has adhered to a code of conduct;[44] or
·       The business is part of a GDPR certification program.[45]

Individuals Exercising Rights 
As in the prior California statute, individuals have a private right of action against businesses for violation of this statute although the individuals must provide the business with written notice and 30 days to cure the violation.[46]

The Attorney General may take civil action against a business as well for violations of the statute.  Additionally, a business cannot discriminate against individuals who exercise their rights, either to make requests for information, port their data, or opt-out of the sale of their data.[47]

Under the GDPR, individuals have a number of options for enforcement; they may:
·       Contact the business.
·       Contact their local Data Protection Authority.[48]
·       Initiate civil proceedings.[49]
·       Pursue additional rights and remedies as prescribed by their country’s law. The GDPR does not provide a safe harbor for curing a violation, but a cure may help mitigate the damages a business would be liable for as a result of its violation.[50]

OPT-IN Consent
The GDPR is an opt-in regime where individuals must be given the opportunity to provide unbiased informed consent to uses and disclosures of their personal data.[51] If there is a change in the purpose and use of the data, the business can either pseudonymize the data, delete it, get re-consent of the individuals for the new purpose, or find another lawful basis for processing.[52]

OPT-OUT withdrawal of Consent
However, the CCPA is essentially an opt-out regime. Individuals can opt-out of the sale of their personal data.

One notable exception to the opt-out regime is financial incentive. A business may provide an individual with a financial incentive program only if the consumer gives the business prior opt-in consent, which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.[53] A financial incentive program cannot be unjust, unreasonable, coercive, or usurious in nature.[54]

Another exception to this rule is the sale of the data of children under the age of 16.[55] The sale of such data for children under the age of 16 requires parental opt-in consent.[56]

An exception to this is when there is a change in the purpose and use of the data in which case the business must provide that individual with notice.[57] This is a much lower standard than the GDPR.

The GDPR has a broader application of individual rights and designated duties for data controllers and processors. The writers of the CCPA were clearly influenced by the GDPR. Nonetheless, while the CCPA does provide individuals with a number of new rights, the application of the law is much more narrowly focused and mainly targeted at data sellers and brokers. The CCPA is definitely the most prescriptive data protection law in the United States, but it is in no way as detailed and stringent as the GDPR. The CCPA is not the GDPR, but the two overlap closely enough that, apart from a few minor exceptions, compliance with the GDPR will ensure compliance with the CCPA.


[1] Foley & Lardner LLP, State Data Breach Notification Laws, https://www.foley.com/files/Publication/c31703ac-ee93-40a5-b295-7e1d9fe45814/Presentation/PublicationAttachment/dd197c52-6ac0-4635-bdd0-78364c667344/18.MC12803%20Data%20Breach%20Chart%20012019.pdf, citing Alabama (SB-318) and South Dakota (SB-62) as the final two states to pass data breach notification laws.
[2] Cal. SB-1386 : Personal Information Privacy
[3] N.Y. Gen. Bus. Law § 899-aa
[4] N.Y. State Tech. Law 208
[5] NY Labor Law Sec. 203-c
[6] NY Penal Law Sec. 250.00
[7] NY Penal Law Sec. 250.05
[8] NY Pub Health § 2782
[9] GDPR applies to the processing of data of European Union (EU)  and the European Economic Area (EEA) see https://www.gov.uk/eu-eea
[10]  California Consumer Privacy Act of 2018 (“CCPA”), CAL CIV CODE § 1798,  See https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
[11] See https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=200120020SB1386
[12] http://www.npc.gov.cn/npc/xinwen/lfgz/flca/2015-07/06/content_1940614.htm
[13] General Data Protection Regulation, see https://gdpr-info.eu/
[14] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31996L0009
[15] Ala. Code § 8-38-1
[16] SDCL §§ 22-40-19 - 22-40-26
[17] http://duthaoonline.quochoi.vn/DuThao/Lists/DT_DUTHAO_LUAT/View_Detail.aspx?ItemID=1382
[18] Art 1 § 1 California Constitution (1972) see https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CONS&division=&title=&part=&chapter=&article=I
[19] Cal Civil Code Section 1798.140 (o)(1)(A)-(K)
[20] Cal Civil Code Section 1798.140 (o)(1)(K)(2)
[21] Cal Civil Code Section 1798.145 (c)
[22] Cal Civil Code Section 1798.145 (d)
[23] Art 4 GDPR
[24] Cal Civil Code Section 1798.140 (c)(1)(A)-(C)
[25] Cal Civil Code Section 1798.150 (a)(1)
[26] CCPA Section 2(f)
[27] Cal Civil Code Section 1798.140 (t)(1)
[28] Cal Civil Code Sections 1798.110 (a)(3); 1798.115 (a)
[29] Cal Civil Code Section 1798.115 (a)
[30] Cal Civil Code Section 1798.140 (d) & (t)(2)(B)-(C), see also Art 6 GDPR
[31] Cal Civil Code Section 1798.140 (r), see also Art 4 GDPR
[32] Cal Civil Code Section 1798.100 (d)
[33] Cal Civil Code Sections 1798.145 (g)(1); 1798.130 (a)(2); 1798.140 (y); 1798.185 (a)(7), see also Art 15 GDPR
[34] Cal Civil Code Section 1798.100 (d), see also Art 20 GDPR
[35] Cal Civil Code Section 1798.135. (a)
[36] Cal Civil Code Section 1798.100 (b), see also 1798.140 (t)(2)(D);
[37] Cal Civil Code Section 1798.105 (c)
[38] Cal Civil Code Section 1798.105 (d) (1) - (9)
[39] Art 17 GDPR
[40] Art. 9 GDPR
[41] Cal Civil Code Section 1798.145 (c)
[42] Art. 45 GDPR
[43] Art. 47 GDPR
[44] Art. 40 GDPR
[45] Art. 42 GDPR
[46] Cal Civil Code Section 1798.150 (b)(1)
[47] Cal Civil Code Section 1798.125. (a) (1)
[48] Art. 77 GDPR, see https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-are-data-protection-authorities-dpas_en
[49] Art. 79 GDPR
[50] Art. 84 GDPR
[51] Art. 7 GDPR
[52] Art 5 GDPR
[53] Cal Civil Code Section 1798.125. (a)(3)
[54] Cal Civil Code Section 1798.125. (a)(4)
[55] Cal Civil Code Section 1798.120 (a)
[56] Cal Civil Code Section 1798.120 (d)
[57] Cal Civil Code Section 1798.140 (t)(2)(D)
