CALIFORNIA’S CONSUMER PRIVACY ACT IS BEING HAILED AS THE AMERICAN VERSION OF THE GDPR, BUT IS THAT ACCURATE?
Written by Victorianne C. Musonza, Esq., CISA, CAMS, CIPP, CIPM, FIP
I. INTRODUCTION
By the close of 2018, all fifty U.S. states had data breach notification laws[1] on the books. California was the first to pass a data breach notification law in 2003;[2] New York was not far behind, passing a data breach notification law[3] that was signed into law on August 10, 2005. New York has always had a more proactive approach to privacy, with several privacy statutes that cover information security,[4] employee privacy,[5] wiretapping,[6] eavesdropping,[7] and the confidentiality of HIV-related records.[8] Additionally, last year the New York legislature passed a cybersecurity law that imposes additional requirements on businesses regulated by the Department of Financial Services. In addition to federal statutes, New York businesses that do business in certain parts of Europe[9] or in California, provide services to residents of these areas, and/or meet certain criteria will have yet more statutes to comply with.
II. BACKGROUND
In June of 2018, the California Legislature narrowly passed the California Consumer Privacy Act (CCPA)[10] as an amendment to California’s general privacy law, the California Security Breach Information Act (SB-1386).[11] The CCPA becomes effective in January of 2020. The act applies to the protection of the personal information of California residents and the duties of businesses that store, use and maintain the personal information of state residents.
This amendment came about for a number of reasons: consumer mistrust, a series of recent large data breaches and an international movement for individual data protection.
This year, data protection took center stage as it was backed by heavy legislation. Recently, a number of important data protection/privacy laws were either passed, became effective and/or were updated. For example:
● The EU General Data Protection Regulation[13] (GDPR) became effective on May 25, 2018, replacing the 1996 EU Directive[14];
● This year the two final U.S. states, Alabama[15] and South Dakota,[16] passed data protection laws; and
Let’s delve a little deeper into California’s history of individual data protection and privacy. First, California’s state constitution provides for the right of privacy.[18] Second, California was the first state to pass a state data protection law in 2002. It appears that recent large data breaches were a source of inspiration for the amendment. Incidents include the Facebook/Cambridge Analytica scandal and the Equifax, Target, Anthem, and Sony data breaches, among others.
I will go through the most notable sections of the CCPA, discuss the purpose of the bill, outline key additions and changes, and, finally, draw parallels and distinctions to the General Data Protection Regulation (GDPR).
II. WHAT THE BILL COVERS
Similar to the original act, the CCPA provides for the confidentiality of personal data and requires a business or individual who experiences a breach of security of computerized data, including personal information as defined below, to disclose that breach to individuals and the Attorney General under certain circumstances.
“Personal information[19] is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular consumer or household.” Personal information includes, but is not limited to, the following:
● Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or similar terms.
● Any categories of personal information described in subdivision (e) of Section 1798.80.
● Characteristics of protected classifications under California or federal law.
● Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.
● Biometric information.
● Internet or other electronic network activity information, including but not limited to browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
● Geolocation data.
● Audio, electronic, visual, thermal, olfactory, or similar information.
● Professional or employment-related information.
● Education information that is not publicly available and is personally identifiable, as defined in the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99).
● Inferences drawn from any of the information identified in this subdivision to create a profile reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behaviors, attitudes, intelligence, abilities, and/or aptitude.
The CCPA excludes the following from the definition of personal information:
● Health information as defined by the Health Insurance Portability and Accountability Act (HIPAA).[21]
● Sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report under the Federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).[22]
The term for personal information under the GDPR is “personal data.” The meaning of “personal data” under the GDPR is much broader than personal information as defined by the CCPA. “Personal data” is defined as “...any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”[23]
III. WHO MUST COMPLY
Compliance with the CCPA is restricted to businesses that meet certain criteria. A business[24] is defined as “a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for profit or financial gain that collects consumers’ personal information, determines the purposes and means of the processing of consumers’ personal information” and meets one or more of the following conditions:
● Has annual gross revenues in excess of $25,000,000.
● Buys, receives, and/or sells the personal information of 50,000 or more consumers.
● Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
IV. KEY FACTORS OF THE LAW
a. Safe Harbor
Under the CCPA, encryption and/or redaction are treated as safe harbors in the event of unauthorized disclosure.[25] Therefore, where the data is encrypted or redacted and unauthorized access or disclosure occurs, notification is not required.
b. Risk of Harm
Additionally, the new bill adds a risk of harm analysis. Unauthorized disclosure of personal information and loss of privacy can have devastating effects on individuals. These can range from financial fraud, identity theft, and unnecessary costs in personal time and finances, to the destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm. The risk of harm to the individual is an additional factor used to determine whether an unauthorized disclosure rises to the level of a breach and requires notice to individuals and DPAs.[26]
c. Data Brokers
The practice of selling and/or purchasing personal data is often referred to as data brokering. The CCPA now defines the sale of such data and places obligations on businesses that engage in the business of selling personal data. This practice is defined by the statute as “sell,” “selling,” “sale,” or “sold,” meaning selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by a business to another business or third party for monetary or other valuable consideration.[27] Consumers now have the right to request that a business selling personal information disclose the categories of information it collects, as well as the identity of the third parties to whom the information was sold or disclosed.[28] Additionally, a third party cannot sell personal information about a consumer unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out.[29]
V. CONCEPTS INTRODUCED BY THE GDPR
In addition, the bill introduces some new concepts borrowed from the GDPR.
a. Lawful Basis
Businesses now need to have a business purpose for the collection and processing of personal information. This use must be compatible with the business purpose for which the personal information was collected.[30]
b. Pseudonymization
Pseudonymization refers to the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer.[31] Rather than redacting or encrypting information, identifiable traits are removed from the personal information.
Pseudonymization reduces risk to individuals and provides businesses with the means to sell, disclose, and change the uses of collected data without the need to provide notice to individuals or the option for them to opt out.
c. Subject Access Requests
Individuals can make requests to obtain copies of their personal information that a business collects, stores, uses, discloses and/or sells. Individuals will receive this free of charge, up to twice a year.[32] After verifying the identity of an individual, businesses have 45 days to respond to any subject access request, but this period may be extended by an additional 45 days (up to 90 days).[33]
d. Data Portability
Upon the verified request of an individual, businesses are now required to ensure that personal information can be delivered to individuals in a portable format to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance.[34]
e. Transparency Principle
Businesses are now required to notify individuals of their intent to sell their personal information in a conspicuous manner.[35] Businesses must inform individuals “as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” A business cannot collect additional categories of personal information or use the personal information collected for additional purposes without providing the consumer with notice.[36]
f. Right to be Forgotten / Erasure
Under the CCPA, a consumer has the right to request that a business delete any personal information which the business has collected from the consumer. A business that receives a verifiable request from an individual to delete their personal information must delete the information and direct any service providers to delete the consumer’s personal information from their records.[37]
There are some limitations to this right, where a business cannot or does not have to comply with the request:[38]
● If the information is necessary to complete or fulfill a contract or transaction.
● If the information has been pseudonymized and is being used for scientific research, statistics and/or historical information purposes.
● If the information is being used to detect and prevent security incidents.
● If the information is needed to perform routine maintenance on a site or application.
● If the business must retain the information to meet a legal obligation.
● Where the information affects the right of another individual to exercise their right to free speech.
● If the use of the information is aligned with the expectations of the consumer based on the consumer’s relationship with the business.
● If the use of the information is compatible with the context in which the consumer provided the information.
● When the individual withdraws consent;
● When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
● The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR);
● The personal data has to be erased in order to comply with a legal obligation;
● The personal data is processed in relation to the offer of information services to a child.
VI. KEY DISTINCTIONS
a. Special Categories of Data
The GDPR classifies certain categories of personal data as sensitive and requiring further protection. These include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life/sexual orientation, and criminal convictions. There are ten conditions for processing special category data in the GDPR itself, although member countries may provide additional bases for processing.[40]
The CCPA makes no such distinction between categories of data and excludes health data under HIPAA,[41] which would be considered sensitive under the GDPR.
b. Cross-Border Transfers
The CCPA makes no mention of or reference to the location where data can be stored or transferred to or from.
Cross-border transfers are a major topic surrounding the GDPR. Personal data may be transferred out of the EU if one of these conditions is met:
● The business has entered into Model Contracts or Standard Contractual Clauses (where appropriate); or
c. Individuals Exercising Rights
As in the prior California statute, individuals have a private right of action against businesses for violation of this statute, although the individuals must provide the business with written notice and 30 days to cure the violation.[46] The Attorney General may take civil action against a business as well for violations of the statute. Additionally, a business cannot discriminate against individuals who exercise their rights, whether to make requests for information, port their data, or opt out of the sale of their data.[47]
Under the GDPR, individuals have a number of options for enforcement; they may:
● Contact the business.
● Exercise additional rights and remedies as prescribed by their country’s law. The GDPR does not provide a safe harbor for curing a violation, but curing it may help mitigate the damages a business would be liable for as a result of the violation.[50]
d. Opt-In Consent
The GDPR is an opt-in regime where individuals must be given the opportunity to provide unbiased, informed consent to uses and disclosures of their personal data.[51] If there is a change in the purpose and use of the data, the business can either pseudonymize the data, delete it, obtain re-consent from the individuals for the new purpose, or find another lawful basis for processing.[52]
e. Opt-Out / Withdrawal of Consent
However, the CCPA is essentially an opt-out regime. Individuals can opt out of the sale of their personal data.
One notable exception to the opt-out regime is financial incentives. A business may provide an individual with a financial incentive program only if the consumer gives the business prior opt-in consent, which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.[53] A financial incentive program cannot be unjust, unreasonable, coercive, or usurious in nature.[54]
Another exception to this rule is the sale of the data of children under the age of 16.[55] The sale of such data for children under the age of 16 requires parental opt-in consent.[56]
A further exception is when there is a change in the purpose and use of the data, in which case the business must provide the individual with notice.[57] This is a much lower standard than the GDPR.
The GDPR has a broader application of individual rights and designated duties for data controllers and processors. The writers of the CCPA were clearly influenced by the GDPR. Nonetheless, while the CCPA does provide individuals with a number of new rights, the application of the law is much more narrowly focused and mainly targeted at data sellers and brokers. The CCPA is definitely the most prescriptive data protection law in the United States, but it is in no way as detailed and stringent as the GDPR. The CCPA is not the GDPR, but apart from a few minor compliance exceptions, compliance with the latter will ensure compliance with the former.
[1] Foley & Lardner LLP, State Data Breach Notification Laws, https://www.foley.com/files/Publication/c31703ac-ee93-40a5-b295-7e1d9fe45814/Presentation/PublicationAttachment/dd197c52-6ac0-4635-bdd0-78364c667344/18.MC12803%20Data%20Breach%20Chart%20012019.pdf, citing Alabama (SB-318) and South Dakota (SB-62) as the final two states to pass data breach notification laws.
[2] Cal. SB-1386: Personal Information Privacy
[3] N.Y. Gen. Bus. Law § 899-aa
[4] N.Y. State Tech. Law § 208
[5] N.Y. Labor Law § 203-c
[6] N.Y. Penal Law § 250.00
[7] N.Y. Penal Law § 250.05
[8] N.Y. Pub. Health Law § 2782
[9] The GDPR applies to the processing of data of the European Union (EU) and the European Economic Area (EEA); see https://www.gov.uk/eu-eea
[10] California Consumer Privacy Act of 2018 (“CCPA”), Cal. Civ. Code § 1798, see https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
[11] See https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=200120020SB1386
[12] http://www.npc.gov.cn/npc/xinwen/lfgz/flca/2015-07/06/content_1940614.htm
[13] General Data Protection Regulation, see https://gdpr-info.eu/
[14] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31996L0009
[17] http://duthaoonline.quochoi.vn/DuThao/Lists/DT_DUTHAO_LUAT/View_Detail.aspx?ItemID=1382
[18] Art. 1 § 1 California Constitution (1972), see https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CONS&division=&title=&part=&chapter=&article=I
[19] Cal. Civ. Code § 1798.140(o)(1)(A)-(K)
[20] Cal. Civ. Code § 3-1798.140(o)(1)(K)(2)
[21] Cal. Civ. Code § 1798.145(c)
[22] Cal. Civ. Code § 1798.145(d)
[23] Art. 4 GDPR
[25] Cal. Civ. Code § 3-1798.150(a)(1)
[28] Cal. Civ. Code §§ 3-1798.110(a)(3); 1798.115(a)
[29] Cal. Civ. Code § 3-1798.115(a)
[30] Cal. Civ. Code § 1798.140(d) & (t)(2)(B)-(C), see also Art. 6 GDPR
[31] Cal. Civ. Code § 3-1798.140(r), see also Art. 4 GDPR
[32] Cal. Civ. Code § 1798.100(d)
[33] Cal. Civ. Code §§ 3-1798.145(g)(1); 1798.130(a)(2); 1798.140(y); 1798.185(a)(7), see also Art. 15 GDPR
[34] Cal. Civ. Code § 1798.100(d), see also Art. 20 GDPR
[35] Cal. Civ. Code § 1798.135(a)
[36] Cal. Civ. Code § 1798.100(b), see also § 1798.140(t)(2)(D)
[37] Cal. Civ. Code § 1798.105(c)
[38] Cal. Civ. Code § 1798.105(d)(1)-(9)
[39] Art. 17 GDPR
[40] Art. 9 GDPR
[41] Cal. Civ. Code § 1798.145(c)
[42] Art. 45 GDPR
[43] Art. 47 GDPR
[44] Art. 40 GDPR
[45] Art. 42 GDPR
[46] Cal. Civ. Code § 1798.150(b)(1)
[47] Cal. Civ. Code § 1798.125(a)(1)
[48] Art. 77 GDPR, see https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-are-data-protection-authorities-dpas_en
[49] Art. 79 GDPR
[50] Art. 84 GDPR
[51] Art. 7 GDPR
[52] Art. 5 GDPR
[53] Cal. Civ. Code § 1798.125(a)(3)
[54] Cal. Civ. Code § 1798.125(a)(4)
[55] Cal. Civ. Code § 1798.120(a)
[56] Cal. Civ. Code § 1798.120(d)
[57] Cal. Civ. Code § 1798.140(t)(2)(D)