The California Consumer Privacy Act ("CCPA") went into effect on January 1, 2020. CCPA is considered an important regulation because California will become the first and the strictest state in the US to implement a data protection and privacy law.
In this article, CCPA and KVKK1 will be discussed together and the main points of the regulations are explained in greater detail below;
- Who is covered by CPPA?
This is perhaps the most important difference between the two laws. While the KVKK covers all natural and legal persons responsible without any restrictions, CCPA only covers "business". The CCPA defines "business" as any for-profit entity that:
- does business in California;
- collects or determines the "purposes and means of the processing" of a California resident's "personal information"; and (3) satisfies one of the following three thresholds:
- Gross revenues in excess of US$25 million;
- Buys, receives, sells or shares the personal information of 50,000 or more California residents, households or devices in a year; or
- Derives 50 percent or more of its annual revenues from "selling" consumer personal information.
- What is the definition of personal data?
One of the important points of the CCPA is the definition of personal data. CCPA defines personal information of California residents – consumers- as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers. 2 Although the CCPA's broad definition of personal data, the law imposes a restriction in terms of place and group of person. On the other hand KVKK has not only made a limited definition of personal data but also has no any restriction in terms of territory and person.
- What is the Right to Know?
This is one of the similar points between the two laws. The CCPA gives California residents the right to ask a business which categories and specific pieces of personal information processed, sold or disclosed in the preceding 12 months. Businesses, in turn, must respond these requests within 45 days. On the other part in Article 11, the KVKK regulates the rights of data subject. According to the KVVKK each person has the right to apply to the controller and have the right to ask which personal data processed, transferred third parties etc. Similar to CCPA, KVKK requires data controllers to return to individuals within 30 days at the latest and free of charge. 3
- What is fines and penalties?
The fines and penalties regulated by CCPA are at least as strict as the regulations brought by the KVKK. The state Attorney General has the sole authority to enforce the entire CCPA and to impose civil penalties of $2,500 per violation or $7,500 for each intentional violation. And unlike the KVKK there are no caps on civil penalties. Because when the fines of KVKK are examined, it is seen that a lower and upper limit of fines is determined.4
- What is the Right to opt out and opt in?
Unlike KVKK, CCPA has given consumers the right to opt in and opt out. After that, businesses were obliged to grant the right to choose whether the personal data was sold to third parties. This seems to be a very important topic for companies in the long term.
In conclusion, CCPA is a significant step in the United States for the protection of personal data. Starting with the state of California, CCPA shows us that serious regulations about privacy and data protection will come into effect soon. Perhaps the most important message of this law is to expect very detailed processes for businesses working with personal data.
1 Turkish Data Protection Law No:6698
2 The California Consumer Privacy Act of 2018.
3 Article 13, Turkish Personal Data Protection Law: No6698
4 Article 18, Turkish Personal Data Protection Law, No:6698