The increasing role of technology, data and sharing of personal information has heightened consumers' risk of the unauthorized use or disclosure of their personal information. Governments have passed legislation to protect consumers from these risks. In the European Union, the General Data Protection Regulation (GDPR) protects data subjects. In California, the California Consumer Privacy Act (CCPA) provides protection for consumers. The protections afforded consumers under the CCPA, which became effective January 1, 2020, will be expanded under a new regulation, the California Privacy Rights and Enforcement Act (CPRA). The CPRA will go into effect on January 1, 2023, replacing the CCPA and will apply to personal data collected as of January 1, 2022. Businesses still need to comply with the CCPA until the CPRA goes into effect, so it is important to understand its requirements.
The CCPA has been compared to the GDPR, as it affords some similar protections to individuals, including giving them the right to access and delete their personal information. Like the GDPR, the CCPA promotes transparency about the use of an individual's data. Yet the two legislations differ in many respects. The purpose of this piece is to discuss similarities and differences between the CCPA and GDPR. Over a series of articles, we will compare the two regulations with respect to their applicability, basis for processing, consent, transparency given to consumers/data subjects about their personal information and those individuals' rights with respect to that personal data, and the terms your business needs to ensure are in its contracts with data processors or service providers to comply with your obligations under each regulation.
In this first article, we look at the applicability of the regulations and the basis for processing personal data.
The CCPA seeks to protect the privacy of natural persons who are residents of California. Any company doing business in California (regardless of where it is located) that meets certain thresholds with respect to its gross revenue or revenue from personal information it sells or the amounts of personal information that it buys/receives/sells or shares for commercial purposes must comply with the CCPA. The CCPA gives consumers the right to access, correct, or delete the personal information businesses have collected about them and to opt-out completely of third-party sales of their information. The CCPA's definition of personal information includes data that identifies or can be linked to a household, as well as a particular consumer.
In assessing its applicability, the GDPR does not set a threshold (in revenue or the amount of personal data collected) to determine if an organization falls under the regulation. The GDPR focuses not only on the residency of individuals whose data a business will process, but also the location of a business's operations. The GDPR applies to organizations/businesses operating within the European Union (EU). In this way, it also offers protections for non-EU residents. If a non-EU resident travels to the EU and makes a purchase and shares personal data, such as their name and email address with the retailer, the EU business must protect that individuals' data, just as it must protect the data of any EU resident purchasing an item from that retailer. The GDPR also applies to organizations/businesses operating outside the EU that offer goods and services to individuals in the EU. Under the GDPR personal data is information that can be used to identify an individual. The definition does not explicitly encompass data linked to households.
Legal Basis for Processing / Consent
The GDPR and CCPA differ in whether a basis for consent is needed to collect and process an individual's personal information. The GDPR requires that an organization processing a data subject's personal data have a legal basis to do so. The GDPR contains six legal grounds for processing personal data: consent, performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest. [For further information on the legal bases for processing, see this article).
A common ground for processing personal data under the GDPR is having consent in advance from the data subject. If a business relies on consent as its legal basis for processing personal data, then it must show that the data subject's consent is freely given, specific, and unambiguous. In other words, the consent cannot be implied. And the consent must be given prior to the processing taking place. By requiring organizations to have a legal basis for processing an individual's data, and especially when consent serves as that legal basis, data subjects under the GDPR can have control over their privacy from the start.
In contrast, the CCPA does not require a legal basis for processing personal information, and prior consent is not needed from consumers before a business processes or sells their personal information to third parties (except in the case of the sale of minors' personal information, as we'll discuss later). Consumers have less control over their privacy in this regard.
While the CCPA and GDPR both aim to protect the privacy of individuals' personal data, the GDPR has a wider applicability. It not only applies to people living in the EU but applies to anyone who is in the EU when their personal data is collected and processed. The GDPR also requires an organization to have a legal ground for collecting and processing data, and as we'll see in the next series, organizations must inform individuals of this legal basis. If the organization relies on a data subject's consent to collect and process information, this consent must be provided before the collection and processing occurs. This is in contrast to the CCPA where prior consent is not needed.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.