Businesses throughout California have a common New Year’s Resolution this year: ensure compliance with the California Consumer Privacy Act (CCPA). Earlier this year we posted an article comparing the highlights of CCPA—which will come into effect on January 1, 2020—to the General Data Protection Regulation (GDPR). Though strict enforcement of CCPA will likely not occur until July 1, 2020, it’s best not to delay. Here are a few reminders to get you started as we turn into the New Year:
- Does CCPA Apply to Your Business? CCPA applies to any business that collects or processes the personal information of a consumer and meets at least one of these requirements: (a) earns $25 million or more in a year in revenue; (b) alone, or in combination, buys, sells, or receives the personal information of 50,000 or more consumers, households, or devices for commercial purposes annually; or (c) derives 50% or more of annual revenue from selling consumer information.
- Being GDPR-Compliant Does Not Mean Your Company is CCPA-Compliant. As highlighted in our previous article (below), there are several differences between CCPA and GDPR, though they ultimately have the same goal. Therefore, even if your business is GDPR compliant, you will want to ensure you have reviewed and implemented CCPA standards as well.
- Stay Tuned. As with many new laws, we learn as we go. Though CCPA’s effective date is January 1, 2020, strict enforcement by the Attorney General likely won’t occur July 1, 2020, allowing a reasonable grace period to perfect compliance. Ensure you’re keeping up to date with best practices and monitoring developments to make the compliance process as smooth as possible for your company.
In 2016, Yahoo announced that a data breach resulted in the compromise of 500 million users’ names, email addresses, dates of birth, and telephone numbers. In 2017, Equifax, one of the largest credit bureaus in the United States, reported that 143 million consumers had a mixed bag of their personal information exposed: social security numbers, birth dates, addresses, driver’s license numbers and/or credit card information – take your pick. In 2018, two years after acquiring Starwood, Marriott discovered that cyber attackers had been squatting in the Starwood database since 2016, resulting in stolen data of another 500 million customers.
Fast forward in 2018 and this makes headlines: Google is fined $57 million for failing to comply with the European Union’s (EU) General Data Protection Regulation (GDPR).
Beginning with GDPR, which went into effect on May 25, 2018, legislative bodies finally started implementing security measures to protect consumers’ personal data. California leads the protecting-privacy-path for the United States – in June 2018, Governor Jerry Brown signed the California Consumer Privacy Act (CCPA), which will go into effect in January 2020.
But what does this mean for California businesses? What are GDPR and CCPA and how do they compare? Here’s the need-to-know:
WHAT IS GDPR?
GDPR went into effect on May 25, 2018, and serves as one set of data protection rules for all companies operating in the EU, regardless of where the company is based. The goal of GDPR is two-fold: (1) to ensure that individuals have more control over their personal data; and (2) to provide a level playing field for businesses.
GDPR regulates the processing of personal data or information relating to individuals in the EU. Simply put, if a business anywhere in the world processes personal information of members of the EU, it is subject to GDPR. For purposes of GDPR, personal data “means any information relating to an identified or identifiable natural person (‘data subject’) . . . by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Practical examples of personal data include name, surname, home address, email address, identification card number, IP address, cookie ID, and any other information that could directly or indirectly identify a natural person.
“A [data] controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the [data] processor is an entity which processes personal data on behalf of the controller.” The data controller is usually the business that is collecting and processing the personal information, but the duty to comply with GDPR can also extend to tech companies hired by businesses to process the data.
WHAT IS CCPA?
CCPA goes into effect in January 2020. Being a state initiative, its applicability is narrower than GDPR. CCPA applies to any business that collects or processes the personal information of a consumer and meets at least one of these requirements: (1) earns $25 million or more in a year in revenue; (2) alone, or in combination, buys, sells, or receives the personal information of 50,000 or more consumers, households, or devices for commercial purposes annually; or (3) derives 50% or more of annual revenue from selling consumer information.
Under CCPA, personal information has a more robust list of information that can be directly or indirectly linked to an individual than does GDPR, such as commercial information, geolocation data, professional or employment-related information, and education information.
While GDPR focuses on any entity or individual that processes information, CCPA concentrates on businesses that collect consumer information.
COMPARISON: GDPR v. CCPA
GDPR and CCPA are similar initiatives but have a few idiosyncrasies that businesses should be aware of in order to ensure compliance. This chart presents a brief comparison of the data privacy laws:
Who does it apply to
GDPR Ch 1, Art. 3
CCPA § 1798.140(c)(1)
Any data controller (i.e., company collecting information) or processor (i.e., SaaS) that collects personal data of EU citizen.
Any business collecting or processing consumers’ personal information that meets at least one of these requirements:
1. Earns $25M or more in a year in revenue
2. Buys/sells/receives personal information of 50,000+ consumers, households, or devices for commercial purposes
3. Derives 50% or more of annual revenue from selling consumer information
Right to knowledge of personal information being collected
GDPR Ch. 3, Art. 15
CCPA §§ 1798.100, 1798.110, 1798.115
A data subject (i.e. consumer) has the right to access information that an organization is processing. The organization must tell the consumer what information is being processed and who the recipients of the data are, among other things.
A consumer has the right to request a list of the personal information a business collects about him/her a maximum of twice per year; the business must send the information electronically or by mail free of charge. A consumer also has the right to know exactly what information is collected, what it is used for, who it is shared with, and whether it is sold. If personal information is sold, the consumer has the right to know all of the categories of personal information collected and sold about the consumer.
Right to Delete/Right to Erasure
GDPR Ch. 3, Art. 17
CCPA § 1798.105
A consumer has the right to withdraw consent to having personal information processed. Further, when an organization is no longer processing personal information of an individual, it must delete the information.
A consumer has the right to request that a business delete any personal information about the consumer, and the business must do so unless the it must maintain the personal information to complete a transaction, detect security or illegal activity, or comply with a legal obligation, among other exceptions.
Right to opt out of having data sold
GDPR Ch. 3, Art. 21
CCPA § 1798.120
Under the right to object, the consumer may object to the organization sharing information with third parties.
A consumer has the right to direct a business that sells personal information to third parties not to sell the consumer’s personal information.
CCPA § 1798.150
GDPR Ch. 6
The European Data Protection Board established 28 data protection authorities; there is no private action.
Private right of action or action brought by the Attorney General.
CCPA § 1798.125
No such provision.
A business is forbidden from discriminating against a consumer for exercising his/her rights under CCPA.
GDPR Ch. 8
CCPA § 1798.130
A consumer has the right to lodge a complaint with one of the established supervisory authorities.
Businesses must ensure consumers have access to two or more methods for submitting requests to exercise the rights included in CCPA.
GDPR Ch. 3, Art. 12
CCPA § 1798.130(a)(2)
The organization must take action without undue delay and within one month of a consumer’s request, free of charge unless the request is excessive.
A business is required to deliver the information requested by a consumer within 45 days of receiving the request, free of charge.
GDPR Ch. 8, Art. 83
CCPA § 1798.150
Up to €20 million or 4% of a company’s worldwide turnover.
$100 to $750 per breach or actual damages (whichever is greater); $7,500 fine for violations that are not addressed within 30 days.
Though GDPR and CCPA appear to have specific provisions and hefty fines for violations, we will not have the opportunity to witness how effective they are until disputes (not just fines) ensue. In the meantime, one thing is certain for businesses that collect personal information – data privacy legislation is finally here, and based on Google’s experience, it’s better to be in compliance sooner rather than later!
 GDPR ch.1, art.4(1).
 For purposes of this article and simplicity, “data subject” will be called consumer and “data controller” will be called business or organization.
Missy Griffin is an associate in the Los Angeles office of Gibbs Giden where she represents clients in the areas of construction claims and litigation in addition to business and commercial transactions. Ms. Griffin has worked on complex construction litigation, contract analysis, contract drafting, corporate governance issues, and data privacy and compliance matters.
Ms. Griffin brings to Gibbs Giden nearly a decade of real estate and property management experience. Prior to becoming an attorney, she worked in operations for a leading multifamily residential company on the West Coast followed by positions in operations and human resources for the largest owner and operator of premium showroom and exhibition space for the home furnishings industry.