For a while now, the Internet is buzzing with the news about a new GDPR-like update to California’s consumer privacy legislation. Since major tech companies are based in California, the law may set standards in the whole US. But is it really similar to GDPR? Let’s see.
The California Consumer Privacy Act, CCPA for short, was enacted on June 28, 2018. It appears to be regulating the ways personal information is being used in a transactional sense, that is when a business makes profit on consumer’s data.
What’s more, it seems that it concerns the one-time use of personal information, unlike GDPR which controls data processing.
Who does the California privacy law concern?
The law gives Californians a greater insight and control over the ways their personal information is used by businesses. That sounds a bit like GDPR, which regulates personal data processing.
However, businesses should meet a couple of requirements in order to be affected by CCPA.
- They should operate for-profit
- Their annual gross revenues should be more than $25 million
- They process data of 50 thousand or more consumers, household, or devices
- They have to derive at least 50% of their annual revenues from the sale of personal information
The EU data protection law applies to data controllers, processors, and services that process data on the behalf of controllers. You can find definitions of those terms in this blog post:
What is personal information?
The CCPA protects natural persons. It understands personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The law goes beyond the standard information that identifies a specific person, but also includes a kind of info that points to a person. Information that may be implied based on Social Security number, IP addresses or geolocation data is also seen as personal information.
GDPR, on the other hand, defines personal data as any piece of personal data based on which you can identify a person.
What’s the main difference between GDPR and the California privacy law?
GDPR puts limits on the timespan when you can process the data. It also identifies consent-based grounds for using the data.
Watch the part of our webinar when we discuss the storage limitation under GDPR >>
The CCPA grants California residents a set of rights with which they can exercise a greater control over the use of their personal information.
What are the rights coming from the California privacy law?
The California Consumer Privacy Act allows consumers a few important rights to protect their privacy.
Right to be informed
California consumers have a right to know what information, or a category of information, a business is collecting about them. Similarly, they may request that a company shares the sources from which that info is collected and the purpose for collecting and selling the information. And they have the right to know who they are sharing the information with.
Businesses are required to tell a consumer what information they are collecting and why they do that right after a consumer makes the request (the request needs to be verifiable). The same consumer can ask for information no more than two times a year.
Companies have 45 days to provide the information that a consumer asks them for. The period may be extended to 90 days if there’s a sound reason for the delay. It can be extended only if the consumer was informed about that during those 45 days.
Right to request information erasure
Californians have a right to request that a company deletes their information. Businesses cannot discriminate the residents who made such a request.
However, that doesn’t apply in situations when that personal information is necessary to provide a service, as in the internal communication between the service and a client. The same goes for protecting the human rights of a person, like freedom of speech or freedom of personal security.
Nevertheless, it’s not the same as the right to be forgotten stated in GDPR.
Right to object to the sale of personal information
The CCPA gives people the right to ask a company to stop selling their personal information. Businesses are required to respect that request and cannot treat such consumers differently.
Selling personal information of children younger than 16 is prohibited.
The California Consumer Privacy Act is considered to be one of the most demanding privacy laws in the US. It will come into effect on January 1, 2020. There’s still room for change before it gets enforceable, but it’s a revolutionary act that has a potential to spark legislation in other US states.
This blog post was written in cooperation with Margaret Sikora, Interim Manager & Data Protection Officer at Woodpecker.co