The California Consumer Privacy Act of 2018 (CCPA) goes into effect January 1, 2020, and grants consumers extensive rights to control personal information.
KEY DIFFERENCES BETWEEN THE CCPA AND THE GDPR
Covered Entities. The GDPR has broad application to any person or entity, regardless of location or nationality, that acts as a "controller" (i.e., a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data) or a "processor" (i.e., a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller) of personal data of individuals that is collected in connection with a presence in the EU. The CCPA is not so broad; it regulates a "business," defined as a for-profit legal entity that does business in the state of California and which:
- Has annual gross revenues in excess of $25 million,
- Alone or in combination buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices on an annual basis, or
- Derives 50 percent or more of its annual revenues from selling consumers' personal information.
This difference in covered entities reflects the fundamental underpinnings of the two laws: The GDPR is grounded on the principle that, in the EU, privacy is a human right. Although the California Constitution similarly refers to the right to privacy as among the "inalienable" rights of all individuals, the CCPA itself does not seek to protect that right outside the commercial arena. It is "consumers" whose personal data is protected under the CCPA, and it is businesses, not other persons, upon which California has imposed the CCPA's requirements.
Personal Information. The GDPR protects "personal data" which is "any information relating to an identified or identifiable natural person (or a "data subject")." The CCPA similarly protects "personal information," but the definition of that term is designed to cover not only information identifiable to an individual consumer, but also to consumers that purchase or use products or services jointly: "'Personal information' means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
Importantly, however, as clarified by the recent amendments to the CCPA, certain information that is subject to protection under other US privacy regimes is exempt from the CCPA. For example, nonpublic personal financial information that is collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act and its implementing rules or the California Financial Information Privacy Act is also generally exempt from the CCPA (although a breach in the security of this information would be actionable in a private party suit brought under the CCPA). In addition, medical information governed by the California Confidentiality of Medical Information Act and "protected health information" collected or created by "covered entities" or "business associates" as those terms are defined under the Health Insurance Portability and Accountability Act (HIPAA) and its implementing rules are not subject to the CCPA. Information is exempt if it is collected as part of a clinical trial subject to protection under (i) the so-called "Common Rule" protecting human research subjects; (ii) the parallel rules of the Food and Drug Administration, or (iii) good clinical practice guidelines issued by the International Council for Harmonization in research. This latter exemption, vigorously advocated for by the pharmaceutical and medical device industries, is critical to prevent risks to the integrity of clinical trials that would exist if consumers who are research subjects could request access to or deletion of their personal data collected in the course of a clinical trial in which blinded studies and consistent data retention are essential to accurate analysis and reliable results.
There is ambiguity-or perhaps a serious deficiency-in the exemption for research subject information, however, in that much research involving human subjects takes place outside of actual "clinical trials"-for example, through surveys, interviews and other channels. The specific reference to data collected in a "clinical trial"-as opposed to in human-subject research more generally-may not encompass information collected for purposes of, for example, pharmacoeconomic or outcomes research, or for purposes such as identifying clinical trial participants. The medical research community may wish to seek further clarifying amendments to foreclose the possibility of an adverse impact on such nonclinical research.
Core Consumer Rights. Most of the basic privacy rights protected by the CCPA and GDPR are similar. The CCPA declares the California Legislature's intent to ensure five core consumer rights of California residents with respect to personal information about them:
- The right to know what personal information is collected;
- The right to know whether that personal information is sold or disclosed, and to whom;
- The right to "say no" to the sale of that personal information;
- The right to access that personal information; and
- The right to equal service and price, regardless of exercising their privacy rights.
The GDPR similarly grants individuals the right to notice of what types of personal information about them will be collected and disclosed, as well as the right to access the collected information. But unlike the CCPA, the GDPR does not focus specifically on the sale of personal data-the GDPR regulates "processing" generally, which encompasses collection, disclosure, sale, and the many other forms of activity that may occur with respect to personal data. And the GDPR does not require special notice of an individual's right to block the sale of personal information, whereas the CCPA requires each regulated business to post a clear and conspicuous notice on the homepage of its website of a consumer's right to prevent such sale, which must be an active link for consumers to click stating: "Do Not Sell My Personal Information." (For children, the CCPA requires additional protection: children under the age of 16 must affirmatively opt-in before businesses can sell their personal data, and parents of children under the age of 13 must opt-in on the child's behalf.)
Deletion of Personal Information. Another area in which the GDPR and CCPA are similar, but different enough to suggest distinct practices and policies, concerns the right of individuals to have their personal information deleted upon request. Under the GDPR, such a request must be honored in any of six circumstances, including when the personal information is no longer necessary in relation to the purposes for which it was processed or the individual has withdrawn their consent to processing and there is no other legal ground for processing. The CCPA, while establishing a general right to deletion, narrows the right substantially by permitting a business to decline an individual's request for deletion of certain personal information under nine specific conditions, including if the business needs to keep that information to "enable solely internal uses that are reasonably aligned with the expectations of the individual based on the individual's relationship with the business" or to "[o]therwise use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information."
Third-Party Processing Contracts. Another noticeable difference between the CCPA and the GDPR is that the GDPR requires any "controller" that shares personal information with a third-party "processor" to enter into a contract with the processor that places specific data protection obligations on the processor. Although other privacy laws in the United States, including the HIPAA privacy regulations and the Gramm-Leach-Bliley Act rules, impose such contractual obligations on "covered entities" and financial institutions, respectively, the CCPA does not require the businesses it regulates to similarly bind third-party processors to data protection obligations.
A more detailed summary of the similarities and differences between the CCPA and the GDPR is set forth in chart form below. As the summary indicates, while the CCPA and GDPR both are expansive pieces of legislation that similarly extend certain privacy rights to individuals in relation to their personal information, each law has subtleties in its definitions, mandates and exceptions that critically impact its application and interpretations. Businesses seeking to comply with both laws should view compliance with the CCPA as a separate phase of their data privacy program, albeit a phase that is following closely on the heels of, or is in conjunction with, their GDPR compliance. The specific details of both laws should be fully assessed so that business practices and policies can be implemented and adjusted accordingly.