How is the California Consumer Privacy Act Different from GDPR?

Craig Pollack | Aug 14, 2018

Just a few months ago, we discussed the launch of the European Union’s General Data Protection Regulation (GDPR). This expansive regulation, put in place to protect the personal data of individuals in the EU from misuse by businesses and organizations, became effective in May 2018 and now has a similar American counterpart that recently passed in one U.S. state.

At the end of June, California approved the most significant personal privacy law to date in the nation — one that aims to protect consumer privacy rights. Known as the California Consumer Privacy Act of 2018 (CCPA), the legislation is highly reminiscent of the GDPR and will “require a business to make disclosures about the information and the purposes for which it is used.” The consumer privacy rights legislation, which will go into effect on Jan. 1, 2020, was put up for a vote just a few months after the data mining firm Cambridge Analytica was found to have misused the personal data of more than 80 million Facebook users.

But what makes the GDPR and the California Consumer Privacy Act of 2018 similar or different? As an IT Managed Service Provider (MSP) and a Managed Security Service Provider (MSSP), we feel it is our responsibility to help you stay informed about the newest legislation impacting businesses in the Los Angeles area.

Protected Parties and Organizations are Defined Differently

While there are many similarities between the two consumer privacy laws, there are also a number of differences. The GDPR protects individuals in the EU, referred to in the regulation as “data subjects,” and it binds private and public-sector organizations alike (the controller definition quoted below expressly includes public authorities and agencies). At its core, the GDPR prohibits a “controller” or “processor” from collecting, using, or disclosing a data subject’s personal data without a lawful basis, of which the data subject’s consent is one.

A controller is defined as “the natural or legal person, public authority, agency or other body which... determines the purposes and means of the processing of personal data.” This could be a business, nonprofit, or another organization located in the EU or abroad: the GDPR also reaches organizations outside the EU, including American ones, that offer goods or services to individuals in the EU or monitor their behavior. A “processor” is identified as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

The California Consumer Privacy Act, on the other hand, aims to protect “California consumers,” which are defined as “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.”

A “business” is defined in the California Consumer Privacy Act text as:

  1. “A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners” that does business in California, collects consumers’ personal information (or has it collected on its behalf), determines the purposes and means of processing that information, and that:
    1. Has annual gross revenues in excess of $25 million; or
    2. “Annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes... the personal information of 50,000 or more consumers, households, or devices”; or
    3. Derives at least 50% of its annual revenues from selling consumers’ personal information.
  2. “Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business.”

Regulations Offer Similar Protections But Differ in Degree

While the new California legislation is more stringent than previous consumer privacy laws in the U.S., some experts are still concerned that the consumer privacy rights legislation is not as well defined as it should be. According to an article from CNN:

“Technology companies can, for example, ‘share’ people's data even if a consumer bars them from selling it. And the law allows companies to charge higher prices to consumers who opt out of having their data sold.”

Under both the General Data Protection Regulation and the California Consumer Privacy Act, the protected parties (data subjects and California consumers) are entitled to:

  • know what personal information is being collected about them
  • be informed as to whether their information is being sold or disclosed (and to whom)
  • know what categories of personal information are collected
  • understand the purposes for which their personal information is used
  • refuse the sale of their personal information (the CCPA frames this as opting out of “sale”; the GDPR as the rights to object and to withdraw consent)
  • request to have their personal data deleted (unless the business needs to retain it for certain enumerated purposes)
  • access the personal information the business or controller holds about them, free of charge

Types of Protected Information

Both laws protect “personal information” (the GDPR’s term is “personal data”), which includes, but is not limited to:

  • a basic identifier (a name, an identification number, etc.)
  • race, gender, or sexual orientation
  • an online identifier (IP address, email address, etc.)
  • location data
  • biometric data
  • health and genetic data
  • mental health status

GDPR Is More Strict Than CCPA

However, the GDPR is stricter in its application than the new California law. It is intended to reach virtually any organization that handles the personal data of individuals in the EU, and it imposes affirmative obligations on them: a documented lawful basis for each processing activity, appropriate technical and organizational security measures, data protection by design and by default, and notification of personal data breaches to the supervisory authority within 72 hours. The CCPA, as enacted in 2018, is primarily a disclosure and opt-out statute.

The California Consumer Privacy Act, on the other hand, is limited to protecting consumers who reside in the state and applies to businesses that do business in the state. Coverage is not limited to companies headquartered there: a business that meets the thresholds above and collects or sells Californians’ personal information is covered whether it is located in California, another state, or another country.

Consumers Can Be “Punished” for Opting to Not Share Data

Unlike the GDPR, the California Consumer Privacy Act allows companies, in a roundabout way, to charge higher prices to consumers who refuse to let their data be sold.

According to the California Consumer Privacy Act text:

“The bill would authorize a consumer to opt out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.”

Emily Rusch, executive director of the nonprofit California Public Interest Research Group, shared her concern in the aforementioned CNN article: "California is explicitly allowing 'pay for privacy' deals that are in direct contradiction to our privacy rights.”

Both Laws Impose Penalties for Violations

Side by side, the General Data Protection Regulation and the California Consumer Privacy Act both impose penalties on businesses or organizations that violate their provisions, but the penalty schemes differ significantly.

With the GDPR, violations can result in any number of fines based on the type and severity of the infraction, as well as the cooperation of the alleged violator. Lesser infringements may result in GDPR fines of up to 10 million euros or 2% of the business’ global annual turnover from the previous financial year (whichever is greater). More severe infractions, on the other hand, may result in GDPR fines reaching 20 million euros or 4% of global turnover (whichever is greater) from the same period.

Under the CCPA, a business in violation of the title is liable for civil penalties as provided in Section 17206 of California’s Business and Professions Code (up to $2,500 per violation), and intentional violations carry a civil penalty of up to $7,500 per violation; these penalties are recovered in actions brought by the Attorney General. The funds are paid 20% to the Consumer Privacy Fund and 80% to the jurisdiction on whose behalf the action was brought. The fund was created within the General Fund in the State Treasury to offset costs incurred by the state courts and the Attorney General in enforcing the title. Separately, and of particular note for IT and security teams, the CCPA gives consumers a private right of action when their nonencrypted or nonredacted personal information is breached as a result of a business’s failure to implement and maintain reasonable security procedures and practices; statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.

It will be interesting to see how the law may change or be amended between now and when it takes effect in January 2020. As IT services and IT security professionals, we will keep an eye on the California Consumer Privacy Act to see how (or if) it changes and how those changes affect your business practices concerning data protection and processing.

To learn more about the importance of protecting your business and clients’ personal data, and how exposure of this information can affect your bottom line, be sure to check out our resource guide by clicking on the link below.

What are your thoughts on the GDPR and the CCPA? Share your thoughts in the comments section below or send me an email if you'd like to discuss this topic more in depth.

CFO'S GUIDE TO CYBERSECURITY

Author

Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 25 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best secure and leverage their technology to achieve their business objectives.