There’s no doubt that the EU General Data Protection Regulation (GDPR), which took effect in May of 2018, set into motion a growing awareness of how companies around the world handle consumer privacy data. GDPR set the stage for the introduction of global data privacy regulations as evidenced by the California Consumer Privacy Act (CCPA) that was signed into law on the heels of GDPR and went into effect on January 1, 2020. And already, CCPA protections will soon be expanded when it’s superseded on January 1, 2023 by the recently approved California Privacy Rights Act (CPRA).
The first law of its kind in the United States, CCPA/CPRA is often equated to GDPR. But while they both aim to give consumers control over how their personal information is collected, used, and shared, there are several differences between these two regulations that impact who is affected, what companies need to do to comply, and the risks associated with noncompliance.
If your business is global and online, there’s a good chance that you’re subject to both CCPA/CPRA and GDPR, and just because you comply with one, doesn’t necessarily mean you comply with both. Let’s take a look at the top 5 areas where the two regulations differ.
Who and What Information is Protected?
CCPA/CPRA was established specifically to protect the rights of California residents, which the law defines as “a natural person who is a California resident” living in the state for any reason other than temporary or transitory purposes, as well as anyone living outside of the state who is considered a legal California resident. The law is aimed at consumers of household goods and services, employees and anyone involved in business-to-business transactions. In contrast, GDPR states that it protects ANY living identified or identifiable natural person, and that person does not need to be a resident of the EU or located within the EU. This is a much broader scope, aimed at companies offering goods and services in the EU rather than only at those doing business with EU citizens.
CCPA/CPRA and GDPR both have broad definitions as to what constitutes personal data, which includes any information that can identify a consumer such as name, IP address, email, social security number, online cookie identifiers, etc. While similar in scope, CCPA/CPRA is more specific in clarifying the various categories of personal information and also clearly states that it includes anything that can be linked to a household as well as a consumer. GDPR does not specifically address households, but enforcement under GDPR’s governing authority has shown the law to include households since in reality, any information that can identify a household can also identify a consumer.
It was previously thought that the two regulations varied greatly when it came to sensitive information since CCPA did not originally fully address this category. However, CPRA now clearly addresses such information as geolocation, biometric data, health information, race or ethnic origin, sexual orientation and the likes. With that change, the only real significant difference in terms of what information is protected is that GDPR covers publicly available data while CCPA/CPRA does not.
Who Has to Comply?
According to CCPA/CPRA, any for-profit entity doing business in California that meets any one of the following thresholds is required to comply:
Under this definition, your business does not need to be physically located in California, or even in the U.S. for that matter. The revenue threshold of $25 million also applies to ALL revenue, not just revenue attributed to California residents. Additionally, the definition of “selling personal information” is not confined to the classic sense of the word but rather includes disseminating or disclosing information in any way (more on what constitutes a sale under CCPA/CPRA follows below).
Unlike CCPA/CPRA, GDPR does not define specific thresholds but applies to ALL companies that offer goods or services in the EU, or that monitor the behavior of persons in the EU, irrespective of the company’s location. This essentially means that even if your company has minimal presence in the region with no established EU location, if you do any business in the EU, you need to comply. And don’t assume that you’re safe just because you aren’t selling into EU markets—if your website is accessible from the EU, you may be collecting data about Europeans, even if you never receive a single euro from those digital visitors.
What Rights Do You Need to Provide?
Under the right to be informed, CCPA/CPRA and GDPR both require businesses to provide information in advance, via a privacy notice, about the personal data they collect and how it will be used. Both regulations also establish the right of access, allowing consumers to know what personal information an organization holds. The right of access also requires you to provide the means for consumers to request access, disclose all categories of personal data and deliver the information to the consumer. There are some differences on the timing—the right of access under CCPA/CPRA applies only to information collected in the 12 months prior to the request, with a deadline of 45 days to respond, while GDPR applies to all information, with one month to respond. Both regulations do allow for extensions with notice.
CCPA/CPRA and GDPR opt-out rights are similar in their overriding objective, but there is a substantial difference. CCPA/CPRA requires the right to opt out of the sale of personal information to third parties and requires a clear and conspicuous “Do Not Sell My Personal Information” link on a website’s homepage. GDPR isn’t quite as absolute, providing consumers with the right to opt-out of “processing data for marketing purposes” and withdraw consent to process personal data, as well as giving businesses an exception if they can demonstrate compelling legitimate grounds.
While both regulations also give consumers the right to have their personal information deleted, one key difference is that GDPR also gives consumers the right to request that an organization corrects any inaccurate or incomplete personal information. CCPA/CPRA does not cover any rights of rectification.
How Do You Ensure Security of Privacy Data?
CCPA/CPRA and GDPR are similar in that businesses need to ensure an appropriate level of security for privacy information, but while GDPR requires technical and organizational measures to comply (e.g., encryption), CCPA/CPRA shifts this requirement more to consumer rights. Under CCPA/CPRA, consumers have a right of action for unauthorized access and exfiltration, theft, or disclosure of personal information resulting from a business’s failure to maintain appropriate security measures.
What Are the Risks of Noncompliance?
Penalties for noncompliance with CCPA/CPRA and GDPR both aim to hit where it hurts—your bottom line. Depending on the severity of the violation, GDPR fines can be up to 4% of annual global revenue or 20 million euros ($24 million USD), whichever is higher. CCPA/CPRA places its penalty on individual violations—$2500 per violation, with $7500 per violation for those concerning minors.
CCPA/CPRA has no ceiling on the number of violations, so depending on your annual revenue, penalties can add up beyond those of GDPR. An online retailer doing business with a million Californians could quickly find themselves faced with $2.5 billion USD in fines if a data breach or other violation hits the company’s entire data set of customers.
Meeting your obligations under both GDPR and CCPA/CPRA can seem daunting—especially given the differences between the two and the seemingly ever-changing rules. Get in touch today to learn how Ketch can help make your company fully GDPR and CCPA/CPRA compliant.
The California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020 and the recently approved California Privacy Rights Act (CPRA) that will supersede CCPA come 2023 are applicable to any for-profit business in California that meets any one of the following thresholds:
If your revenue is less than $25 million, your customer base doesn’t exceed the threshold for the number of consumers or households, and you’re not earning revenue by selling personal information, you probably think that your business is exempt. However, under CPRA/CCPA, the definition of “selling” is not confined to the classic sense of the word but rather is broadly defined. That means you could technically be selling personal information, even if you don’t think you are. It’s therefore important to know what constitutes a “sale.”
What’s in a Word?
CCPA/CPRA defines a “sale” of privacy information as “selling, renting, releasing, disclosing, disseminating, making available, transferring or communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or third party for monetary or other valuable consideration.”
While this remains a vague aspect of the law, one can conclude based on the definition that even if your business is not directly being paid for consumer personal information (i.e., name, social security number, email or IP address, Internet browsing history, etc.), any such information that you make available by other means could still be considered a sale if you’re receiving “valuable consideration” in return. But what exactly is valuable consideration?
California law defines valuable consideration as any benefit, meaning it can be non-monetary such as assets, inventory, a service, discounts, promotion, or intellectual property. Really any tangible or intangible business asset can potentially have valuable consideration. This includes targeted advertising based on a consumer’s behavior or preferences acquired via Internet analytics or tracking cookies. But there are exceptions.
Exceptions to Every Rule
First of all, under CCPA/CPRA, “selling” only refers to providing privacy data to third parties, which does not include service providers or contractors that perform a service required for your business to function. For example, if in selling your product or service, you provide personal information to a credit check bureau or fraud detection service to protect your business, this does not constitute a sale. In this scenario, service providers and contractors are also prohibited from “selling” personal information, and it’s up to you to ensure this requirement is covered in any terms and conditions.
Another exception to disseminating privacy data occurs if your business has previously provided personal information to third-party entities and a customer then chooses to opt out—you’ll need to provide that customer’s identification information (i.e., email, account numbers, etc.) to third parties so they too can comply with the opt-out request. Additionally, if you’re selling assets as part of a business merger or acquisition to a third party that will take over control of the business, the transfer of personal information does not constitute a sale. And of course, if a consumer opts in, disseminating that user’s personal information also does not constitute a sale.
How Can You Be Sure?
At this time, it remains somewhat unclear whether all disclosures of personal information to third parties constitute a “sale” under CCPA/CPRA. As specific legal cases arise and the California Privacy Protection Agency (CPPA) ramps up audits, enforcement, and education, it may become increasingly clear what constitutes a sale, but that doesn’t mean compliance can be put off until tomorrow. Rather than waiting for clarification and risking the penalties of non-compliance, any business handling privacy data would be wise to assess its risk today. And in today’s data-driven economy where information drives business decisions, it’s more than likely that you’re handling personal information.
With cybersecurity attacks on the rise and users becoming increasingly concerned about how their data is used, you need to be sure that you’re maintaining consumer trust. To that end, it is recommended to engage with CCPA/CPRA legal and data experts to conduct a thorough data mapping that identifies all the ways your business systems acquire and disseminate personal information. These experts can help assess your risk and implement necessary orchestration policies and procedures to prevent any potential non-compliant “sale” of information. Because even if your business is unknowingly selling information per the definition of CCPA/CPRA, you can be held liable.
CCPA/CPRA privacy data compliance is complicated. But with Ketch, it doesn’t have to be. Learn how we can help your business with data privacy today to reduce your risk tomorrow.
Under the California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020 and the recently approved California Privacy Rights Act (CPRA) that will supersede CCPA come 2023, California residents have the right to opt-out of a business selling or sharing any of their personal information.
That means that if you are a for-profit entity with an annual gross revenue in excess of $25 million and handling personal information of more than 100,000 California consumers or households, you are required by law to provide a clear and conspicuous way for your customers to opt-out. But what exactly does the right to opt out mean, how is it implemented, and how can you ensure your business complies?
What Does it Mean?
When you give customers the option to opt out, it limits the extent to which your company can sell or share a customer’s personal information. Under CCPA/CPRA, personal information is considered any information that identifies, relates to, or could be linked to an individual or household. This includes information like name, social security number, email or IP address, Internet browsing history, product purchases, geolocation data, and professional or employment-related information—essentially any information that is not publicly available via federal, state or local government records. According to Section 1798.140 of the CCPA, personal information also includes any information used to create a customer profile that reflects preferences, characteristics, behavior, or attitude.
The opt-out requirement doesn’t preclude you from collecting personal information in the normal course of doing business. After all, your business needs personal data to fulfill purchases and enable transactions. Opting out just means that you can’t sell or share this information with any other entity—unless it is a service provider that is necessary to perform a business function.
It’s important to note that any disclosing of personal information deemed as providing monetary or other valuable consideration is considered a “sale” under CCPA. While often disputed, this broad definition includes the use of third-party advertising and analytics cookies that track a user’s browsing behavior. This does not apply to first-party cookies required to perform essential functions on your website, like remembering which products a customer has placed into an online shopping cart.
How is it Implemented?
Under CCPA/CPRA, businesses needing to comply must provide two or more methods for submitting requests to opt out, including an interactive form accessible via a clear and conspicuous “Do Not Sell or Share My Personal Information” link on the business’ homepage. Other acceptable methods include a toll-free phone number, a designated email address, forms submitted in person or by mail, and user-enabled privacy controls such as browser plugins or settings.
One way of providing an opt-out method is via an interactive cookie banner on a website that allows users to decline or accept any non-essential cookies that collect personal information. Some banners get a bit more specific and allow users to select only the necessary cookies that enable core functionality and help improve the customer experience, while preventing the sale or sharing of data for marketing analytics or targeted advertising.
CCPA/CPRA also has more restrictive “opt-in” requirements for children. This means that businesses cannot sell or share personal information of consumers under 16 years of age without specific affirmative consent, with parental consent required for anyone under the age of 13. Unlike the opt-out option, opting in means that consumers are opted out by default and must take action to opt in. While this is contingent upon the business having knowledge of the age of the consumer, CCPA/CPRA does not allow a business to deliberately disregard a consumer’s age. Any business that targets children would therefore be wise to use only the “opt-in” option or implement a means to identify age and turn off any default selling or sharing of information for anyone under 16.
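The paragraphs above describe the decision a website has to make before it sets any non-essential cookie: has the visitor opted out (via the form, a browser privacy control, or another accepted method), and if the visitor is under 16, has an opt-in been given? The following is an added example, not Ketch’s code, showing that gate as a small consent check. The visitor and site object shapes, the field names (`optedOut`, `optedIn`, `parentalConsent`, `globalPrivacyControl`, `targetsChildren`), the cookie categories and the sample cookies are assumptions made for this illustration; the browser signal is read from a `globalPrivacyControl` flag, which is how Firefox and Brave expose the Global Privacy Control setting on `navigator`.

```javascript
// Added example (not Ketch's code): a consent gate for the CCPA/CPRA opt-out / opt-in
// rules. Visitor and site shapes, field names and cookie categories are assumptions.

const ESSENTIAL = "essential";       // first-party cookies needed for core functions (cart, login)
const ANALYTICS = "analytics";       // third-party analytics that track browsing behaviour
const ADVERTISING = "advertising";   // targeted advertising

// Decide whether the business may "sell or share" this visitor's personal information.
// visitor: { age?, optedOut?, optedIn?, parentalConsent?, globalPrivacyControl? }
// site:    { targetsChildren? }  - a site aimed at children uses the opt-in model
//          whenever the visitor's age is unknown (assumption, following the advice above)
function sellOrShareAllowed(visitor, site = {}) {
  // A submitted "Do Not Sell or Share My Personal Information" request always wins.
  if (visitor.optedOut === true) return false;
  // A user-enabled browser privacy control is treated like a submitted opt-out request.
  if (visitor.globalPrivacyControl === true) return false;

  const ageKnown = Number.isInteger(visitor.age);
  const minor = ageKnown ? visitor.age < 16 : site.targetsChildren === true;
  if (minor) {
    // Opt-in model: no sale/share by default. Under 13 needs parental consent;
    // 13-15 (or unknown age on a child-oriented site) needs affirmative opt-in.
    if (ageKnown && visitor.age < 13) return visitor.parentalConsent === true;
    return visitor.optedIn === true;
  }
  // Adult (or unknown age on a general-audience site) with no opt-out: permitted by default.
  return true;
}

// Reduce the cookies a page wants to set to those the visitor's status allows.
// Essential cookies are never blocked; every other category depends on sellOrShareAllowed().
function permittedCookies(visitor, requestedCookies, site = {}) {
  const allowSale = sellOrShareAllowed(visitor, site);
  return requestedCookies.filter((c) => c.category === ESSENTIAL || allowSale);
}

// Read the browser signal safely even when `navigator` is absent (e.g. server side).
function readGlobalPrivacyControl(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample: cookies a storefront page tries to set on load.
const SAMPLE_COOKIES = [
  { name: "cart_id", category: ESSENTIAL },
  { name: "_analytics_uid", category: ANALYTICS },
  { name: "ad_segment", category: ADVERTISING },
];

// Stand-alone demonstration when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  const gpcVisitor = { age: 34, globalPrivacyControl: readGlobalPrivacyControl({ globalPrivacyControl: true }) };
  console.log(permittedCookies(gpcVisitor, SAMPLE_COOKIES).map((c) => c.name)); // [ 'cart_id' ]
}
```

In a real deployment the `optedOut` flag would be populated from whatever records the opt-out requests received through the two or more required channels (form, phone, email, mail), and the check would run before any tag manager or analytics script is loaded, so that a blocked category never fires rather than being cleaned up afterwards.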
How Can You Ensure Compliance?
It is recommended to conduct a thorough data mapping to identify all the ways your business and its systems handle personal information. This can help you determine whether any third-party cookies are enabled on your website or whether any of your data handling constitutes selling or sharing personal information. Even if you think you aren’t selling or sharing personal information, it’s not always as obvious as disclosing data to third-party advertisers—think credit checking, identity verification services and other cloud-based services. And if you are unknowingly selling or sharing personal information, you’re still liable.
To see just how compliant (or not) your business is with CCPA/CPRA opt-out rights, start with a free assessment of your website at www.privacygrader.com.