GDPR-CCPA Compliance
A Practical Summary
There are several new regulations and sets of rules enacted on privacy and personal data around the world, two of which are GDPR and CCPA. These rules bring about a wide variety of changes, and therefore inadvertent confusion, in the market. This post is intended to be informative and help understand some of the changes, themes, and implications, and serve as a foundation for further research.
But before any of that, please consult legal counsel on your specific situation and needs. The information below is not legal advice: it is only provided as an introduction. A little knowledge is a dangerous thing and if you make a mistake, even if it is inadvertent, there may be serious legal consequences. Go talk to a lawyer.
Scope of Application
CCPA applies to companies that do business in California. Even if a company does not have offices in California, the CCPA would still apply if one of these conditions is met:
- A business buys, sells, or shares PII of 50,000 consumers or devices;
- Gross revenue of a business is greater than $25M; or
- A business derives 50% of its annual revenue from sharing personal information.
CCPA came into force on January 1, 2020.
Definition of personal information
CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.
Summary of CCPA compliance requirements
CCPA has three segments of compliance requirements: (i) relating to individual rights; (ii) relating to data security; and (iii) relating to service providers. Here is an overview:
1. Privacy notices
CCPA requires the business to provide a privacy notice to those Californians about whom it has collected personal information. Privacy notices should be given at least “at or before the point of collection” of personal information.
Differently from GDPR, CCPA adds two additional requirements:
- Privacy notices must contain a “Do not sell my personal information” link on websites and privacy notices; and
- Privacy notices must describe the information the business is sharing with service providers.
Compliance to-do list: (a) Identify instances in which the information about Californians is collected, and (b) draft a privacy notice that conforms with CCPA (and other pertinent laws).
2. Right to access data
In the EU, this right to access data is not new. However, in the US, only HIPAA and FERPA set forth similar rights to access health-related data.
Compliance to-do list:
- Review existing methods for submitting requests and check if they comply with CCPA.
- Review user authentication policies and procedures. If there is no policy, draft an authentication policy for those cases when users make data access requests.
- Draft a “play-book” of standard communications in implementing data requests.
- Train employees in handling data requests.
3. Right to be Forgotten (“RTBF”) / Right to Erasure
CCPA has a narrower scope of the information that has to be deleted than the GDPR. As a reference, under the GDPR, the following types of information may have to be deleted: information necessary to detect security incidents; information that is necessary to protect against illegal activity, repair, and errors; and information that is necessary for internal uses of the company.
Compliance to-do list:
- Review existing methods for submitting RTBF requests.
- Review user authentication policies and procedures.
- Draft a “play-book” of standard communications in implementing data requests.
- Train employees in handling data requests.
- Have a policy to facilitate deletion requests.
- Review technological capabilities (“hard/irrevocable deletion” and “selective deletion”).
4. Right to opt-out from having the information sold
One of the most important rights introduced in the CCPA is the right to opt-out from having one’s information sold. GDPR does not have any similar counterpart to this.
The notion of “sale” is defined broadly, so it is important for businesses to follow the practice of the California Department of Justice and stay up-to-date on how this right is enforced in practice.
Compliance to-do list:
- Ensure that the website has a “Do not sell my personal information” link;
- plus compliance requirements as in #3 above.
5. Right to opt-in to having the information sold (minors)
CCPA’s right to opt-in means that businesses cannot sell the personal information of a consumer who is less than 16 years old unless the business has received opt-in consent.
Compliance to-do list:
- Identify whether the business is knowingly collecting personal information from children under the age of 16; identify whether the business is unknowingly collecting such information.
- Institute a system for collecting parental consent.
- Verify whether the consent mechanism complies with COPPA and GDPR.
- Train employees in handling requests related to info collected about a child.
6. Right to receive services on equal terms
CCPA prohibits discriminating against consumers who exercise rights under the CCPA.
Compliance to-do list:
- Review your business’s pricing policies and make sure there is no price discrimination (intentional or inadvertent) based on opt-out requests.
- Review privacy notice requirements under the CCPA.
- Verify that policies in place facilitate compliance with the new requirements under the CCPA for consumers who exercise their rights.
7. Data Security
CCPA requires that organizations put in place “reasonable security measures and practices” to help protect personal information from being breached.
- The CCPA standard is nearly equivalent to that of the GDPR.
- Under the CCPA, it is clear that the regulator facilitates private class actions, while under the GDPR enforcement is through supervisory authorities.
Compliance to-do list:
- Memorialize security policies and procedures in a written information security plan (“WISP”).
- Review whether your WISP complies with industry standards.
- Conduct periodic risk assessments.
- Train employees on your security policies and procedures.
8. Service provider agreements
CCPA allows sharing personal information with third parties or service providers for business purposes as long as there is a written agreement that complies with the CCPA. CCPA prohibits waiving consumers’ rights in those service provider agreements.
Compliance to-do list:
- Review existing agreements with service providers and check if there are gaps.
- See if there are any service providers with whom there are no SPAs in place.
- Update SPAs in place to comply with CCPA.