Comparing Scope: GDPR vs. CCPA vs. CPRA
In the last few blog posts I talked about how the California Privacy Rights Act (CPRA) will likely end up as a November 2020 state ballot initiative, how the CPRA is being positioned to voters in the (virtual?) voting booth, and how the proponents are messaging the initiative. It should be noted that the CPRA is an omnibus privacy and data protection law, not a law separate from the existing California Consumer Privacy Act (CCPA); it amends and extends the CCPA, so it truly represents "Version 2.0" of the CCPA. It changes the scope of the CCPA, provides additional rights to consumers and adds obligations for businesses, but probably most significantly it creates a new regulatory agency to enforce data protection and privacy in California: the California Privacy Protection Agency (PPA).
In this blog post I will discuss the scope of the CPRA. Given that the CPRA is Version 2.0 of the CCPA, I will compare it to the CCPA. And given that every privacy law is benchmarked against the European Union's General Data Protection Regulation (GDPR), I will use that as the starting point of the comparison. In subsequent posts I will discuss the CPRA's individual privacy rights, business obligations and enforcement mechanisms and benchmark those against the GDPR and CCPA.
Effective Date
In terms of effective date, the GDPR entered into force in May 2016 and became fully applicable on May 25, 2018.
The CCPA was passed into law in 2018 but did not take effect until January 1, 2020, with a few caveats: (1) enforcement actions by the California Attorney General could not begin until July 1, 2020; and (2) personal information collected by a business about a job applicant, employee or contractor is not in scope until January 1, 2021.
The CPRA will likely be voted on by California voters in November of 2020, and if the ballot initiative passes it becomes operative on January 1, 2023, with the following caveats: (1) the right of access applies only to personal information collected by a business on or after January 1, 2022; (2) the CCPA's exemption for personal information collected about a job applicant, employee or contractor is extended from an expiration date of January 1, 2021 to January 1, 2023; and (3) the CPRA's changes to the funding of the Consumer Privacy Fund, the rulemaking process, and the creation and funding of the California Privacy Protection Agency all become operative on the effective date of the CPRA (i.e. the fifth day after the election results are certified). Except for those caveats, the CCPA remains the law in effect until "Version 2.0" kicks in on January 1, 2023.
Who is Regulated and Protected?
In terms of who is regulated and who is protected, the GDPR regulates "controllers" (entities that determine the purposes and means of the processing of personal data) and "processors" (entities that process personal data on behalf of a controller) that are either: (a) established in the European Union (EU), regardless of whether the processing itself takes place in the EU, or (b) not established in the EU but offering goods or services (whether paid or not) to, or monitoring the behavior of, data subjects who are in the EU. Controllers can include non-profit organizations. The GDPR protects natural persons (i.e. real, living people, not corporations and not deceased persons), referred to as data subjects, regardless of their nationality or place of residence. So the territorial aspect of the law attaches to entities established in the EU and to entities anywhere that target or monitor people in the EU.
The CCPA regulates for-profit "businesses" that do business in California and either (1) have annual gross revenue greater than $25 million, OR (2) annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices, OR (3) derive 50% or more of their annual revenue from selling consumers' personal information. This is much narrower in who is regulated: small businesses below the thresholds and non-profits are effectively excluded. The CCPA protects "consumers," defined as California residents. So the territorial aspect attaches to the consumers, i.e. California residents.
The CPRA tightens who qualifies as a business vis-a-vis the CCPA. Under the CPRA, a "business" is a for-profit entity that does business in California and "collects consumers' personal information" and that meets one of the following thresholds: (1) gross revenue greater than $25 million in the preceding calendar year, OR (2) annually buys, sells or shares the personal information of 100,000 or more consumers or households, OR (3) derives 50% or more of its annual revenue from selling or sharing consumers' personal information.
So what changed is that the revenue threshold is now measured against the preceding calendar year (vs. what a business may project for the upcoming year), the information-volume bar rises dramatically from 50,000 to 100,000, and devices are no longer counted toward that threshold.
But a very key word added is "sharing." Version 1.0 (the CCPA) cared whether you "sell" personal information; Version 2.0 (the CPRA) cares whether you "sell" or "share" it. The CPRA defines "sharing" as disclosing, transferring, making available or otherwise communicating a consumer's personal information to a third party for cross-context behavioral advertising (think "retargeting" of digital ads based on your activity across other sites and apps), whether or not for monetary or other valuable consideration. This will certainly be of interest to firms that focus on data-driven advertising and marketing.
Finally, the CPRA widens who else is covered. The CCPA already covered any entity that controls or is controlled by a business and "shares common branding" with it; the CPRA narrows that to entities "with whom the business shares consumers' personal information." New to the CPRA are (b) "a joint venture or partnership composed of businesses in which each business has at least a 40 percent interest"; and (c) any entity that does business in California and voluntarily certifies to the California Privacy Protection Agency (PPA) that it is in compliance with the CPRA. This certification concept is of interest as it reminds me of the concept of an "adequacy decision" found in the GDPR.
Personal Information and Sensitive Information
The data protected is broadly the same: the GDPR calls it "personal data" while the CCPA calls it "personal information." It's what you would expect, e.g. government IDs, payment card information, health records, etc., plus anything that can reasonably be linked to an identified or identifiable person. The CCPA also broadens the definition to include information that can be linked to a household or a device. The CPRA, as noted above, drops devices from the business threshold and folds "sensitive personal information" (SPI) into personal information (more on SPI below). Neither the CCPA nor the CPRA applies to information that is deidentified or aggregated, nor to data already governed by federal privacy laws such as HIPAA, GLBA and FCRA.
One thing the CPRA clarifies is that personal information does not include publicly available information, information that is lawfully obtained, truthful and a matter of public concern, or information that is "lawfully made available to the public by the consumer or from widely distributed media." This means your public postings on social media (e.g. Twitter) are not personal information.
The GDPR has "special categories" of personal data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, sex life and sexual orientation) whose processing is prohibited unless one of a short list of exceptions applies, such as explicit consent by the data subject or processing required by law.
The CCPA has no call-out for sensitive data. But the CPRA does, and defines "sensitive personal information" (SPI) as
Social Security, driver's license, state ID card, or passport number;
account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to the account;
precise geolocation;
racial or ethnic origin, religious or philosophical beliefs, or union membership (a la the GDPR);
the contents of mail, email and text messages, unless the business is the intended recipient of the communication;
genetic data;
the processing of biometric information for the purpose of uniquely identifying a consumer;
personal information collected and analyzed concerning a consumer's health; and
personal information collected and analyzed concerning a consumer's sex life or sexual orientation.
One thing that was pointed out by another blogger is that the CPRA identifies precise geolocation as sensitive personal information, whereas in the EU "geolocation is subject to special rules under the ePrivacy Directive but it is not a special category of data under GDPR."
Under the CPRA, businesses must inform consumers that they are collecting SPI, the purposes of collection, whether the SPI will be sold or shared, and how long it will be retained. A business cannot collect additional SPI or use it for purposes incompatible with the disclosed purpose, and cannot retain SPI beyond the stated retention period. Furthermore, a consumer has the right at any time to limit the use and disclosure of their SPI to what is necessary to provide the requested goods or services. To support that right, a business must either place a clear link titled "Limit the Use of My Sensitive Personal Information" on its homepage or honor an opt-out preference signal sent by the consumer's browser or device. Finally, since SPI is personal information, a consumer can also direct the business not to sell or share it, and the business must honor the other consumer rights regarding personal information (access, deletion, correction, etc.).
Do Children Get Special Protection?
Yes with GDPR because the EU believes that in general children may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.
Yes with the CCPA too: "a business shall not sell the personal information" of a consumer it knows to be at least 13 and under 16 years of age unless the consumer affirmatively opts in to the sale. For children under 13, a business needs a parent's or guardian's affirmative authorization before selling the child's personal information.
The CPRA strengthens the protection for children by extending the opt-in requirement to sharing as well as selling personal information. Furthermore, if a consumer under 16 declines to opt in, the business must "wait for at least 12 months before requesting the consumer's consent again" or "until the consumer attains 16 years of age." Finally, the CPRA enables the Privacy Protection Agency to levy an administrative fine of up to $7,500 per violation (rather than the base $2,500) where the "business, service provider, contractor or other person has actual knowledge that the consumer is under 16 years of age."
Note both for the CCPA and CPRA, that both are “intended to supplement federal and state law," so existing Federal privacy laws re: children (e.g. COPPA) still apply.
What About Employees?
Yes, employees and their personal data are covered by the GDPR. The CCPA delayed application of most of its protections to personal information collected in the employment context until January 1, 2021. The CPRA extends that delay until January 1, 2023. The CPRA likewise extends, until January 1, 2023, the separate business-to-business exemption for "personal information reflecting a written or verbal communication or a transaction between the business" and a natural person acting as an employee, owner, director, officer or contractor of another company in the course of due diligence or providing or receiving a product or service; only then will the consumer rights (right of access, deletion, etc.) apply to that information.
Lawful Bases to Process Personal Data?
In the case of the GDPR, personal data can only be processed if there is a lawful basis. The available bases are consent (which must be freely given, specific, informed and unambiguous, so implied consent does not qualify), performance of a contract, compliance with a legal obligation, protection of vital interests, a task carried out in the public interest, and the controller's legitimate interests. So the GDPR's focus is on giving data subjects the ability to "opt in," via notice and consent or another lawful basis, before an entity processes their personal data. In contrast, in the US the Supreme Court held in Sorrell v. IMS Health Inc. (2011) that the creation and dissemination of information is speech protected by the First Amendment, striking down a Vermont law restricting the sale and use of prescriber data for marketing; the practical result is that businesses may generally collect and sell data without first obtaining consent or specifying a purpose. So the CCPA and CPRA are "opt-out" regimes, with the exception of minors, who are "opt-in" for the sale (and, under the CPRA, sharing) of their personal information: by default a business is not allowed to sell the personal information of a consumer aged 13 to 15 without the consumer's consent, or of a child under 13 without parental consent.
Is the Law Protected from Watering Down?
In the case of the GDPR and CCPA, there is no provision that limits the respective legislatures' ability to water down the two laws. In the case of the CPRA, because it is enacted by ballot initiative, the resulting law may be amended after its approval by the voters only by a statute passed by a majority vote of the members of each house of the Legislature and signed by the Governor, and only if the amendment is "consistent with and furthers the purpose and intent" of the CPRA. So the backers of the ballot initiative have tried to put the CPRA in a "lockbox."
Next up: a look at the individual privacy rights found in the CPRA and comparing them to the GDPR and CCPA.