Observation: CCPA Highlights and EU GDPR match-up

Andrew David Bhagyam
16 min read · Mar 2, 2019

The State of California passed the California Consumer Privacy Act (CCPA) on June 28, 2018. One theory is that the law was pushed through soon after the Facebook-Cambridge Analytica affair, in which user information ended up with an unauthorized third party. The Act makes the word ‘sell’ one of its most important points of focus and highlights it throughout, no wonder 🤔

The first difference with respect to (w.r.t.) the GDPR is in the definition of the actors or entities involved.

→ There is no ‘Data Controller’, ‘Data Processor’ or ‘Data Subject’. The equivalents used here are:

•Business / Person — analogous to the Data Controller

•Service provider — analogous to the Data Processor

•Consumer — analogous to the Data Subject

A definition of ‘third party’ and a trace of the GDPR’s ‘joint controller’ concept are also present (Sections 1798.140(t)(D), (w), (c)(1)).

This is how the Act (SEC. 3) is structured:

•Rights (Sections 1798.100 to 1798.120)

•Non-Discrimination (Section 1798.125)

•Methods to cater to those Rights (Section 1798.130)

•Notice & Transparency (Section 1798.135)

•Definitions (Section 1798.140)

•Exceptions & Restrictions (Section 1798.145)

•Civil action by consumers for data breaches (Section 1798.150)

•Seeking guidance from the Attorney General & civil penalties (Section 1798.155)

•Consumer Privacy Fund (Section 1798.160)

•Conflicting laws & Superseding (Sections 1798.175, 1798.180)

•Roles & Responsibilities of the Attorney General (Section 1798.185)

•Anti-circumvention, waiver & construction provisions (Sections 1798.190 to 1798.196)

•Operative date & Validity (Section 1798.198)

Similarities to the EU GDPR

The core privacy principles are covered. The provisions that share common ground with the GDPR are:

•Right of Access, Right to Information, Right to Delete (Right to be Forgotten), what information must be provided when consumers request their information, Right to Data Portability (folded into the Right of Access), Right to Object (Right to opt-out)

•Notice and Transparency

•Enforcement by a designated authority (the Attorney General in this case).

Unique Right in the CCPA

Right to opt-in (for the sale of minors’ personal information)

Provisions in the EU GDPR that are missing from the CCPA

•There is no notion of ‘sensitive personal information’ (the GDPR’s special categories of data).

•There is no mention of data and practices related to employment.

•There is no requirement to have a DPO or any privacy representative in the organization.

•There is no transfer mechanism (such as the GDPR’s adequacy decisions or standard contractual clauses) governing the transfer, including the sale, of data to third parties or other businesses.

•There is no Right to Rectification, no Right to restriction of processing (though the Right to opt-out could be considered analogous to it), and no right not to be subject to a decision based solely on automated means.

•There is no direct mention of ‘technical and organizational measures’, except in the definition of de-identified data and in the duty to implement ‘reasonable security procedures and practices’ that underpins the data breach provision.

•There is no mention of signs, symbols or icons related to data protection, except for the opt-out logo/button.

•There is no reporting structure, breach notification methodology or time frame as in the GDPR. Nothing in the Act requires the business to report a breach to the Attorney General or to the affected consumers. (California’s existing breach notification statute, Civil Code Section 1798.82, continues to apply separately.)

•There is no specific mention of risk assessments or DPIAs.

Highlights of the CCPA

There are quite a number of exceptions a business can rely upon when a consumer exercises the Right to Delete (Section 1798.105).

→ One clarification, which could even be called a loophole, is that the business can retain the information for the purpose of “debugging to identify and repair errors that impair existing intended functionality”.

→ Another rather loosely worded exception lets the business retain the information when it is “otherwise used, internally, in a lawful manner that is compatible with the context in which the consumer provided the information” or “to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the relationship with the business” (Section 1798.105(d)(7), (8)).

At the outset it looks as though there is no mention of a ‘lawful basis of processing’. Read in its entirety, however, the law touches on the following bases in other sections, either directly or indirectly:

•Consent

•Legitimate Interest

•Legal Obligation

•Performance of Contract

•Public interest

→ There is no mention, direct or indirect, of vital interests as a valid lawful basis for processing.

Providing information to consumers

With respect to what must be provided when a consumer requests their information (a subject access request, or simply for the sake of transparency):

→ The categories of sources from which the information was collected, irrespective of whether the business collected it directly or indirectly from the consumer.

→ The specific pieces of personal information the business has collected about the consumer.

→ The categories of personal information collected, sold or disclosed for a business purpose.

→ The categories of third parties to whom that information was sold or disclosed.

The time allowed to respond to a request is 45 days, which can be extended once by another 45 days, provided the consumer is notified of the extension and of the reason for it (Section 1798.130(a)(2)). Note that Section 1798.145(g)(1) separately allows an extension of up to 90 additional days where necessary given the complexity and number of requests, provided the consumer is informed of the extension and its reasons within 45 days of receipt; the two provisions are not reconciled in the text of the Act.

Methods of submitting requests to businesses by consumers

The business must make available two or more designated methods for submitting requests, which must include, at a minimum, a toll-free telephone number and, if the business maintains a website, a website address. Other methods mentioned are an Internet Web portal, a mailing address, or other applicable contact information (Sections 1798.130(a)(1), 1798.140(i)).

Method in which to provide the requested information

→ If the consumer has an account with the business, provide the information through that password-protected account.

→ If the consumer does not have an account with the business, provide the information by mail or electronically, at the consumer’s option.

The data must be in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit it to another entity without hindrance. This must be done free of charge (Sections 1798.100(d), 1798.130(a)(2)).

Businesses are obligated to provide only the information pertaining to the preceding 12-month period, not the entire history.

Businesses are not obligated to provide the information to the same consumer more than twice in a 12-month period (Section 1798.130(a)(7), (b)).

Caution:

→ The business must not require the consumer to create an account with the business in order to make a verifiable request, or solely in order to receive this information.

→ Information collected from the consumer, or from the consumer’s authorized person, for the specific purpose of verifying the request must not be used for any purpose other than that verification.

The Act makes a clear distinction between information shared with other businesses, persons, service providers or third parties based on the purpose for which it was disclosed, i.e. whether (Section 1798.130(a)(4)(B), (C), (5)(C)(i), (ii)):

→ The information was ‘sold’ (or)

→ The information was ‘disclosed for a business purpose’

One right that is mentioned repeatedly in the Act is the ‘Right to opt-out’ (similar to the Right to Object and the Right to restriction of processing in the EU GDPR).

→ This right enables consumers to direct a business not to sell their personal information to third parties (Section 1798.120).

Another notable right is the Right to opt-in for minors: a business must not sell the personal information of a consumer it knows to be under 16 years of age unless the consumer (in the case of consumers between 13 and 16) or the parent or guardian (in the case of consumers under 13) has affirmatively authorized the sale (Section 1798.120).

→ A business that willfully disregards the consumer’s age is deemed to have had actual knowledge of it. So, hey! Make sure you know the age of your consumers, especially if the service you are offering could be used by children.

A fresh transparency requirement concerns financial incentive programs: a business may enter a consumer into such a program only with the consumer’s prior opt-in consent, and that consent can be revoked by the consumer at any time (Section 1798.125(b)(3)).

→ A point (or leeway) worth noting is that a business can charge a consumer a different price or rate, or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to the consumer by the consumer’s data (Section 1798.125(a)(2)).

What should businesses do

•Businesses must maintain a separate list of the businesses, third parties and persons to whom the information was sold, and another separate list of those to whom the information was disclosed for a business purpose (Section 1798.130(a)(4)(B), (C)).

•Businesses must maintain a privacy policy (or policies) describing consumers’ rights and the categories of personal information collected, sold and disclosed, updated at least once every 12 months (Section 1798.130(a)(5)). A business may maintain a separate page dedicated to California consumers that carries the required links and text, provided it takes reasonable steps to ensure that California consumers are directed to that page rather than to the homepage made available to the public generally (Section 1798.135(b)).

•Businesses must provide a clear and conspicuous link on the business’s Internet homepage titled “Do Not Sell My Personal Information”, through which the consumer, or a person authorized by the consumer, can opt out of the sale of the consumer’s personal information. Caution: don’t require the consumer to create an account with the business in order to direct the business not to sell their personal information (Section 1798.135(a)(1)). Include this link in the privacy policy as well as on any page specifically maintained for California consumers.

→ A leeway here is that, after respecting an opt-out for at least 12 months, the business may ask the consumer to authorize the sale of their personal information again.

•Businesses must ensure that notices and information are easily understood by the average consumer, accessible to consumers with disabilities, and available in the language primarily used to interact with the consumer.

The most important definitions (not quoted as-is, but the key points of those definitions)

Business — a for-profit entity doing business in California that determines the purposes and means of processing personal information (a definition similar to the GDPR’s ‘controller’) and that meets any one of these thresholds: annual gross revenues in excess of $25 million; annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices; or derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Business purposes — includes counting ad impressions to unique visitors, verifying the position and quality of ad impressions, auditing, short-term transient use of information, providing customer service, processing payments, providing services to consumers on behalf of the business or service provider, internal research for technological development, and activities to verify or maintain the quality of, or to improve, upgrade or enhance, a service or device owned, manufactured for, or controlled by the business.

Collect/collection/collected — buying, renting, gathering, obtaining, receiving or accessing any personal information pertaining to a consumer by any means.

Commercial purposes — advancing a person’s commercial or economic interests, such as by inducing another person to buy, rent, subscribe to or exchange goods or services, or by enabling or effecting a commercial transaction. It does not include non-commercial speech such as political speech and journalism.

Consumer — a natural person who is a California resident, i.e. anyone in California for other than a temporary or transitory purpose, and anyone domiciled in California who is outside the state for a temporary or transitory purpose.

Device — any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.

Sell/selling/sale/sold — selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. The law also lists what is not considered a ‘sale’, such as: the consumer intentionally directs the business to disclose the information; the information is shared for the purpose of alerting other businesses and third parties that the consumer has opted out of the sale; or the information is used or shared with a service provider as necessary to perform a business purpose, provided that the business has given notice of this in its terms and conditions and the service provider does not further use the information for any secondary purpose.

Service provider — a for-profit entity that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, which must prohibit the service provider from retaining, using or disclosing the information for any purpose other than performing the services specified in the contract.

Unique identifier/Unique personal identifier — a persistent identifier that can be used to recognize a consumer, a family, or a device linked to a consumer or family, over time and across different services, such as a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers or similar technology; a customer number, unique pseudonym, or user alias; telephone numbers; or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.

Some interesting points noted in this Act

•The definition of biometric information specifically includes voice recordings, voiceprints, keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health and exercise data that contain identifying information, in addition to the more familiar fingerprint, retina and iris imagery etc.

•The Act treats IoT, wearable tech and hardware devices as an important player. The word ‘device’ appears very frequently.

•The term personal information includes IP addresses, aliases, commercial information such as products/services purchased and consuming histories or tendencies, network activity information such as browsing history and search history, thermal and olfactory information, and inferences drawn about a consumer to create a profile of the consumer’s preferences, trends, behavior, attitudes etc.

•Publicly available information refers only to information lawfully made available from federal, state or local government records. Information is not considered publicly available if it is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records, or for which it is publicly maintained.

•It was quite odd to see that ‘probabilistic identifier’ is a defined term in the Act. It means the identification of a consumer or a device to a degree of certainty of more probable than not, based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.

•A good thing to note was that ‘research’ is tied to the ‘public interest’ and ‘must be subject to applicable ethics and privacy laws’, especially for the purposes of public health research.

•The term ‘selling’ also excludes mergers, acquisitions, bankruptcies or other transactions in which the third party assumes control of all or part of the business, provided that the information is used or shared consistently with Sections 1798.110 and 1798.115.

•The Act defines the term “family” as a custodial parent or guardian and any minor children over which the parent or guardian has custody.

•Another noteworthy point is that the Act repeatedly states that ‘other federal laws and obligations’ must also be met, and that in the event of a conflict between other laws and the provisions of this Act, the provisions of the law that afford the greatest protection for the right of privacy of consumers shall control (Sections 1798.175, 1798.145).

•The Act also states that ethics and fair practices must be adhered to, and that no part of the Act supersedes or provides a basis for businesses to violate them.

•The law also ensures that the rights afforded to consumers and the obligations imposed on businesses do not adversely affect the rights and freedoms of other consumers.

•A special fund called the ‘Consumer Privacy Fund’ is created and will be used to offset any costs incurred by the state courts in connection with actions brought to enforce this Act, and any costs incurred by the Attorney General in carrying out the Attorney General’s duties under this Act.

The law does not apply to

•Medical information governed by the Confidentiality of Medical Information Act, or protected health information collected by a covered entity governed by HIPAA

•Data and practices governed by the FCRA — the sale of personal information to or from a consumer reporting agency, if that information is to be reported in, or used to generate, a consumer report for the purpose of reporting a consumer’s creditworthiness, credit standing, credit capacity etc.

•Data and practices covered by the Gramm-Leach-Bliley Act

•Data and practices covered by the Driver’s Privacy Protection Act

Note that the Gramm-Leach-Bliley and Driver’s Privacy Protection Act exemptions do not extend to the private right of action for data breaches in Section 1798.150.

De-identified information

The law allows the use of de-identified data for various purposes. In fact, information that is de-identified is not governed by this Act.

Advantages of de-identifying information:

•A business can collect, use, retain, sell, or disclose consumer information that is de-identified or that is aggregate consumer information.

•It can be used for research without the data protection and privacy requirements that apply to personal information.

The law defines ‘de-identified’ as information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses de-identified information:
(1) Has implemented technical safeguards that prohibit re-identification of the consumer to whom the information may pertain.
(2) Has implemented business processes that specifically prohibit re-identification of the information.
(3) Has implemented business processes to prevent inadvertent release of de-identified information.
(4) Makes no attempt to re-identify the information.

Employee training

The law sets out a very specific requirement: all individuals responsible for handling consumer inquiries about the business’s privacy practices or its compliance with this Act must be informed of all the requirements of the Act and of how to direct consumers to exercise their rights under it (Section 1798.130(a)(6)).

Data breach, provision breach, fines and actions

A data breach occurs when a consumer’s non-encrypted or non-redacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information (Section 1798.150).

→ The consumer can bring a civil action against the business.

→ The consumer can recover damages of not less than $100 and not more than $750 per consumer per incident, or actual damages, whichever is greater.

→ Before suing for statutory damages the consumer must give the business 30 days’ written notice identifying the specific provisions alleged to be violated; if the violation can be cured and the business cures it within those 30 days and confirms so in writing, no action for statutory damages may be initiated.

→ Criteria the court uses to assess statutory damages: the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.

→ Any person, business, or service provider that violates this title, and fails to cure the violation within 30 days of being notified of it by the Attorney General, is liable for a civil penalty of up to $2,500 for each violation, or up to $7,500 for each intentional violation (Section 1798.155).

Some tricky areas, things that are not so clear or are grey areas

•The law does not address data that is made publicly available by consumers themselves, for example through social media, or information about consumers made public by news agencies, journalists, other pages of a website etc.

•The law defines “homepage” as the introductory page of an Internet Web site and any Internet Web page where personal information is collected. This could cause confusion, since pages deep within a website that contain even a single form collecting personal information could constitute a “homepage”.

•A consumer can authorize another person solely to opt out of the sale of that consumer’s personal information. But the Act gives no definition of, or guidance on, how the authorization takes place and how to validate the authority.

•There is no mention of photographs as personal information or biometric data, although a ‘faceprint’ is considered biometric information.

•The Act seems to keep a check on those who raise a complaint against a business by requiring the consumer to provide written notice identifying the specific provisions of the Act the consumer alleges have been or are being violated. In practice this means the consumer needs a legal consultant who can do this for them.

Tasks of the Attorney General

•Updating, as needed, the additional categories of personal information

•Updating, as needed, the definition of unique identifiers to address changes in technology, data collection, obstacles to implementation, and privacy concerns, and adding categories to the definition of designated methods for submitting requests, to facilitate a consumer’s ability to obtain information from a business

•Establishing any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights

•Establishing rules and procedures:

→ To facilitate and govern the submission of a request by a consumer to opt out of the sale of personal information.

→ To govern business compliance with a consumer’s opt-out request.

→ For the development and use of a recognizable and uniform opt-out logo or button by all businesses, to promote consumer awareness of the opportunity to opt out of the sale of personal information.

→ Regarding financial incentive offerings.

→ To facilitate and govern the exercise of consumers’ rights, taking into account the ability of a consumer’s authorized agent to obtain information, with the goal of minimizing the administrative burden on consumers, and taking into account available technology, security concerns, and the burden on the business, and to govern a business’s determination that a request for information received from a consumer is a verifiable request.

The Act becomes operative on January 1, 2020. The Attorney General, however, may not bring an enforcement action until six months after the publication of the final regulations or July 1, 2020, whichever is sooner.

Where should you (as a business) start?

First, check whether you are required to comply (refer to the definition of Business above).

If you are in scope:

→ Conduct a gap assessment to know what controls are already in place and what you need to implement additionally.

→ Check your organization’s privacy policy or policies against the Notice and Transparency requirements of this Act and make amendments as necessary.

→ Revisit your financial incentive programs and make them conform to the requirements of this Act.

→ Check that your disclosures of personal information are transparent and ethical, and whether they fall within the exceptions to the definition of ‘selling’.

→ Avoid selling consumers’ personal information unless there is a lawful and ethical basis for it.

→ Record all of your disclosures to other businesses and third parties in separate lists (sold vs. disclosed for a business purpose, as mentioned above in this article).

→ Have strong written contracts with the businesses and third parties you engage, so that they do not engage in unethical or unlawful data practices, especially when they are providing a service to you or on your behalf; a service provider’s contract must restrict it to the specific purpose of performing the contracted services.

→ Set up at least two methods by which consumers can contact your organization to raise requests and exercise their rights (toll-free number, website form, web portal etc.).

→ Tag information with its source while it is being collected or entered into your systems, so that the categories of sources can be reported back on request.

→ Know the age of your consumers, verify it, and obtain the appropriate opt-in authorization, especially if your service or product caters to, or is likely to be used by, children.

→ De-identify data wherever possible; the Act does not require you to re-identify data solely in order to comply with it.

→ Be careful about information shared orally and via hard copies (prints), since these count as disclosures too.

→ Notify consumers before you change any practice that would use their data in a new way, beyond the purposes for which it was initially collected.

→ Encrypt and redact personal information wherever possible. The private right of action applies only to non-encrypted or non-redacted personal information, so this reduces both the chance of an actionable breach and the exposure to lawsuits and financial loss.

→ Do not discriminate against consumers for exercising their rights under this law.

→ Make sure your policies and notices are easily readable, understandable and accessible to consumers with disabilities.

→ Train your employees on the privacy practices of your organization, and put in place proper processes and procedures for dealing with consumer requests, detailing the steps employees must follow, from the initial communication through follow-up to closing the request with appropriate notes.

My overall impression and comments about this Act

→ The Act is quite friendly to business, while it does cater sufficiently to the rights of consumers.

→ The Act has been written quite elaborately with respect to defining its terms carefully, considering current trends and changes including the IoT regime.

→ The fines are quite a small amount for large businesses that actually misuse the personal information of consumers.

→ The Act has not addressed some important things, like employee information.

→ The Act has no mention of breach reporting, which is a major requirement in the current breach-prone data world.

Overall, the Act is a good addition to the US Code; however, it is not as stringent as competing data protection laws in the world such as the EU GDPR.

*The above article is based on my limited understanding and interpretation of the text. This should NOT be construed as legal advice. Please inform me of any inaccuracies by mentioning them in the comments below.*


Andrew David Bhagyam

Security & Privacy geek, Data protection thought leader, hacker, musician, Christian(I don't believe in religion, but I believe in Jesus Christ)