The California Consumer Privacy Act of 2018 (the “CaCPA”) has caused a big stir in the privacy world with its speedy approval and strict requirements. Although the bill will not be implemented until January 1, 2020, the gravity of the changes it requires has grabbed everyone’s attention. The requirements in the bill have been compared heavily to the EU’s General Data Protection Regulation (GDPR), which went into effect in late May.
The CaCPA does mirror many of the GDPR’s requirements and captures the overall spirit of the GDPR by seeking to enhance individuals’ rights. However, the two differ when it comes to how personal information is defined. The bill pushes to protect all California residents by expanding the definition of personal information, which could have a greater operational and financial impact than the GDPR.
In this post, we will compare these two landmark privacy laws and seek to answer the question “If we’re compliant with the GDPR, are we compliant with the CaCPA?” We also created a quick cheat sheet that lines the two regulations up side by side for you to take with you.
Greater Protection of Individual Rights
Alignment between the CaCPA and the GDPR is most clearly seen in the area of individual rights. Much like the GDPR, California’s new bill provides individuals (i.e., consumers) more control over their personal information and includes the following individual rights: Right to Know (or access), Right to Object (or be forgotten), and the Right to Portability.
While these rights may sound similar to those found in the GDPR, there are a few differences between the two. According to the CaCPA, individual rights pertain to the consumer, which could be an individual person, household, and/or an organization or group of persons residing in the state of California, while the GDPR applies these rights to just the individual person.
Unlike the GDPR, the Golden State’s new law includes metadata in its Right to Access. Consumers may not only inquire about the type of data a business has on them, but also request further information on the different categories of data, how the data was collected, how categories are defined and organized, and how the data is distributed to third parties.
In addition, the definition of personal information is much broader in California’s new law. It stretches to include any information that may identify a person, including information that could be linked or associated with their household (e.g., utilities data such as water or electricity consumption, commercial activity such as purchase history, or profiling such as behavior or preferences).
Another distinction is that the CaCPA includes reparations to consumers as a penalty. In the event of a data breach, a business may have to provide affected consumer(s) with compensation ranging from $100 to $750. For this penalty to be invoked, the following steps must be taken:
- Consumers must make a written report of violations and wait 30 days to allow an organization to respond.
- If the organization continues the violations, then the consumer can bring the issue to the Attorney General for prosecution.
- The Attorney General will then analyze the significance of the violations, prosecute within six months of the report being made, and determine the compensation based on the effect of the breach on the consumer.
The Opt-out vs. The Opt-In
While the GDPR requires data subjects to opt in to allow their data to be processed by an organization, the CaCPA states that consumers must choose to opt out of allowing companies to sell their information. The CaCPA requires that businesses provide a clear and conspicuous link on their website titled “Do Not Sell My Personal Information” to provide consumers with the opportunity to opt out. While many companies may balk at this idea, there are actually quite a few steps to complete that the average consumer may not take (like going on the company website to opt out). Many customers won’t go to the trouble of completing these steps, allowing organizations to continue to sell most of their customers’ information.
The CaCPA also provides organizations with a few workarounds. The law allows organizations to charge consumers who opt out a different price with the caveat that the increased price be reasonable according to the value of the consumer's data. The bill also allows organizations to offer financial incentives, including compensation, to California residents for the collection or sale of their personal information. These options give organizations a way to incentivize consumers to not opt out of the sale of their personal information.
The Reach of the CaCPA and the GDPR
Just as the impact of the GDPR expanded outside of the EU, the CaCPA will heavily influence privacy legislation across the U.S. Even companies without a physical presence in California will need to implement some, if not all, of the guidelines imposed by the CaCPA. The scope of the CaCPA is not based just on an organization’s physical location, but also on its total revenue and sources of revenue and how these are tied to the sale of California residents’ data. California’s large population and dominance in the technology industry mean many U.S. companies will be affected by the new law. The only companies that may be able to avoid complying with the law are those that can prove that all of their commercial conduct takes place wholly outside of California.
At this point, many are asking, “If my organization complies with the GDPR, does this mean we are also compliant with the CaCPA?” The simple answer is no. While GDPR compliance is a necessary step for most global companies and will aid U.S. companies who must now comply with the CaCPA, these two regulations do not align completely. The central goal of the CaCPA is to protect consumers’ information from being maliciously used for profit and to impose stricter restrictions on data sharing for commercial purposes. It also has a much broader definition of what is considered personal information and requires specific disclosure and communication channels not required by the GDPR.
The CaCPA is a new bill with the strictest requirements of any privacy law in the U.S., which has caused a stir between technology companies and privacy advocates. This controversy is expected to lead to several amendments and revisions before the law goes into effect in 2020. However, in the meantime, companies that collect or process the information of California residents in any way should consider the following measures in order to better align with the CaCPA requirements:
- Build data inventories and records pertaining to California residents.
- Consider alternative business models, such as California-only sites, services, and offerings.
- Design processes that allow data subjects to submit requests.
- Create a “Do Not Sell My Personal Information” link on the business’s website homepage in a place that is clear and easily accessible for consumers, and implement procedures to accommodate these requests.
As a leader in the privacy and compliance space, Focal Point is one of the first organizations to offer an innovative suite of CaCPA compliance services. Click here to learn more about our offerings, from readiness assessments to advisory services to ongoing support.
In the meantime, download our free guide to the CaCPA and the GDPR to keep these changes top of mind.
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.