You remember the GDPR, right? The regulation that I constantly keep talking about and for which I always make weird jokes like “What? You’ve never heard about the GDPR?” and yadi-yadi-ya…
But don’t worry, I won’t lecture you about the GDPR once again, so you can relax and breathe out.
So, do you feel okay now? You’re starting to chill out in your comfy chair? Good.
Now… have you heard about the CCPA? No? Your bad.
Actually, I’m just teasing you. It’s okay if you’ve never heard about the CCPA, because it freshly came into force on January 1st, 2020. Most of you must be wondering: “what’s the CCPA?“
At first, I wanted to mess with you by telling you the answer at the end of the article, but I realized that it was only fun to me. So here’s your answer: CCPA stands for “California Consumer Privacy Act”.
I noticed there are mainly two kinds of articles about the CCPA on the internet:
- articles explaining why that act is totally “rad” (don’t judge me, I’m just trying to sound cool);
- articles comparing the CCPA with the GDPR.
So, with this article, I’m going to combine these two aspects above… except that I’ll explain why the CCPA is far from being “rad”, and why it doesn’t stand comparison with the GDPR.
Anyway, since I already know the GDPR almost by heart, I just had to get familiar with the CCPA to write this article. So I printed the act, grabbed a highlighter, took a deep breath and started reading thoroughly the 25 pages. By the way, the CCPA is 3,5 times shorter than the GDPR, so obviously, some things are missing.
I’m warning you beforehand: it wasn’t my intention to write a negative article the CCPA. Actually, when I first heard about it, I was thrilled that California passed such a law. But I think there was so much lobbying involved that its impact may be lessened.
So thanks to my generosity (I like tooting my own horn), you’ll get a recap of everything there is to know about the CCPA by comparing it with the GDPR and saying what’s wrong with it.
So what’s the CCPA? Five words or less.
The aftermath of Cambridge Analytica. Here are your five words.
Officially, the Cambridge Analytica case was the triggering factor of this act: “In March 2018, it came to light that tens of millions of people had their personal data misused by a data mining firm called Cambridge Analytica. (…) As a result, our desire for privacy controls and transparency in data practices is heightened”.
Therefore, thank you Facebook for sharing our personal information and giving rise to that act! I bet you didn’t see that coming, right?
Anyway, when I read that act, I was surprised: the legislator got greatly inspired by the GDPR, but he changed all the existing terminology just so that people wouldn’t find out. As a result, most of the words created by the GDPR were used and reworded.
If you want an example, the GDPR constantly uses the words “personal data” for any data that belongs to a natural person. The CCPA reworded that expression by using “personal information”. It basically means the same thing, but at least, the Californian legislator can’t say that they copied and pasted the European regulation.
There are examples like that by the shovelful. But that article is not about spotting the 7 differences between the CCPA and the GDPR. Actually, it’s about explaining the CCPA and saying if it’s better than the GDPR. To be honest, I didn’t really know how to write this article without having you fall asleep on your desk from boredom, so I decided to do a game with a score. In the end, you’ll know which law is best for protecting people’s privacy.
I’ll give you a hint… the CCPA didn’t do great. But since I’m a fair player, I’m going to give the CCPA a 3 points head start. So now, who’s going to win?
1. Who’s targeted?
The GDPR’s target is every natural person, without exception. That means that every single person in the EU has control over their data, whether they are a customer, a public service user, an employee, a student, etc… From the moment anyone collects some data that makes you identifiable, the GDPR applies.
Conversely, the CCPA’s target is consumers… so there’s the first rub. Weirdly enough, the bill NEVER ever gives a the definition of a “consumer”, we only know that it’s a Californian resident. Basically, the bill says “if you want to know if you’re a Californian resident, go look into the California Code of Regulations”. So that’s what I did, and the answer left me dissatisfied… and now, I’m even more confused because there are so many blanks in the equation. So I took a deep breath (again) and I tried to make sense out of this mess.
So, what do we know about a “consumer”? Not much, but we can play a guessing game. My first impulse is to say that a consumer is an individual who’s acting for purposes outside his trade or business activity. In a more simple way, a consumer is a company’s customer. I’m a French legal expert, so my guesses are only based on an EU directive (which doesn’t apply at all in California). Therefore, maybe I’m missing something here.
If my guess is right, that means that the CCPA would only apply to individuals buying from a business. So if you’re an employee, a public service user or a volunteer for a charity, you have no say in this and you can’t stop the organization from using your personal information. That theory drastically narrows down the field of application of the CCPA.
Ultimately, the GDPR is much more efficient than the CCPA because it applies to everyone in any kind of situation, not only when an individual makes a transaction with a business. That’s why the GDPR just got 1 point.
CCPA: 3 – GDPR: 1
Remember that I gave the CCPA a 3 points head start out of kindness?
2. For which companies?
The GDPR applies to every single company, without exception. Even better, the regulation was not only designed for companies, but for every public or private structure processing personal data, no matter the size of the organization.
However, the CCPA is way more trickier and narrow. It only applies to a “business”, which automatically excludes public organizations or associations. And even if you own a business, you may not be subjected to the CCPA. Indeed, the definition given by the CCPA is quite interesting, since three conditions are required to be subjected to the CCPA:
- Your business must have annual gross revenues higher than $25,000,000;
- Your business must buy, receive, sell or share the personal information of at least 50,000 consumers, households or devices per year;
- At least 50% of your business annual revenues are from selling consumers’ personal information.
In short, if you don’t fit into one of the above, the CCPA does not apply to you. Basically, a lot of businesses are “spared” by this law. It’s almost like it was only designed for Facebook, right? Since the Californian legislator cannot only create a law specifically punishing Facebook, they chose criteria perfectly fitting Facebook. It was also a perfect way to kill two birds with one stone, by punishing all the Big Four.
In a way, that’s a good thing for Californian residents who will get protection of their personal information by big companies. But if you’re dealing with a local business which sales your information without your consent, there’s nothing you can do to stop it. For that reason, the point goes to the GDPR for applying to every single organization.
CCPA: 3 – GDPR: 2
3. How do you say no?
Should the organizations fully comply with the GDPR, you can say no to the sale of your personal data. If a structure wants to collect your personal data, it has to tell you what for and then you must give your informed consent. If you don’t do that, the processing is illegal and the organization cannot collect or sale your personal data to anyone.
With the CCPA… things are trickier. By default, a business can collect some personal information about you. If you don’t want that to happen, you can opt-out. But if you don’t pay attention or don’t know that a business is collecting some personal information about you, it can legally sell them to anyone.
To make this simple: with the GDPR, you have to opt-in. With the CCPA, you have to opt-out. So it’s safe to say that the GDPR is more protecting of people’s privacy rights.
GDPR: 3 – CCPA: 3
We have a tie! I know, the suspense is killing you…
4. What are your rights?
The GDPR gives you many rights to make sure that you have control over the data you consented to give to a third-party. Basically, here are the rights you are entitled to:
- a right to transparent information and communication;
- a right of access;
- a right to rectification;
- a right to erasure (AKA the “right to be forgotten” since the Google Spain case);
- a right to restriction of processing;
- a right to data portability;
- a right to object;
- a right to object to an automated individual decision-making.
Any European citizen can exercise the rights above to have control over the data they gave to a third-party.
Under the CCPA, you can exercise the following rights:
- the right to know what personal information is being collected about you;
- the right to know whether your personal information was sold or disclosed to another business;
- The right to say no to the sale of personal information (by opting-out);
- the right to access your personal information;
- the right to equal service and price, even if you exercise your privacy rights.
At first, both the GDPR and CCPA seem to offer the same rights… but of course, there are some serious limitations to the CCPA.
For instance, you’re a Californian resident and you want to access the information that Facebook collected on you? Well, don’t get your hopes up about getting everything that Facebook collected since it was created, because the CCPA only requires a business to give access to the information collected over the last 12 months. If you’re under a lucky star, maybe the business will give you access to all of your information, but that scenario is pretty unlikely.
Oh, I forgot something. Under the CCPA, you cannot exercise your rights more than twice a year per business. There’s no explanation about that restriction, but I can’t stop imagining the Californian legislator waking up one day and thinking: “it could be great to allow more privacy to people… but only twice a year”. I hope that’s not what happened, but that limitation is really curious. It’s like allowing rights to people, but not too many rights because Facebook still has to be protected.
So it’s safe to say that the GDPR is far more efficient regarding people’s rights. It’s not only about the sale of personal data, because there are a lot of obligations regarding the way the data is being protected or processed.
That’s why one point goes to… the GDPR! (please, act surprised…)
GDPR: 4 – CCPA: 3
5. What penalties?
Here comes the interesting part of the article. As you may know it, the GDPR provides for two penalties:
- a €10,000,000 fine or 2% of your worldwide annual turnover;
- a €20,000,000 fine or 4% of your worldwide annual turnover.
Depending on the gravity of the violation, the supervisory authority can punish you with one of the fines above. Since the GDPR came into force, many fines have been issued and the most striking one being against British Airways (with a €200 million fine).
On the other hand, there’s the CCPA with intensely huge big scary penalties:
- $2,500 for each violation;
- $7,500 for each intentional violation.
That means that if you want to top a €20 million fine like the GDPR, a business has to commit at least 8,000 violations (or 2,666 violations if it commits it on purpose). Plus, I remind you that the CCPA only applies to businesses that make more than $25,000,000 a year. Therefore, I’m pretty sure that the Big Four laughed when they saw the amount of the penalty (there’s nothing like a little lobbying…).
So that seems pretty obvious… the point goes to the GDPR.
GDPR: 5 – CCPA: 3
I know, the CCPA-bashing is getting old
6. The supervisory authority?
Under the GDPR, there’s one supervisory authority for each Member State of the EU. Each one can impose fines or help data subjects exercise their rights. All of this must be done for free. To ensure a consistent application of the GDPR in every Member State, all the supervisory authorities form part of the European Data Protection Board.
With the CCPA, there’s no supervisory authority like the in the European Union. Instead, the authority taking care of the enforcement of the CCPA is the Attorney General. The latter has the power to start investigations in case of violation of the law and to bring that case before a judge in court.
However, the problem with the CCPA is that the Attorney General supervises the enforcement of the CCPA among the rest of his legal cases. That means that they’re not specialized in the field of data protection, which may lead to some violations slipping through the net.
All the money collected thanks to civil lawsuits pertaining to the CCPA will go to the Consumer Privacy Fund. That fund will be used only to file lawsuits against businesses that don’t comply with the CCPA. At first, it sounds like the legislator gave much thoughts to this system, but there’s still something bothering me: what if the fund is empty? Would that mean that the Attorney General won’t be able to go to court or build a case against businesses if they don’t have any money left? The CCPA just came into force, so I’m just speculating. I guess we’ll see how it goes in a few months.
Meanwhile, another point to the GDPR which provides for supervisory authorities dedicated to data protection. They mainly ensure the enforcement of the GDPR across Europe, and the Member States must give them all necessary resources to carry out their missions.
GDPR: 6 – CCPA: 3
7. What protection for children?
Under the GDPR, children below the age of 16 must get their parents or legal guardian’s consent to share some personal data. Children basically have the same rights as adults, except that they’re not able to give their consent to share their data.
At first, the CCPA has a lot of similarities with the GDPR regarding the protection of children. Actually, children who are less than 13 years of age need to get their parents’ or legal guardian’s consent to sell their personal information. There’s basically no difference with the GDPR on that point.
Between 13 and 16, businesses no longer need the parents’ consent to sell their children’s information. The CCPA implicitly leaves the choice for children to opt-in for the selling of their personal information, without any adult involved in the decision.
For children above 16, no more special treatment. Businesses can sell their personal information. If they don’t want that to happen, they need to opt-out.
On paper, the CCPA provisions seem pretty fair and good. But since nitpicking is like my favorite hobby, I’d like to express some reservations. Indeed, if you think this through, almost every business subjected to the CCPA requires to be at least 13 to use their service. That means that you legally cannot create a Facebook, Twitter, Instagram, Snapchat, Apple or Google account if you’re less than 13 years-old. Basically, you cannot sign-up to any popular service among kids these days.
So what does it means for the CCPA? It basically means that the parents will almost never be able to give their consent about the selling of their child’s personal information. Once these kids will legally be able to sign-up to a social media (which are the biggest data collectors ever), their parents’ consent will no longer be required. It’ll be up to the kids to decide whether they authorize a business to sell their personal information. Can you really imagine some 13 years-old children reading Instagram’s terms and conditions before creating an account? And if they do, are they mature enough to grasp the concept of online privacy and decide what they want to do with their personal information? Most adults are not even aware of those concepts, so it’s likely that it goes beyond a child’s understanding. I even wouldn’t be surprised if some businesses tried to trick kids into opting-in to sell their personal information.
In my opinion, the legislator knew perfectly that most web services require you to be at least 13, so that’s why the CCPA says that you only need the parents’ consent if you’re under 13. In other words, that provision is there just to look pretty when in fact it’s useless.
Therefore, since the GDPR offers a better protection to children, that’s where the point goes.
GDPR: 7 – CCPA: 3
8. What about civil remedies?
When a European citizen suffers from a violation of the GDPR, that person can file a lawsuit to set things right and claim for damages. That’s enough to go to court. Of course, you can seek damages as an individual or collectively, it’s up to you.
As you can imagine now, things are more complicated under the CCPA. There are some requirements if you want to file a lawsuit for a violation of the CCPA.
Indeed, prior to initiating any action against a business for statutory damages, the consumer must notify the business of the alleged violation. From that moment, the business has 30 days to set things right and cure the violation. If the business did so, the consumer won’t be able to file a lawsuit. So, that’s great for you to know that a business can mess with your personal information until you ask them to stop.
Oh, and I forgot something: you can initiate an action ONLY when a business violates its security obligations. That means that you can only sue the business for violations resulting from non-encrypted or non-redacted personal information.
Fortunately for you, thanks to the huge outpouring of generosity of the legislator, consumers are exempted from the prior notice mentioned above if you initiate an action only for actual pecuniary damages. But if you choose this path, just know that you can only recover damages between $100 and $750 per damage. No more, no less. That’s pretty cheap when you know that a business made more money off your back thanks to this violation. In short, this provision is about discouraging people from filing a lawsuit.
Now, guess to whom the point goes to?
GDPR: 8 – CCPA: 3
9. How can you exercise your rights?
The GDPR allows you to exercise your rights at any time by submitting a written, oral or electronic request to the controller. The request must be free of charge and the controller has to grant the request within 1 month. However, that deadline can be extended to 2 additional months if the request takes a lot of time or if the controller is facing an overload of requests.
The great thing about the CCPA is that consumers can exercise their rights under almost the same conditions as the GDPR. Consumers can make a request which is free of charge, and businesses will have to grant the request within 45 days. That deadline can be extended to 45 additional days.
So if you put together the initial time and additional time required to reply to the data subject or the consumer, there’s no difference between the GDPR and the CCPA.
Therefore, I’m proud to announce that the point goes to… the GDPR! Trust me, I would have gladly given a point to the CCPA, but there’s an inconsistency the law. Maybe I missed something in the text, but I’m pretty sure there’s a mistake inside the CCPA. In the first pages, the law says that a business response deadline can be extended to 45 additional days, but a few pages later, I find out that “the request may be extended by up to 90 additional days”. So, 45 or 90 additional days to reply to a consumer’s request? I guess we’ll know for sure if a business gets punished for replying beyond the 45 additional days.
GDPR: 9 – CCPA: 3
10. What are the controller’s/business’ obligations?
A controller subjected to the GDPR must comply with many obligations, such as:
- Keep a record of data processing activities;
- Carry out impact assessments for situations likely to result in a high risk for the data subjects’ rights and freedoms;
- Appoint a DPO, which is mandatory in some cases or highly recommended in others;
- Notify the supervisory authority of any data breach;
- Supervise any data transfer outside the EU;
- Ensure the high security of the data processed;
- Take technical and organizational measures to comply with the regulation…
Anyway, it would take too long to list all the obligations stated in the GDPR. The point is that the controllers are subjected to a lot of obligations, which is why the GDPR was enacted in April 2016 and came into force on May 2018. The obligations were so heavy for companies that the EU institutions gave the controllers a 2-year period to comply with the regulation.
As for the CCPA, businesses are only given less than 6 months to comply with the act. Does it mean that the legislator is dying to see the businesses to apply the act? No. It just implies that there are not as many obligations as the GDPR, so compliance will take much less time.
Indeed, businesses pretty much have to protect the consumers’ personal information (which should already be done thanks to the GDPR), implement measures for the consumers to opt-out, and implement procedures so the consumers can exercise their rights. So unlike the GDPR, there’s no need to create a record of data processing activities, carry out impact assessments, and so on…
At this point, you know to whom the point goes to…
GDPR: 10 – CCPA: 3
What valuable lesson have we learned today?
First off, congrats for reading this article all the way to the end. I know this topic might have been too long for some of you, so hats off to you!
So what you need to remember: the CCPA is a step-in-the-right-direction joke. The thing is that this act is a good thing for Californian residents, but it’s not enough to top the GDPR. Of course, the GDPR is far from being flawless, but it was like a revolution for European citizens who got their control back over their personal data.
I think the CCPA was designed for a greater purpose, but the amendments and lobbying got the better of it. In the end, it feels like the act was rushed or unfinished to the businesses’ advantage.
Therefore, if you’re already GDPR-compliant, you’ve done the hardest part and you just need to work out a few details in order to comply with the CCPA.
If you don’t know if you’re already GDPR-compliant, you can fill out for free the quiz created by Ziwit, and you’ll know everything!