2020-01-27T16:10:00

California GDPR comes into force
January 27, 2020

California’s Consumer Privacy Act (“CCPA”) came into force on January 1, introducing principles in this state that are somewhat similar to those established in the European Union by the General Data Protection Regulation (“GDPR”).

However, as we will see, the CCPA is stricter than the GDPR in some aspects, and its scope of application is limited to companies that “do any business in California” and that (i) have at least $25 million in gross revenue; (ii) possess personal information from at least 50,000 Californian residents, households and devices per year; and (iii) generate at least 50% of their annual revenue from selling Californians’ personal data.

It should first be noted that there is no major difference between what is classified as personal data in Europe and in California, because the CCPA also defines personal data as any information that makes it possible to directly or indirectly (as in this case) identify a consumer or household (defined as “a person or group of persons who occupy a single home”), which, given its private nature and purpose, explicitly includes commercial information related to a consumer (e.g., buyer and consumer trends or asset records).

The CCPA also introduces certain basic consumer rights that are familiar to Europeans. These include the right to know (meaning consumers have the right to know which information a company has gathered on them, its source, the purpose for using it, and whether it is provided to third parties), and the right to delete consumers’ personal data. However, in this latter case, companies are only required to eliminate consumer data they collect directly. The act also introduces other rights, such as the right to prevent the sale or transfer of personal data to other companies. To do this, websites must include a link entitled “Do Not Sell My Personal Information” where consumers can exercise this right. The right to not be discriminated against for exercising any rights under the CCPA is also recognized.

The CCPA’s provisions also include a series of obligations for companies, such as the obligation to proactively disclose the existence of consumers’ rights and to communicate the purposes and categories of the personal data they collect; the prohibition against reselling the personal data a company has collected by buying it from another company (except where there is consent); and the obligation to communicate the categories of personal data a company has sold or disclosed in the last 12 months.

There are also significant differences between California’s new law and the GDPR, notably:

  • The CCPA does not include the right to be forgotten, the right of rectification and the right not to be subject to automated decisions.
  • It does not require express consent from consumers to process their data, which means that companies are free to process and sell their data, unless consumers oppose its processing and use.
  • Companies can prove that they comply with the applicable regulation after the fact, with no need to have prior specific documents proving compliance.
  • The CCPA allows companies to offer financial incentives to consumers who consent to having their data collected and processed.

Does automatic compliance with the CCPA guarantee compliance with the GDPR?

In general, compliance with the EU regulation means compliance with California’s law, although the latter does introduce explicit rules on selling personal data that companies must take into account.

Moreover, the CCPA also includes a specific set of penalties, and consumers have the right to private action against companies in the event of any security breach affecting their unencrypted and unprotected personal data that is not remedied within 30 days. In particular, all consumers may claim $100 to $750 for damages. The State Attorney General may also sue companies for any breach of the CCPA and demand fines of up to $7,500 per infringement.

All in all, according to several sources, and at least until New York’s Privacy Act is approved, the CCPA is the United States’ strictest personal data protection law, and it will have an undeniable impact on how companies and website operators handle the personal data and privacy of Californians (to whom the CCPA limits its effects).
