July 1, 2020 was the official deadline to meet the standards of the California Consumer Privacy Act of 2018 (CCPA), which came into effect. While arguably the most advanced consumer privacy protection law in the US, the CCPA is notably less extensive than its EU counterpart, the General Data Protection Regulation (GDPR). This means a company that has invested in a robust GDPR programme can meet many CCPA obligations in relatively short order. However, there are some important areas in which the CCPA imposes obligations above and beyond the GDPR:

Additional disclosures in response to individual requests for information

Personal information under GDPR is defined as any information relating to an identified or identifiable person. The CCPA expands this definition to any information relating to a California resident or household. As such, businesses should consider both the consumer and household as identifiable entities and be prepared to locate and disclose this information to California residents upon request.

Data Sale Practices

The CCPA defines “sale” as any form of disclosure, in any format, to any other third party in exchange for money or other valuable consideration. “Other valuable consideration” significantly broadens the scope of what constitutes a sale, such that any disclosure of data in exchange for value (e.g. third-party data analytics) could meet the definition. Compliance with this obligation will require a review of all agreements where personal information is shared with third parties.

Additional disclosures in the privacy policy

The CCPA requires privacy policies to disclose whether the business collects, discloses, or sells personal data and a description of the categories of third parties with whom this data is shared. Given the broad definition of a sale of data noted above, businesses will likely need to disclose more information than required under the GDPR. It further requires the privacy policy to be kept current, meaning it must be updated annually, and the disclosures must cover the activities of the prior 12 months.

Protecting against discrimination

The CCPA prohibits a business from discriminating against individuals who exercise their rights under the statute. This means businesses cannot deny goods or services, offer different prices, or provide a different level of quality to such individuals. This explicit protection is not offered under the GDPR, so businesses will need to address this new requirement in their policies and procedures.

Financial penalties

The monetary risk to organisations under GDPR is up to 4% of annual global turnover or 20 million euros (whichever amount is greater). CCPA penalties are minor in comparison, ranging from $2,500 for a non-intentional violation to $7,500 for an intentional violation. However, multiple lawsuits in California are testing the theory that CCPA non-compliance predicates a violation of California’s Unfair Competition Law. If these claims are successful, private plaintiffs would have the ability to bring class action complaints for violations of the CCPA and organisations would be at significantly higher risk of monetary loss.

Keep in mind, the CCPA only applies to a business if one or more of the following are true:

  • Has a gross annual revenue in excess of $25 million;
  • Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
  • Derives 50% or more of its revenue from selling consumers’ personal information.

In addition to the above, businesses handling the personal information of more than four million consumers have additional obligations.

Contact Peter Boaz for further information

Peter has experience in the intersection of law and technology across jurisdictions.

Peter is our San Francisco-based consultant specializing in emerging technologies and data governance. He analyses global trends in data protection and advises clients on how to operationalize the California Consumer Privacy Act and other international regulations.