California’s new Data Protection Law – Imitating GDPR or breaking new ground?
California’s new Data Protection Law, the California Consumer Privacy Act (CCPA), will enter into force in January 2020 and some have already referred to it as “California’s GDPR”. What regulations does the new law provide?
More legal obligations for enterprises – but not for all
The CCPA regulates data processing by certain companies and other legal entities that process and collect personal information about California residents. The company does not have to be based in California, the only thing that matters is whether data by Californians is processed. However, the law does not apply to all companies processing personal data, as it is the case with the GDPR, which focuses on the protection of every individual. The CCPA only applies to companies that exceed one of the following threshold values:
- Gross annual revenues of more than USD 25 million
- Processing of California resident personal information in the amount of 50,000 for business purposes or
- The profit of the company results 50 percent or more from the annual revenue from the sale of personal information.
European data protection standards for California thanks to its new Data Protection Law?
The legal term „personal information“ is interpreted broadly and includes not only identifying data (“personal data”), but also IP addresses, biometric information or location information that relates to a person.
California residents are granted more rights by the CCPA: access to personal information, deletion of such information, and a facilitated burden of proof system for data subjects that assert data breaches.
All this suggests a comparison to the European GDPR. This regulation, too, gives data subjects a broad catalog of individual rights and imposes higher obligations on transparency on data processors. Despite some similarities, however, there are also differences between CCPA and GDPR: The concept of the Data Protection Officer (DPO) is unknown to the CCPA. A mandatory data protection impact assessment (DPIA) is also not compulsory. Another difference is that the CCPA does not include the term „legal basis“ as a prerequisite for any data processing.
Opt-out instead of comprehensive protection
A difference to the GDPR is that the Opt-out possibility has a broader range of options at the CCPA A revocation (opt-out) is sufficient according to the CCPA: Section 1798.135 (a) (1) stipulates that companies must display a clearly visible link on their website entitled „Do Not Sell My Personal Information“ that prohibits the sale of personal data. If children are consumers, stricter rules apply. Children between the ages of 13 and 16 must express their consent. For children under 12, the parent or guardian decides.
Overall, California’s new Data Protection Law should bring about a significant improvement in the rights and data security of California residents. Consistent use of the CCPA can create consumer confidence, possibly with the effect that in the future he or she will be more willing to disclose personal information just if, in return, the data processor can provide quality services. However, the data protection level of GDPR is not quite reached.