There is a lot going on right now in privacy-land. Multiple EU countries are cracking down on US-based cloud services like Google Analytics, and just last month, the privacy NGO noyb won a big case against Facebook on the use of personalized ads. It's clear to everyone that privacy is moving more and more to the forefront, but finding your way in the jungle of privacy legislation is difficult. Hence this article aims to outline the different privacy laws and clarify how they relate.
Specifically, we’ll focus on the California Consumer Privacy Act, which is the best-known US privacy law. It’s also a very important piece of legislation because many large tech companies are established in California. We will take a look at it and see how it compares to the EU GDPR.
- The CCPA
- Who does the CCPA apply to?
- What are the obligations for your business under the CCPA?
- Is there a federal privacy law in the US?
- Is the CCPA a “GDPR light”?
- How do the CCPA and the GDPR regulate cookies?
- How do the CCPA and GDPR regulate data transfers?
- How does consent work in the CCPA and the GDPR?
The California Consumer Privacy Act (CCPA) is a Californian law. It was passed in 2018 and came into force in 2020. It gives consumers certain rights, including the right to know what data is collected about them, the right to delete their data, and the right to opt out of the sale of their data.
The CCPA was amended in 2020 by another law, the California Privacy Rights Act (CPRA). The amendment introduced new privacy rights and established the California Privacy Protection Agency (CPPA), which will enforce the CCPA starting July 2023. The latest, amended version is the one we will refer to throughout the blog.
So, to sum it up:
- the CCPA is a Californian privacy law
- the CPRA is another Californian law that modifies the CCPA
- the CPPA is the agency that will enforce Californian privacy law starting July 2023.
Bottom line, California is terrible at picking names. We will now look closer at the CCPA and see how it compares to the GDPR.
Who does the CCPA apply to?
The CCPA applies to for-profit businesses that meet certain thresholds regarding revenue and the amount of personal information processed. Because it only covers for-profit entities, non-profit organizations and government agencies fall outside its scope.
It should be noted that the CCPA applies to companies doing business in California, regardless of where they are established. So a non-US company may need to comply with the CCPA if it is active on the Californian market.
Aside from businesses, the CCPA includes rules for service providers, contractors, and third parties that receive personal information from a business.
What are the obligations for your business under the CCPA?
Businesses have several obligations under the CCPA. They must inform consumers about how their data is processed, erase or correct data upon request, limit data retention to what is necessary for the stated purpose, and allow consumers to opt out of the selling and sharing of their data. Consumers can also sue businesses for data breaches that result from a failure to implement reasonable security measures.
Is there a federal privacy law in the US?
The US has no comprehensive federal privacy law, but there are federal laws regulating specific areas such as health data (HIPAA) and children's data (COPPA). A federal privacy law has been proposed: the American Data Privacy and Protection Act (ADPPA).
Right now, six States have privacy laws. California is one of them, the others being Colorado, Connecticut, Nevada, Utah, and Virginia. The interaction between the ADPPA and State privacy legislation is a contentious point in the political negotiation around the proposal. Some States with privacy laws do not want the ADPPA to override their own laws because they are afraid that this would weaken the privacy rights of their citizens. At the same time, some proponents of the bill insist that the ADPPA override State laws to avoid legal fragmentation across the US.
Is the CCPA a “GDPR light”?
The CCPA was in some ways inspired by the GDPR and is sometimes referred to as a “GDPR light.” The two regulations are similar in some ways:
- both have extra-territorial effect in some circumstances. This means that businesses outside California may need to comply with the CCPA, and businesses outside the EU may need to comply with the GDPR
- some privacy rights are similar under the two regulations, such as the right of information and the right to erasure. Both laws seek to give individuals more control over their data
- both provide special protection for sensitive information, although the definitions of sensitive information are different
- the GDPR is mainly enforced by the data protection authorities in each EU Member State. Starting July 2023, the CCPA will also be enforced by a dedicated privacy authority (the CPPA) alongside the California Attorney General.
- non-compliance can be expensive. GDPR fines can amount to €20M or 4% of a company’s yearly worldwide turnover, whichever is higher, while civil penalties under the CCPA can amount to a maximum of $2,500 per violation and $7,500 per intentional violation. For companies processing vast amounts of personal data, the numbers can add up fast!
There are also important differences:
- the GDPR is broader in scope and applies to a wide range of data controllers, not just companies. The CCPA, on the other hand, is a consumer protection law and mostly focuses on businesses
- the GDPR is a longer, more complex law. It includes more rules and a comprehensive system of principles
- the GDPR is generally stricter. For instance, the regime for processing sensitive data is more restrictive
- the GDPR protects the data rights of everyone in the European Union and the European Economic Area, including non-EU citizens. The CCPA, on the other hand, only applies to the data of California residents.
How do the CCPA and the GDPR regulate cookies?
The CCPA does not specifically regulate cookies, but third-party cookies that share personal information fall under the rules for selling and sharing data. Under the law, businesses must inform users and provide them with a method for opting out.
This is an instance where EU privacy law is stricter: under the GDPR and the ePrivacy Directive, controllers must collect consent via an opt-in system for non-essential cookies (the accept button on cookie banners) before those cookies are set. And unlike the CCPA, EU law does not differentiate between first-party and third-party cookies: what matters is whether the cookie is strictly necessary for the service the user asked for.
How do the CCPA and GDPR regulate data transfers?
The CCPA does not regulate data transfers and sets no limits to data transfers outside of California or the US.
This is another important difference with the GDPR. The GDPR includes a complicated system of rules for data transfers to ensure that personal data can only be transferred safely.
Generally, a company can only transfer data based on one of several compliance mechanisms. The most common ones are standard contractual clauses (SCCs) which need to be implemented in a contract with the data recipient and tell it what it can and cannot do with the data.
The European Commission can also “greenlight” a country as a safe destination for data with an act called an adequacy decision. There have been two such decisions for the US (Safe Harbor and Privacy Shield), but both were invalidated by the EU Court of Justice in the Schrems I and Schrems II rulings because of concerns over US surveillance of foreign data.
US surveillance also complicates data transfers based on SCCs because these clauses can do little to protect European data from government access. The Schrems II ruling clarified that companies sending data to the US must supplement SCCs with additional safeguards, which is very difficult to do in practice. This problem is at the heart of Google Analytics’ legal issues with data transfers and is the reason several European privacy authorities have ruled against the use of Google Analytics (we wrote about this extensively on our blog).
A new adequacy decision for the US is coming but will almost certainly be challenged in the Court of Justice. The US has implemented some changes to its surveillance system, but it’s hard to say whether they will satisfy the Court. In other words, Schrems III is on the horizon, and there’s no saying how it will play out.
How does consent work in the CCPA and the GDPR?
For the most part, the CCPA does not require prior consent to process consumer data: the law mostly revolves around an opt-out system. However, prior opt-in consent is needed in certain situations, for example before selling or sharing the personal information of consumers under 16 years of age.
Valid consent is always opt-in under the GDPR. But consent is only one of several legal bases for processing personal data. This means that in some scenarios, data can be lawfully processed without consent. In a nutshell: consent is not always required, but when it is, it must be opt-in consent.
We wrote a blog about the topic if you’re curious about the other legal bases under the GDPR.
The GDPR and the CCPA are both important privacy laws. Both have an extra-territorial effect, so companies should familiarize themselves with them or rely on a professional to ensure compliance. The GDPR is a bit more complex, and we do our best to tackle some basics on this blog and make them digestible.
It is worth noting that both the GDPR and the CCPA only apply to personal data. From a compliance perspective, not processing personal data is a silver bullet for both laws, and for privacy law in general. This is not always possible because there are things you simply can’t do without personal data.
Fortunately, more and more privacy-friendly solutions show you can do without personal data. For example, Simple Analytics is a privacy-friendly alternative to Google Analytics that complies with GDPR and still gets you the website insights you need.
US-based cloud services have come under fire lately for their non-compliance with the GDPR. Hence, companies that value privacy and want to comply seek alternative solutions. If you are interested, you should check out the website “European Alternatives.” It gives you a broad idea of which alternatives exist in different categories such as web analytics, email providers, hosting providers, etc.
We created Simple Analytics because we believe in an independent internet that is friendly to website visitors. So fewer cookies and less tracking. If this resonates with you, feel free to give Simple Analytics a spin.