You diligently spent time analyzing your General Data Protection Regulation (GDPR) compliance requirements, built your roadmap, and executed it. You now learn that a new law, the California Consumer Privacy Act (CCPA), will go into effect in less than a year—and there are similar state privacy bills that have a good chance of becoming law this year. You are being told that you need to comply, but also that your GDPR prep is not going to be sufficient. Is there anything you can salvage to reduce your implementation costs?
Commentators often compare the CCPA to the GDPR because the CCPA was passed just over a month after implementation of the GDPR, and borrows certain concepts from the EU law. However, while they are both designed to protect consumers’ privacy, they employ different approaches. Broadly speaking, the GDPR is a holistic data protection statute that addresses organizations’ handling of “personal data” throughout the data’s collection, use, storage, disclosure, and deletion lifecycle. In contrast, the CCPA imposes a relatively narrow set of commitments on for-profit businesses, excluding certain regulated entities, designed to give consumers more control over the use and disclosure of their “personal information.”
For more information about the CCPA, please see our Rapid Q&A.
How Do I Leverage My GDPR Preparation for CCPA?
We estimate that the CCPA requires most covered businesses to address 21 operational requirements (the actions that an organization must be able to perform to comply) and within those requirements, there are 68 tasks an organization must undertake to achieve compliance. Many of the steps that organizations would take to meet these requirements overlap with the GDPR.
Achieving compliance with the GDPR and CCPA begins by creating an accurate record or “map” of how your organization processes (i.e. collects, uses, discloses, stores, de-identifies, and destroys) personal information. While mapping is not explicitly required by CCPA, without it, it is not possible to create the accurate disclosures required by both statutes, find personal information within your systems for deletion in response to a consumer’s exercise of their deletion right, or know what personal information is subject to consumers’ opt-out rights.
If you created entity-wide data maps, data flow diagrams, or other records of your data processing activities—your “processing register”—for GDPR, you can use that processing register as a basis for your CCPA compliance. The definition of “personal data” in the GDPR overlaps significantly with the definition of “personal information” in the CCPA such that an effort to identify GDPR-covered personal data within an organization would likely have uncovered most of its CCPA-covered personal information.
However, there are nuances that may require additional analysis. In particular, under the CCPA “personal information” includes that of “households.” If your organization maintains records that identify a household by an address but not the individuals living there, those records may still be personal information. Personal information also includes inferences drawn about a person to create a profile that “reflects” the consumer’s “preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” Personal information excludes certain public records that are still considered personal data under GDPR.
Finally, the CCPA does not provide guidance for determining when information that has been stripped of identifiers is no longer considered personal information.
Data Governance Program
A data governance program is a collection of policies and procedures, including the processing register, that defines how an organization handles personal information collected and stored in its systems.
If you have created a data governance program for complying with the GDPR, you may be able to leverage a significant amount of that work for your CCPA compliance.
- If you have created policies and procedures that address the GDPR principles of data minimization and the requirement to use privacy-by-design, you may have reduced your CCPA compliance burden by minimizing the number of information systems in which you store personal information.
- The GDPR and CCPA require that organizations create detailed, public disclosures describing their data processing. While the CCPA will require you to convert that information to a specific format, having done the analysis of your privacy practices for GDPR purposes will speed up the process.
Other elements of the CCPA are, however, significantly different from the GDPR and thus require separate consideration. For example:
- The CCPA’s opt-out rights and nondiscrimination provisions have no equivalents in the GDPR.
- The CCPA requires more specific disclosures in public-facing privacy notices, in particular “a list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) [corresponding to the categories of information listed in the definition of personal information] that most closely describe the personal information collected.”
- The CCPA requires businesses that sell personal information to make a link available on their websites entitled “Do Not Sell My Personal Information” and a toll-free telephone number for consumers to use to exercise the right to opt out of the sale of their personal information.
Data Subject Rights
The CCPA’s obligations related to consumer access and deletion rights closely track with the GDPR’s. Both require organizations to disclose information about their personal information processing activities upon consumers’ requests, give consumers a copy of their personal information, and delete personal information within their systems associated with the requestor. (Note: The CCPA’s deletion requirement is more limited than the GDPR’s because it allows organizations to take advantage of more exceptions.) Therefore, it is likely that any policies and procedures you created to respond to these consumer rights under the GDPR will also work for CCPA compliance.
Consumers’ rights to opt out of the sale of their personal information under the CCPA do not exist in the GDPR. To be sure, the GDPR permits data subjects to “opt out” by revoking consent or exercising a right to object to or pause certain processing activities. But the CCPA allows consumers to prevent a business from disclosing any of their personal information to any third party from which the business receives monetary or other consideration, regardless of whether the personal information was obtained with consent, unless an exception applies. Therefore, it is essential to create an accurate data map and processing register so that you can efficiently identify the information your business “sells” and act within the CCPA’s deadlines for responding to an opt-out request.
Data Security and Data Breach Risk
United States-based organizations that must comply with the GDPR will have already adjusted to its short reporting time frames and broad disclosure requirements.
The CCPA itself does not create any new obligation to notify consumers or regulators of a data breach or to implement security controls. The CCPA does, however, significantly increase the risk of being sued if a breach was caused by the organization’s failure to implement “reasonable” security measures.
If your organization tightened its security controls in response to the GDPR’s strict requirements, chances are that you have less work to do to reduce your risk of losing lawsuits based on alleged violations of the CCPA. However, continued vigilance is necessary because there is no official guidance defining or explaining what “reasonable” security would entail with respect to the CCPA. The California Attorney General is required to issue implementing regulations, but the AG’s deadline is six months after the effective date of the CCPA, and there is no guarantee the AG will even address the issue.
A Final Note
Finally, an important lesson from the months leading up to the GDPR’s effective date: Don’t Wait! Although the California legislature has not considered expected amendments to the CCPA, and the California AG has not even drafted implementing regulations, the CCPA’s core elements (privacy notices and consumer rights) most likely will not change. You should not underestimate the time you may need to spend gathering and organizing information from stakeholders in your organization.