The European General Data Protection Regulation has entered into force on the May 25th 2018. At the same time, the state of California adopted the California Consumer Privacy Act of 2018 (“the Act”) on June 29th2018 . This Act will become effective on January 1, 2020 and aims to enforce the “inalienable” right of privacy recognized by the California Constitution.
The initiative of this data protection bill was first led by a real state developer who gathered 625 000 signatures to propose a strict regulation on companies processing large amounts of personal data. The California Constitution provides the possibility for citizens to initiate the adoption of bills through referendum.
The California Consumer Privacy Act of 2018 grants new rights to California residents and requires companies to disclose the type of information they collect as well as the purpose for which it is used. The influence of the GDPR can be underlined but the provisions of the California Consumer Privacy Act are different in several aspects.
What are the provisions of the California Consumer Privacy Act? Which comparison can be made with the European GDPR? Mathias Avocats presents the main issues of this Act.
What information is covered by the Act?
The Act aims to protect the confidentiality of personal information of California residents. The notion of personal information is defined in the Act as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. The wording of this definition is broader than the one proposed in the GDPR. The definition in the Act includes information that concerns not only individuals, but also households.
The Act provides a non-exhaustive list of examples of personal information covered by the provisions such as “commercial information”, “identifiers” which includes “online identifier Internet Protocol address”, “biometric information” or “geolocation data”. However, the Act does not apply to information lawfully made available from federal, state, or local government records and that is used for a purpose compatible with the one for which such data is maintained.
What is the scope of application?
The provisions of the Act apply to California “consumers” who are defined as “natural person who is a Californian resident”. Consequently, entities covered by the Act that serve California residents must comply with the Act, even if those companies are not physically implemented in the state. This provision presents similarities with the GDPR which extends its scope to the processing activities by a controller or a processor who are not implemented in the European Union but whose data subjects are European citizens.
If we focus on the United States, most companies have Californian customers. As it is difficult to offer distinct web services to each state, it is likely that many company processing data of Californian residents will need to comply with the Act and update their privacy policies in order to do so. Furthermore, any other entities in the world collecting Californian resident’s personal data will also be subject to the Act’s provisions.
More specifically, the Act is aimed at for-profit companies that collect and control Californian consumers’ personal data as well as their affiliates. Companies will have to comply with the regulation if they meet one of the following criteria:
- gross revenues in excess of $25 million;
- receive or share the personal information of 50, 000 or more Californian residents, households or devices on an annual basis;
- 50 percent or more of their annual revenues from selling consumers’ personal information.
As a result, not-profit organizations and companies that do not fill one of the criteria named above are not concerned by this regulation.
What are the citizens rights protected by the Act?
The Act intends to give Californian consumers an effective way to protect their personal information, by ensuring the following rights:
- The right to know what personal information is being collected about them.
- The right to know whether their personal information is sold or disclosed and to whom. As a result, the Act recognizes the right of Californian consumers to ask a business that sells personal information to disclose further information such as:
- the categories of personal information that the business collected,
- the categories of personal information that the business sold about the consumer
- the categories of third parties to whom the personal information was sold
- the categories of personal information that the business disclosed about the consumer for a business purpose.
- The right to refuse the sale of personal information.
- The right to access their personal information.
- The right to equal service and price, even if they exercise their privacy rights.
Moreover, Californian residents must be informed of the above rights via companies’ privacy policies which should disclose:
- The categories of personal information the business has collected about consumers.
- The categories of sources from which the personal information is collected.
- The purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The specific personal information the business has collected about that consumer. It has to be underlined that the nature of the specific information is not defined by the Act.
Similarities can be observed with Article 13 of the GDPR on the “information to be provided where personal data are collected from the data subject”. However, the scope of rights provided in the European regulation is broader: right to be forgotten, right to rectification, right to data portability, right to not be subjected to a decision based solely on automated processing, etc.
In addition, while companies sell consumer information to third parties, the Act requires them to disclose these practices and gives consumer the possibility to “opt out” of the sale by ticking a box “Do not sell my personal information” on the companies’ web site home page. It must be underlined that companies shall not require a consumer to create an account in order to direct the business not to sell their personal information.
The Californian regulation provides straight rules when the personal information that are sold concern consumers younger than 16 years old. Indeed, minors between 13 and 16 years old must give their affirmative consent following the practice of “opt in”. The GDPR had previously reinforce the use of the “opt in” rule regarding commercial prospection which requires a free, specific, informed and unambiguous consent of the data subject.
The consumers’ right to request information on the company’s collect of personal information is also specified. Entities must provide at least two methods for consumers to submit request for disclosure such as a telephone number and a web site address. In addition, companies are required to disclose and deliver the information to the consumer within a period of 45 days following the reception of the request.
In order to allow its consumers to exercise those rights, companies will have to take several measures regarding their privacy policies such as listing the data collected from individuals according to their nature and purpose and determining procedures to monitor and answer the requested information within a short period of time.
Which are the sanctions in the event of non-compliance?
In the event of non-compliance with the provisions of the Act, companies will be liable for a civil penalty of $7,500 per intentional violation. This amount is reduced to $2,500 per unintended violation if the company fails to cure the violation within 30 days of notice. Although the notion of penalty “per violation” will need to be clarified in practice, the intended financial penalties are drastically less onerous than the administrative fines provided in the GDPR.
The Act also provides a right of action to any consumer whose personal information “is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information”. The victims may receive damages between $100 and $750 “per incident”, a notion which will also need to be precised.
Which are the main differences with the GDPR?
The California Act provides straightforward rules for companies to comply with and reinforces the rights of consumers regarding the collect and disclosure of their personal data. However, the provisions of the Act suffer from their comparison with the European regulation. One of the main differences between the two regulations regards the right to equal access to service and the notion of consent.
On the one hand, the Act guarantees California consumers the right to “equal service and price, even if they exercise their privacy rights”. This provision forbids companies from using discriminatory practices such as denying goods or services to the consumer, charging different prices for goods and services or providing consumers that have previously exercised their rights under the Act with different levels of quality.
On the other hand, the Act authorizes companies to charge a different price, or provide a different level of service, whether a consumer has exercised one of the rights recognized by the Act. Indeed, companies could charge consumers in different ways if that difference of price “is reasonably related to the value provided to the consumer by the consumer’s data”.
Moreover, a business may offer financial incentives for the collection of personal information, the sale of personal information, or the deletion of personal information. This provision highlights the importance given by the Californian’s legislature to the collection of data and its business impacts. However, it will be necessary to specify the circumstances under which the lack of consent to the collection of data may have consequences on the value of goods and services.
The notion of « opt-in » consent used in the Californian Act is different to the consent required by the GDPR and is business oriented.
As the recent decision of the French control authority against Google has shown, companies must ensure that individual gives their free, specific, informed and unambiguous consent to data collection and processing. The consent given by consumers while they are facing higher pricing cannot be considered as free in such circumstances. Moreover, contrary to the GDPR, the Californian Act does not require from companies processing or collecting personal information to have a legal basis, consent being one of these legal basis in the GDPR.
Companies subject to both regulations will have to find solutions to comply with the requirements of the Act and the GDPR. The Act is expected to be specified before its entry into force on January 1st, 2020, which allows companies to elaborate compliance strategies in time.