This post is the second in a series recapping Logikcull’s recent webinar on the California Consumer Privacy Act, with Emily Yu, Privacy, Policy and Compliance Director at Roblox, Eric Goldman, Professor of Law at Santa Clara University School of Law, and Christian Auty, Counsel at Bryan Cave Leighton Paisner. Given the interest and urgency surrounding the CCPA—the law goes into effect in under four months—these transcripts highlight and recap key learnings from the presentation.
In the excerpt below, Christian Auty discusses how the CCPA compares to the world’s other major consumer privacy law, the GDPR. You can also read the first post in the series, offering a brief introduction to the CCPA, here.
Logikcull: Let's talk a little bit now about the CCPA versus another major privacy law, which is GDPR. I know some people have called the CCPA "America's GDPR." They have definitely some significant similarities, but also equally significant differences. Christian, these are two laws that are right in your wheelhouse. Why don't you walk us through how these two compare?
Christian Auty: Sure. Thanks very much, Casey. I think probably it makes sense to start with similarities. There are important similarities. There are important conceptual similarities, and I think it's clear and I think it's fair to say CCPA borrowed some pretty core concepts from GDPR.
Auty: The first among them is the concept of this business service provider relationship which mirrors, in some respects, the controller-processor relationship in GDPR. You can even see in the definition of business.
For example, you've got a discussion of determining the purposes and means of processing. In the definition of a service provider, you have the requirement of a written contract and certain terms within that contract, although those requirements are far more ambiguous and far less definitive than what you find in Article 28 of GDPR.
Auty: I think there's an overarching framework of how we designate entities and how we categorize them with respect to datasets. There's a similarity between GDPR and CCPA. CCPA also borrows concepts of data access and data deletion. There are these ideas which are not completely new to American law, but relatively new are the right to receive information about what a business has about you, the right to receive an actual copy of personal information, a right to deletion of that personal information under some circumstances. Those are all concepts that we saw in GDPR and that were, I think, well-received, at least by data subjects with respect to GDPR.
Auty: Another really important similarity, I think, is the very expansive definition of personal data. GDPR has, of course, a very expansive definition and CCPA borrowed that idea and went further, listing a lot more categories—olfactory smells, I think were mentioned earlier—and brought in the concept of a household and what that means, even expanding beyond the individual to the household with respect to the enumerated categories of personal information.
That's very similar to GDPR. It's not the same, but it's very similar.
Personal information is no longer what you see in your typical data breach statute, which is a name plus something else—a name plus a password, a name plus a social security number, a name plus a driver's license information. It is really anything that can be related back to an individual.
“GDPR has, of course, a very expansive definition and CCPA borrowed that idea and went further… expanding beyond the individual to the household.”
That's kind of a new idea, but it borrows heavily from the disclosure requirements under Articles 13 through 15 in GDPR and it's clear that they borrowed that concept. Those are sort of the core similarities. But among those core similarities, I think there are major differences between the laws.
Auty: The first major difference and I think the most important major difference right, now as we sit here four months until the effective date, is that the CCPA is not a finished product.
It doesn't hold together completely. It was not the product of a perfect, deliberative process, and as such, there are errors, there are omissions, there are ambiguities that are essentially unresolvable at this point.
That is unlike GDPR. GDPR, say what you will about GDPR, it is a fairly well put-together law. It was done after a significant amount of deliberation. It was based on previous legislation on the 95 Directive, etc.
The CCPA is a law that's going to change. I think it's fair to say is going to change somehow, and I think it probably should because there are a lot of mistakes.
Auty: The second difference is thresholds. The CCPA doesn't apply everywhere and it doesn't apply to everything. GDPR sort of does.
We've got what Eric outlined with respect to the three requirements to meet the definition of a business.
We've got a non-profit carveout, although that non-profit carveout has a little bit of ambiguity around what does it mean to be working for the benefit of shareholders or constituencies. Supposing that gets resolved, I think the clear intent was to carve out non-profits.
CCPA is not going to apply quite as broadly as GDPR, which, of course, does not have a non-profit carveout and does not have de minimis threshold limitations.
Auty: The third major difference and perhaps arguably the most important major difference is that the CCPA doesn't have the concept of a basis for processing. If you'll recall back to 2018 when maybe you were getting ready for GDPR, there was a lot of discussion—there still is a lot of discussion—around your basis for processing: Is it legitimate interest? Is it contract? Is it consent? Are we getting consent in the right way?
CCPA doesn't really have that concept. There's arguably a hint of or a suggestion of that concept around an exception to sale, which we can talk about. But because it doesn't have that concept and because it's not concerned with use, we have other interesting concepts like the concept of sale that get at that goal about how you should be using data and what your reason for using data is, but get at it in a different way.
"The third major difference and perhaps arguably the most important major difference is CCPA doesn't have the concept of a basis for processing."
Auty: The fourth major difference I think is the structure. There are statutory damages, both AG statutory damages, $2,500 for a violation and $7,500 for an intentional violation, and then statutory damages for a data breach. Those are in fixed dollar amounts.
GDPR, of course, utilizes percentages and utilizes percentages for the reason they wanted to be able to significantly penalize large entities with a fine that would be meaningful to them. I think that's another major difference.
Some other minor differences that are out there? The first is the data breach. The CCPA’s data breach provisions really incorporate the old concept of name plus something else in California. There isn't this in GDPR, where if you lose access to data or you get hacked, and you just lose names and emails, that actually counts as a data breach. Not so with CCPA. They're still incorporating the old definition of what personal information is with respect to the breach.
Auty: There's this new concept of a sale and sale opt-out, which we're going to talk about a little bit later on, but it's a newish concept for the CCPA.
The absence of consent or the concept of consent means that there's less scrutiny on cookies, for example. The CNIL, the French regulator, and the U.K.'s ICO have both come out with cookie guidance in the space of the last couple of months. That cookie guidance relies heavily on consent and imposes not necessarily new, but significant obligations on controllers. The absence of that consent means there's a little bit less scrutiny on cookies in CCPA, even though cookies certainly are personal information in CCPA. But you've got to watch out for sales in relation to cookies. In particular, I think cookie banners may start making an appearance in the U.S. in reaction to that possibility, at least behavioral advertising cookies might end up being sales, but we can certainly talk about that later.
The last one I'll mention is there isn't a data inventory requirement under CCPA like there is under GDPR under Article 30. But as we'll talk about in the compliance portion of this, data inventory, while not required, may still be a good idea if you want to do this right and you want to make sure that you've got all your data flows nailed down. With that, I will toss it back to Casey.
Logikcull: Great! Thank you so much, Christian, and thank you for walking us through the complexities of both of these rules. I think it's fair to say that you cannot just copy and paste your GDPR compliance program and expect it to work for the CCPA.
Subscribe to the blog to stay on top of the latest legal, technology, and discovery news—including upcoming posts on building out a CCPA compliance program and more.