By: Chris Mermigas – Senior Corporate Counsel, USA Region
The EU’s General Data Protection Regulation (“GDPR”) began enforcement on May 25, 2018, and has caused waves throughout the globe. Establishing rights and protections for the personal data of citizens of the EU, the GDPR applies to anyone who handles or possesses personal data of EU citizens or otherwise monitors their behavior, regardless of where the business or the personal data is located. As a response to GDPR, similar data protection laws are being issued in the United States, beginning with the California Consumer Protection Act of 2018 (“CCPA”), which will go into effect January 1, 2020. Numerous elements that are found in the GDPR appear in the CCPA. For instance, the GDPR protects personal information of EU residents, while the CCPA protects the personal information of California residents. However, there are some significant differences that require special attention.
First, the GDPR requires consumers to consent to data collection and use of their personal information. In comparison, the CCPA mirrors the existing laws enforced in California, including the TCPA, that requires data controllers to offer consumers the right to opt-out of data collection. The opt-out is commonly seen as a check box on a form submission page. This allows data controllers to collect personal information without consumer consent although they must provide consumers an opportunity to request to delete their personal information.
Second, the CCPA expanded the definition of the term “data” found in the GDPR to include hidden information embedded in the data, or “metadata”. In the CCPA, data controllers are required to provide notice to consumers as to the categories of personal information that will be collected and the purpose for which it shall be used, as well as agreeing not to collect any other categories of personal information without notice. Categories of personal information include personal information provided voluntarily by the consumer, but also includes hidden website visitor information such as IP address and geographic location. Thus websites cannot collect visitor’s hidden personal information. This is an exceptionally tech-forward view and an emphasis that data doesn’t just exist in forms and “contact us” pages, but is exchanged constantly, even without consumer’s knowledge.
Third, the CCPA reduced the GDPR’s data subject’s rights and centralized their focus to the commercialization of personal information. One reduction is, that under the GDPR, the data controller must state the purpose for which the personal information will be used. This right is eliminated under the CCPA. In another instance, the CCPA only requires the data controller to establish “a clear and conspicuous link on the” business’ website stating “Do Not Sell My Personal Information.” Additionally, the GDPR’s right to be forgotten is not present in the CCPA. Meaning, once a business publishes or sells a California resident’s personal information, the resident has no right to ask that it be forgotten, deleted or returned to the data controller. However, the customer can prevent future sales of their personal information, but cannot undue the sale that has already occurred. It is clear that the focus of the CCPA is preventing unwanted commercialization of personal information in order to protect consumers.
Fourth, enforcement under the CCPA is conducted by the California Attorney General, a parallel enforcement agency to the GDPR’s supervisory authority. This doesn’t prevent private civil suits, but gives the Attorney General preference on taking over or initiating a lawsuit. These lawsuits can result in statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. This means that the minimum penalty is $100 per consumer per incident, but on a large data file could mean exponential damages, and that doesn’t include the legal costs to defend the lawsuit. However, there is a safe haven for business from statutory damages. If a business cures the violation within 30 days of notification, statutory damages cannot be awarded. This does not prevent actual damages, which is why it’s important that businesses fulfill their duty to mitigate damages and have an effective data policy in place to rectify violations.
California, historically innovative in the legal realm, is just the first state to pass a parallel GDPR data protection law. Numerous other states and the US Congress are discussing parallel GDPR data protection laws. It is only a matter of time before other states and countries enact parallel GDPR data protection laws. Only one choice remains, join the data protection revolution and avoid paying for non-compliance.
For more information on the GDPR, please visit our previous GDPR article published here.