The California Consumer Privacy Act (CCPA) is the most sweeping privacy law in the US, rivalling the EU’s General Data Protection Regulation (GDPR). Generally, it requires organisations that conduct business in California to observe rights of transparency, access, control and portability for California ‘consumers’, a term that carries a meaning similar to that of a data subject under the GDPR: a natural person. Since the enactment of the GDPR, companies have developed data maps, systems, teams and automated processes to comply with its wide-ranging requirements. With new, and sometimes divergent, data privacy and protection laws emerging around the world, companies are assessing the best strategies for holistic and uniform multijurisdictional compliance. As efforts to protect personal information increase, companies are likely to see new laws that differ from one jurisdiction to the next, which creates compliance issues for organisations conducting business in multiple jurisdictions.
The CCPA’s requirements necessitate action beyond the steps that affected businesses may have already taken for GDPR compliance, and the divergences between the two laws create compliance and operational challenges. This article discusses some of the most significant divergences between the GDPR and the CCPA, and provides an overview of how companies around the world are internalising and operationalising these compliance distinctions.
On 1 January 2020, the CCPA officially went into effect as the most extensive US state law governing consumer privacy. Much like the GDPR, the CCPA’s breadth is far-reaching: although it only affords rights to California residents, it applies to any for-profit organisation that conducts business in California and meets at least one of three thresholds: (i) annual gross revenues in excess of $25m; (ii) possession of the personal information of 50,000 or more consumers, households or devices; or (iii) more than half of its annual revenue derived from selling consumers’ personal information. Though the CCPA has various exemptions to avoid overlap with other US data privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the finance-focused Gramm-Leach-Bliley Act (GLBA), those exemptions are not absolute and apply only to the data covered by the other law, not to the business as a whole.
While the CCPA is similar to the GDPR on many levels, it is narrower in some important respects. For example, the CCPA does not specifically provide individuals the right to correct inaccurate personal data, to restrict processing or to object to processing, and its rights of access and deletion are somewhat more limited than the GDPR’s. However, the CCPA includes certain unique requirements for businesses: to verify the identity of the requester before disclosing information in response to a request, to provide detailed notice about the categories of personal information collected and the purposes for which it is used, to provide a mechanism through which consumers can opt out of the sale of their personal information, and to observe requirements for vendor (‘service provider’) management.
Request and identity verification
As a preliminary matter, businesses must decide whether to apply the most protective privacy regime uniformly throughout their operations or to observe only those rights provided within a particular jurisdiction. Although both the CCPA and the GDPR contemplate verifying an individual’s identity before responding to a request to exercise a right, verifying an individual’s residency is a further complication that the GDPR does not present. A uniform approach to compliance is becoming more favoured simply because it is easier to defend: no request has to be refused on the basis of a residency determination that might later be challenged. For example, Microsoft recently announced that it intends to honour the CCPA’s core rights for all of its customers in the United States, regardless of the state in which they reside. A business that instead honours requests only from individuals in the relevant jurisdiction, such as observing CCPA rights only for California residents, should at a minimum implement a robust process for verifying residency and deliver training to the personnel responsible for assessing and responding to such requests, so that refusals are consistent and documented.