The California Consumer Privacy Act (CCPA), which is considered to be the most comprehensive but definitely not the first privacy law in the U.S., takes effect on January 1, 2020. Appropriately referred to as the mini-GDPR, it borrows a lot from GDPR (how else could it have been drafted in a week?), giving Californians more control over their own data and laying out very similar rights regarding data management.
But the fact that it isn’t an exact copy may be telling. There are several important areas for Market Research where CCPA differs from GDPR and, in most cases, this is a good thing. Unfortunately, good things usually don’t last long, and significant changes have already been drafted into a new 2020 ballot initiative co-authored by the person who got CCPA started in the first place: the California Privacy Rights and Enforcement Act (CPREA). For now, though, we’ll deal with the existing law.
The Definition of Personal Information
The CCPA definition of PI is arguably narrower than GDPR’s because it contains a “reasonableness” requirement in its definition of personal information (added as a last-minute amendment): “Personal information” is anything that identifies, relates to, describes, or is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
However, the CCPA’s definition of PI is broader than GDPR’s because it applies to data that could reasonably be associated with a household or device. Defining a “household’s” data is straightforward (a phone number, street address or IP address), but further guidance is desperately needed. For example, how do you ensure that all members of a household agree on a data access request? Evidently the above-mentioned CPREA will offer clarity.
Changing Consent: Opt-in vs Opt-out
Unlike the GDPR, which effectively requires a lawful basis in order to collect personal data, California’s new law is effectively “opt-out” because it does not require explicit consent (opt-in) to collect data and it doesn’t have any defined legal grounds for processing. (The CPREA ballot initiative mentioned above would shift CCPA to opt-in.)
Relaxing Research Sponsor Identification
GDPR has had significant and unintended consequences for the market research industry, specifically by requiring the full identification of a research sponsor (namely, the brand commissioning the research study). As the industry knows, upfront sponsor acknowledgment can create response biases. By comparison, CCPA compliance only requires category identification.
Comparing Data Subject Rights
CCPA and GDPR share many of the same consumer rights, but the lists are not identical. Exceptions and remedies for compliance vary, and some overlap. Here are the rights the two laws most have in common:
- The Right to be Informed: CCPA and GDPR are fairly similar in the need to disclose to data subjects who will use their data and how, but the GDPR requires more detail and (as noted above) identification of the controller.
- The Right to Opt-Out: under CCPA, data subjects can opt out only of the sale of their data; GDPR addresses this by requiring all processing to terminate upon request, but also gives data subjects more control with added rights to restrict and object to processing.
- The Right to Access: requests to know whether data is being collected and what information has been collected are limited under CCPA to the data collected in the past 12 months.
- The Right to Erasure: GDPR applies this right under specific grounds while CCPA simply requires deletion upon request.
- The Right to Non-Discrimination: both laws protect the data subject from discriminatory practices when a data subject exercises any of their rights but GDPR’s protection is more provisional.
- The Right to Data Portability: very similar in that data controllers must allow for the transfer of data in a readily usable format.
If you are interested in learning about CCPA or GDPR in greater detail, there are many resources on the web, but here are some good places to start: https://oag.ca.gov/privacy/ccpa and https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/.