The California Privacy Act: A Primer for European Businesses

Since the introduction of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), our experts have commented on European judgements, policy and legal developments and official guidance on the implementation of the GDPR. With the implementation of the California Consumer Privacy Act (CCPA) on 1st January 2020, we look across the pond at the key features of this Act as a regulatory model of data privacy rights in the tech industry.

Scope

Similar to the GDPR, the CCPA creates new data privacy rights for California resident consumers relating to the access to, deletion of, and sharing of personal information that is collected by businesses. Unlike the GDPR, the CCPA is focused on for-profit companies doing business in California that meet at least one of the following criteria:

  • Has over $25 million in annual gross revenue.
  • Has over 50,000 consumers’ personal information for commercial purposes.
  • Earns over 50% of annual revenue from the sale of consumers’ personal information.

The scope of the CCPA is therefore much narrower than that of GDPR, but European businesses marketing their goods and services in California will need to comply if they fulfil the above criteria.

Do Not Sell My Info

Since 1st January 2020, businesses subject to the CCPA must provide notice to consumers at or before data collection and create procedures to respond to requests from consumers to opt out, to know, and to delete their personal information. These notices have a different function and format to the cookie notices and privacy policies familiar to Europeans. For example, businesses must explicitly include a “Do Not Sell My Info” link on their websites. Web users may find this wording difficult to ignore and consequently exercise their right to opt out more effectively than their European counterparts exercise their right to deny consent.

Other Points to Note

  • The definition of “personal information” under the CCPA, whilst worded differently, is similar to the definition of “personal data” under the GDPR.
  • The definition of “resident” under the CCPA is much narrower than the GDPR’s “data subject”. CCPA applicability is determined by the geographical location of the data subject.
  • Under CCPA, the privacy notice and policy must be updated every 12 months.
  • The Right of Access under the CCPA is fairly similar to that under the GDPR. Before the implementation of CCPA, if a business is established in the EU and is processing the personal data of individuals in California, it was required to comply with the GDPR in relation to such individuals, even though they are outside the EEA. Post-implementation of the CCPA, if the same entity is to receive an access request from a California resident, it is not clear whether this should fall within the remit of the CCPA or the GDPR. Our experts will watch developments in this area closely.

My Business Isn’t Based In California: Should I Be Taking Action?

The CCPA and the GDPR are separate legal frameworks with different scopes, definitions, and requirements. Some European companies that do business in California will be subject to the new law and will have additional compliance work to complete before the enforcement period begins on July 1st 2020. On the bright side, companies that have already completed the GDPR compliance journey are in good standing and are expected to be aligned with the CCPA obligations.

Trilateral’s advisors can support you in meeting your compliance needs. For more information, please visit our Data Protection and Cyber-Risk Service page and do not hesitate to contact a member of our team.

Lauren Tuite, Data Protection Intern at Trilateral Research