CCPA vs GDPR | Cookie compliance | California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) will become effective on January 1st, 2020 and it may affect how a website is allowed to handle personal information of citizens of California. It is similar to the European privacy law, the General Data Protection Regulation (GDPR), which together with the ePrivacy Regulation (ePR) regulate cookie usage, cookie banners and cookie notices. In this article we will take a closer look at the CCPA vs GDPR.

Create your free CookieFirst-account and make sure if your cookie usage, cookie declarations texts and third-party tracking procedures comply with the CCPA guidelines.

What Washington D.C. is to the United States Federal Government is California to the world’s technology industry. The capital of Silicon Valley is fortified on the southernmost shores of San Francisco Bay, but its reach is global, the extent of its tremendous forces recently fathomed by governments and citizens.

California is the physical border of America, where the continent overflows into the Pacific. With the passing of the California Consumer Privacy Act (CCPA) on January 1, 2020, it is also the border of data protection law in the USA.

In this article, we will try to understand the substance of the CCPA, its implications for businesses and consumers, a comparison with the European privacy law (CCPA vs GDPR) and its possible future.

CCPA vs GDPR | What is the CCPA and why is CookieFirst interested in it?

The CCPA or California Consumer Privacy Act is the data protection law that will come into force in the State of California on January 1, 2020. It is the strongest and most restrictive privacy law passed in the United States to date, but its practical future is still somewhat uncertain. The level of enforcement is such that the California Attorney General must determine by July 2020 at the latest.

Meanwhile, California State Legislature has a continuing tug-of-war between big business and privacy activists that is pulling California’s privacy bill in both directions, with proposed changes to either narrow it or expand it. The deadline for changes to the CCPA was September 13, 2019. At Digital Data Solutions, founder of CookieFirst, we are following the developments of the law, its implementation and practical implementation very closely as it is our area of expertise: online privacy.

This means knowing where and how CCPA and cookies converge.Once the CCPA becomes effective on 1 January 2020, CookieFirst will enable compliance with the CCPA and the GDPR and ePrivacy Regulations.

But – the CCPA requires that companies provide records of personal information collected about a consumer in the 12 months prior to the consumer’s request to access that information. This means that the information collected today can be requested for disclosure by a consumer on 1 January 2020, so a company should now start preparing for the CCPA.

CCPA and Cookies
CookieFirst is a tool that helps website owners comply with the current European law on GDPR and the upcoming ePrivacy Regulation expected in 2019 or 2020. Although the GDPR is rooted in the EU, it has a global impact in the sense that any website, no matter where in the world it is operated from, must be GDPR compliant with visitors from the European Union.

So if you run a website from California, you must still be GDPR compliant as soon as you have visitors from the EU. Check whether the use of cookies and tracking on your website complies with the GDPR and ePrivacy guidelines.

Read more about the CCPA and Cookie Consent

CCPA vs GDPR | Cookie compliance | CookieFirst makes your website compliant with the CCPA, GDPR and ePR

Register with CookieFirst for a full cookie scan, a compliant cookie banner and an automated cookie declaration.

 

Because the CCPA is still being pulled back and forth between the technology industry and the California State Legislative Privacy Commissioners, this article does not give any definitive answers as to how the CCPA will be implemented or how its implementation will look in practice. Instead, we provide as broad an overview as possible of this moment of reckoning with technology in California and the steps taken to resolve some of the major privacy and democracy issues that have emerged in recent years.

Let’s dive briefly into the California Consumer Privacy Act –

CCPA vs GDPR | The origin of the CCPA

In stark contrast to the top-down centralized manner in which the European General Data Protection Regulation (GDPR) was enacted, the California Consumer Privacy Act began as a bottom-up initiative by various data protection activists. Among the activists were a millionaire real estate developer, a former CIA analyst, an industry manager, and an award-winning Pulitzer journalist who worked on the Snowden leaks for the Washington Post.

The group called itself “Californians for Consumer Privacy,” and was led by San Francisco real estate developer Alastair Mactaggart. He designed a consumer protection voting initiative to fill the legal gap.

“Tell me what you know about me. Stop selling it. Keep it safe.”, Alastair Mactaggart summarized the proposal. With the revelations of the Facebook/Cambridge Analytica scandal, the Californian election initiative suddenly got a strong wind in its back.

An election initiative is a way for California society to pass bottom-up laws by drafting a bill and securing enough signatures (eight percent of those who voted in the last governor’s election) to make the proposal part of the November parliamentary election in that particular state. Voters must then vote yes or no on the same day as they vote for the President or Congress.

In the case of the CCPA, Mactaggart spent $3 million of his own money to collect more than 600,000 signatures for the proposal (which was a stronger and harder version than the one that would eventually become the CCPA), securing a place in the November 2018 general election.

CCPA – the right to require disclosure

The CCPA grants the consumer “the right to require a company that collects a consumer’s personal data to disclose to that consumer the categories and specific personal data that the company has collected” (1798.100.a).

Definition of “personal data” according to the CCPA
Personal data are defined in the CCPA as ‘information which may identify, refer to, describe or be associated with a particular consumer or household or which may be directly or indirectly linked to that consumer or household’.

CCPA and Cookies
Personal information contains according to the CCPA:

  • Identifiers such as cookies, beacons, pixel tags, phone numbers, IP addresses, account names, etc
  • Biometric data such as face, retina, fingerprints, DNA, voice recordings, health data, etc
  • Geolocalization data such as the location history of devices
  • Internet activities such as browser history
  • Plus data on personal characteristics, behavior, religious or political beliefs, sexual preferences and so on.

A consumer has the right to access and obtain a copy of personal data collected by a company in the last 12 months.

The CCPA states that consumers have the right to request the disclosure of

  • the categories and specific personal data collected
  • the categories of sources from which the information is collected
  • the purpose of the collection or sale of personal data
  • the categories of third parties to whom the company discloses personal data

Compliance of the CCPA with the “Right of Disclosure
The disclosure request must be verifiable before the entity is required to provide the information (1798.100.c). If verifiable, a company must take immediate action to disclose the personal data and make it available to the consumer free of charge (1798.100.d).

The company must provide two or more procedures for submitting applications (1798.130.a.1) and disclose the necessary information free of charge within 45 days of receipt of the verifiable application (1798.130.a.2).

To be CCPA compliant, a company must also update its privacy statement and include the following:

  • A description of the rights (to disclosure and deletion) and how to exercise them correctly.
  • List of categories of personal information that the Company collects, sells and discloses. This list must be updated every 12 months.
  • A toll-free phone number and website for exercising this right.

Remember: you must also be GDPR compliant once you have visitors from the EU.

CCPA – the right to request cancellation

The CCPA grants the consumer “the right to request a company to delete all personal data of the consumer that the company has collected from the consumer” (1798.105.a).

It states that “a company that collects personal data must disclose the rights of the consumer to request the deletion of the consumer’s personal data” (1798.105.b).

A company must make it clear to consumers that they have the right to request the deletion of their data. It must describe this right – and how it can be exercised.

Cookie Consent Manager | Take a 2 week free trial

Take a 2 week free trial for our paid plans or create a free account …

Create an accountView our plans

CCPA – the right to opt-out

The CCPA gives the consumer the right to ask a company not to sell his personal data to third parties (1798.120.). If such a request is received, the company is prohibited from selling its personal data.

“Opting out” just means that a consumer is able to choose whether to instruct a company to stop selling his or hers personal data to third parties. The only exception would be the transfer, sale or disclosure of personal information to certain federal authorities and California health services.

CCPA compliance with the right to opt-out
A company must provide a unique link on its website entitled “Do not sell my personal data” (1798.135.a.1). This link must not require the consumer to open an account in order to instruct the company not to sell his data. If the consumer is under the age of 16, the opt-out must be made before the request, i.e. a company can only sell its personal data if it has been previously approved by parents or guardians.

The CCPA prohibits discrimination against consumers on the basis of their decision to exercise their rights. This means that if a consumer decides not to sell his data to third parties or if he requests the deletion of his data, a company is not entitled, for example, to charge different prices for services, offer different levels or qualities of services or refuse to provide services to consumers (1798.125.a).

However, the CCPA also authorises companies to offer financial incentives, e.g. different prices and service quality, for the collection, sale or deletion of personal data (1798.125.a.1.b).

CCPA vs GDPR | Ambiguous part in the CCPA

One of the main areas of ambiguity in the California Consumer Privacy Act concerns the definition of data, in particular the two categories “individual data” and “household data”.

Personal data – individual data vs. household data?
Critics have expressed concerns that the CCPA is not really clear as to whether the distinction in the Act between “household data” and “individual data” might allow anyone in a so-called “household” to request and receive another individual’s personal information.

This may seem harmless at first sight. But the effects of this inconsistency could potentially mean that everyone, from the college roommate to the divorced partner, would suddenly be able to request personal information about the members of their registered “household”.

Both the technology industry and privacy activists have expressed their concern and called on state legislation to revise this issue.

PAID PRIVACY – financial incentives for personal data
Another unclear area of the CCPA is what critics have described as the loopholes in financial incentives that could potentially create a “pay for privacy” model in California.

The CCPA empowers companies to provide financial incentives to consumers to compensate for the collection, sale or deletion of personal data. This means that a company may offer the customer a different price, tariff, level or quality of goods or services “if that price or difference is directly related to the value offered by the consumer’s data”.

In principle, a financial incentive is intended to encourage certain behaviours or actions, in this case for businesses, to motivate Californian citizens to have their personal data used. But it could also mean that companies could offer consumers tiered pricing depending on whether they opt out or delete their data.

Are your an agency, webdesigner or another reseller?

Earn 30% commission, take a look at our reseller model or contact us for numbers larger than 500 clients

Calculate your revenue

CCPA vs GDPR

So how does the California Consumer Privacy Act stand in relation to its European counterpart, the General data protection regulation that came into force in May 2018?

CCPA vs GDPR | As a reminder: What is the GDPR?
The General Data Protection Regulation (GDPR) is a European law with worldwide jurisdiction, in the sense that it protects the personal and user data of all European citizens, regardless of where in the world the website or company handling EU user data is located.

Read the official texts here: CCPA vs GDPR

The core of the GDPR is that websites and companies must obtain the clear and unambiguous consent of their users before processing personal data, after having specified all types of cookies and other tracking technologies that are present on their pages. It also requires that they document each user’s consent securely and confidentially.

The scope of GDPR is large and deals with data of all kinds (i.e. not only with personal data), how companies and organizations must ensure transparency and document the consent of users.

CookieFirst enables you to make your website to be GDPR compliant. Here you can create an account.

Agreement against request: the most important differences concerning CCPA vs GDPR

The clearest and most consistent distinction between European and Californian law is made at the time of approval.

The GDPR grants the user the right to consent, i.e. his data may only be used if the user has given his consent to it. This consent can be given in different ways, but the crucial point is that after the GDPR the previous consent is legally prescribed.

Now, in the CCPA nothing of the same is indicated. A company does not need prior consent to the processing of personal data, nor does a website need to obtain the consent of the user to sell its data to third parties.

What the CCPA does is to give the consumer the right to request either disclosure or deletion from a company to cease selling his information. But this is done on the condition that both the collection and the sale take place.

If the GDPR creates a lockable door for the consumer, the CCPA creates a window that the consumer can open to know which of his personal data has already been obtained from a company.

The GDPR is a prevention, while the CCPA is a means of transparency and subsequent deletion (of data collected in the last 12 months).

What the future might hold for the CCPA

Although adopted shortly after the summer of 2018, the CCPA will not enter into force until 1 January 2020. The reality is that a lot could have happened by then.

The following scenarios show a number of possible futures for the CCPA. The CCPA could be changed or even weakened before becoming effective. The enforcement of the CCPA could be extended or limited. And as a third option there is also the real possibility that the CCPA will be getting repealed by a Federal Data Protection Act.