The recently-passed California Privacy Rights Act (CPRA) augments and supplements California’s existing privacy law, the California Consumer Privacy Act (CCPA). We are sure many practitioners are wondering how it stacks up with the European Union’s General Data Protection Regulation (GDPR). See below for Part I of our two part series comparing the CPRA and the GDPR (and see Part II here).
HOW DOES THE CPRA CHANGE THE CCPA?
The CPRA makes several significant changes to the CCPA:
- It introduces the concept of “sensitive personal data”;
- It introduces new obligations on businesses, and GDPR-style “principles”;
- It introduces new rights for consumers; and
- It creates a new supervisory authority for data protection and privacy in California — the California Privacy Protection Agency.
These changes are very significant – but do they represent a move closer to GDPR, or a move away?
The application, or scope, of the GDPR is extremely broad. It applies to any “controller” or “processor” that (a) processes personal data in the context of an establishment in the European Union (EU); (b) offers goods and services to data subjects in the EU; or (c) monitors the behavior of data subjects in the EU. Its “extraterritorial applicability” has been widely publicized: it can apply to organizations outside the borders of the EU if they meet any of the above criteria.
It applies to any organization who meets these criteria, with no “de minimis” exemptions. This means it can apply to (for example) schools, universities, charities, sole traders, and SMEs.
In addition, the GDPR regulates the processing of data belonging to “data subjects” insofar as those data subjects are in the EU or their data is processed in the EU. It defines “data subjects” simply as “an identified or identifiable natural person”.
The scope of the CCPA, by contrast, is considerably narrower – and the CRPA revises its definition of business so that it only applies to larger businesses. The CCPA applied to for-profit “businesses” who either (a) have gross revenue greater than $25 million; (b) buy, sell or share personal information on over 50,000 consumers or households or devices; or (c) derive 50% or more of their revenue from selling the personal information of consumers. The CPRA adjusts the second definition to define “businesses” as those that buy, sell or share personal information on more than 100,000 consumers or households in contrast to the prior 50,000 threshold. While the CCPA/CPRA only applies to consumers in California, unlike the much broader definition of “data subjects” under the GDPR, it is difficult for online businesses to know when a consumer is in California.
So, in contrast to the GDPR, the CCPA/CPRA is defined in a way that it should only apply to more established businesses or businesses who trade consumer personal information. One of the major criticisms of the GDPR in the EU has been that it places an impractical administrative burden on small businesses, charities and sole traders and potentially stifles economic activity.
Step closer to the GDPR? NO
SENSITIVE PERSONAL DATA
The GDPR defines personal data as “any information relating to an identified or identifiable natural person”. It also identifies certain “special categories of personal data” which merit extra protection. These categories include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning a person’s sex life or sexual orientation.
While the CCPA did not separate any special categories of personal data, the CPRA designates certain information as “sensitive personal data”, and provides consumers with a number of rights in respect of such data. It defines sensitive personal data as: social security, driver’s license, state ID card, or passport number; financial information and log-in information; geolocation data; racial or ethnic origin or religious or philosophical beliefs; trade union membership; mail, email and text messages (where the business in question is not the intended recipient); genetic and biometric data; health data; and data concerning a consumer’s sex life or sexual orientation.
The CPRA’s “sensitive personal data” categories are wider than the GDPR’s special categories of personal data. The GDPR does not, for example, identify geolocation data, financial information or mail, email and text messages as “special category” personal data. This change certainly represents a step closer to, and perhaps even beyond, the GDPR but the CPRA’s mandates as to sensitive personal data are limited to where the information is being used for the purpose of inferring characteristics about a consumer.
Step closer to the GDPR? YES
NEW CONSUMER RIGHTS
In broad terms, the GDPR provides data subjects with eight rights in respect of their personal data:
- The right to be informed;
- The right of subject access;
- The right to rectification;
- The right to be forgotten;
- The right to restriction of processing;
- The right to data portability;
- The right to object; and
- The right not to be subject to a decision based solely on automated processing.
The CCPA provides consumers with some rights broadly equivalent to those contained in the GDPR, albeit with different exemptions and parameters. It does not include the right to rectification, the right to restrict processing, the right to reject automatic decision making or the right to object to processing. The CPRA, in effect, introduces all the other GDPR-style rights. They are not identical; and in particular, the CPRA only opens the possibility that the right not to be subject to automated processing could be introduced by the new California Privacy Protection Agency by way of a regulation. Nonetheless, the introduction of more consumer rights looks like a move closer to the GDPR.
Step closer to GDPR? YES