By Winnie Lok, Solicitor

20 February 2020 

By now you would have familiarised yourself with the EU’s General Data Protection Regulation (“GDPR”) and taken steps to ensure that your business complies with the GDPR. If you would like to do some catch up reading, read one of our explanatory articles about it here.

Now it is time to get to know the California Consumer Privacy Act (“CCPA”), a new privacy law which recently came into effect that creates new consumer privacy rights for California residents in relation to their access to, deletion of, and sharing of their personal information. Similar to the GDPR, this new law will require businesses worldwide to once again reevaluate their privacy policy and data collection policies and procedures to ensure that it is compliant.

What is the CCPA? Is it just related to the data of Californians?

While the GDPR applies across all of the EU and is far more draconian in content and reach, the CCPA is California-specific and a little more business-friendly. However, given California’s economic impact and centrality to much US trade, the CCPA will still have its flow-on effects and impact the global privacy situation, and it still requires businesses with American contacts to take notice.

The CCPA was enacted in June 2018 and took effect on 1 January 2020. The CCPA grants Californian consumers new rights in relation to their personal information. Under the CCPA, ‘personal information’ includes any data that “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household”. The CCPA does not apply to any personal information that is deidentified, aggregated consumer information or publicly available information – i.e. information lawfully made available from federal, state or local government records.

Californian consumers’ new rights under the CCPA can be divided into five categories:

1. Right to know – at or before the point of collection, consumers must be made aware of what categories of personal information will be collected and how this information will be used by the collecting business.
2. Right to access – a consumer has the right to request that a business disclose the specific personal information collected and held about the consumer, purposes which their personal information has been used for and who their personal information has been shared with or sold to.
3. Right to delete – a consumer has the right to request that a business delete any personal information collected from them.
4. Right to opt-out / right to opt-in – a consumer has the right to instruct a business that sells personal information to third parties to not sell the consumer’s personal information. If a consumer is a minor (aged between 13 to 16), a business cannot sell their personal information unless they opt-in to the sale of data. A parent or guardian must provide this consent if a consumer is under age 13.
5. Right to equal service and price – businesses are prohibited from discriminating against consumers who exercise any of their CCPA rights. This means that a business cannot deny goods or services, charge a different price for goods or services, provide a different level of quality of goods and services or suggest doing any of this just because a consumer has exercised their rights under the CCPA, such as to not have their data sold for instance.

Many of the above rights mirror the Australian legal situation and are consistent with the GDPR.

Who does the CCPA affect?

Similar to the GDPR, the CCPA is extra-territorial which means that it applies to all for-profit businesses that serve Californian residents regardless of whether or not the business is actually located in California. Australian businesses that collect personal information from Californian residents must therefore comply with the CCPA, but only if one or more of the following applies to their business:

• The business has at least USD$25 million in gross annual revenues; or
• Buys, receives, or sells the personal information of 50,000 or more consumers or households, including personal information collected directly through devices (e.g. geolocation, Internet browsing history, cookies etc.); or
• Derives 50% or more of annual revenues from selling consumers’ personal information.

If a business is found in breach of the CCPA and does not rectify the breach within 30 days of being notified of their non-compliance, they may face civil penalties that can range from USD$2,500 to USD$7,500 per record. In addition, businesses are also subject to a private right of action for any breaches of the CCPA against a consumer with penalties ranging from USD$100 to USD$750 per consumer per incident or actual damages, whichever is the greater amount.

The important thing to consider here is just how divisible your CRM and/or customer databases are.  While you or your clients may well have made considerable structural changes to account for EU resident data when the GDPR was launched, are you ready to do the same (if the CCPA thresholds apply to your business) and you possess the personal information of Californian residents? Secondly, it would not be a stretch to assume that the California legal position will be assessed by the market, and then the same or very similar legislation rolled out across the other States in the USA. It may be the case that, all of the above being considered, adjusting your privacy practices and procedures to be compliant with both the GDPR and the CCPA is the appropriate future-proofing direction to take.

How is the CCPA different from the GDPR?

Given that the CCPA and GDPR were both introduced to provide individuals with protection in relation to their personal information and govern the way businesses collect, use and share consumer data, there are many overlaps between the two regulatory frameworks. In saying this, there are many key points of difference.

In some instances, the GDPR’s application is wider than the CCPA’s. For example, the CCPA protects the rights of consumers who reside in California whereas the GDPR protects data subjects. This means that the GDPR’s application can extend to EU citizens who reside outside of the EU or non-EU citizens who reside in the EU where the business has an establishment in the EU. In addition, while the CCPA only applies to for-profit businesses of a particular size, the GDPR obligations apply to all entities regardless of whether or not they are a for-profit entity or the size of the business.

Conversely, there are areas where the CCPA goes further than the GDPR, especially when it comes to the rights granted to its consumers. The right to opt-out under the CCPA is absolute and businesses must include a “Do Not Sell My Personal Information” link on their website homepage. The GDPR does not require this specific wording and their right to opt-out equivalent is not absolute. This means that if the data controller can prove that there are compelling legitimate grounds to continue processing the personal information, then they may reject the data subject’s request to opt out. Furthermore, the GDPR does not explicitly include a right not be subject to discrimination for exercise of rights, like the CCPA provides.

What do Australian businesses need to do now?

Based on the above, businesses cannot assume that just because they are compliant with the GDPR, this also means that they satisfy CCPA requirements. Australian businesses will need to consider whether the CCPA applies to them – i.e. whether they serve any consumers who reside in California and whether they fall under any of the three criteria listed above in the article. If you believe that you or your clients satisfy these requirements, you should contact us immediately to discuss steps you may need to take to adjust your practices and procedures to comply with the CCPA. This may involve updating privacy policies and website homepages and ensuring that there is a plan in place if a Californian consumer exercises any of their rights granted under the CCPA.