{"id":101,"date":"2018-08-15T15:16:18","date_gmt":"2018-08-15T19:16:18","guid":{"rendered":"https:\/\/pbacyber.com\/?p=101"},"modified":"2019-04-12T11:00:23","modified_gmt":"2019-04-12T15:00:23","slug":"so-it-begins-california-adopts-legislation-that-reminds-many-of-the-gdpr","status":"publish","type":"post","link":"https:\/\/pbacyber.com\/index.php\/2018\/08\/15\/so-it-begins-california-adopts-legislation-that-reminds-many-of-the-gdpr\/","title":{"rendered":"So, it begins: California adopts legislation that reminds many of the GDPR"},"content":{"rendered":"<p>Jordan Fischer<span style=\"display: inline !important; float: none; background-color: transparent; color: #333333; cursor: text; font-family: Georgia,'Times New Roman','Bitstream Charter',Times,serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px;\">,<\/span> <a href=\"https:\/\/xpanlawgroup.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">XPAN Law Group<\/a><\/p>\n<p>&nbsp;<\/p>\n<p>A common question that we receive at our firm is: will the U.S. adopt legislation similar to the GDPR? And, if yes, what will that look at? Well, let us look into our \u201cmagic-8\u201d ball &#8230; And, no surprise, it looks like privacy is moving (slowly) across the pond to the US \u2014 and the most recent example is the adoption of the <a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/billTextClient.xhtml?bill_id=201720180AB375\" target=\"_blank\" rel=\"noopener noreferrer\">California Consumer Privacy Act of 2018<\/a> (CCPA).<\/p>\n<p>&nbsp;<\/p>\n<p>While the CCPA is grabbing headlines, one does not need promethean sight to predict that privacy protections are gaining traction at the state level. Many states have already started to address privacy issues, each with unique nuances. Check out our recent \u201c<a href=\"https:\/\/xpanlawgroup.com\/privacy-is-the-new-black\/\" target=\"_blank\" rel=\"noopener noreferrer\">Privacy is the New Black<\/a>\u201d post for a more detailed discussion on these changes.<\/p>\n<p>&nbsp;<\/p>\n<p>The reason the CCPA has received so much attention is because it is the first domestic legislation that looks *somewhat* like the European Union\u2019s <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016R0679&amp;from=EN\" target=\"_blank\" rel=\"noopener noreferrer\">General Data Protection Regulation<\/a> (\u201cGDPR\u201d). If you have been under a rock, the GDPR caused (and continues to cause) panic regarding how companies are collecting, processing, and using personal data. It has brought privacy to the forefront for many entities who, up until now, have had free reign to do with data as they see fit.<\/p>\n<p>&nbsp;<\/p>\n<p>For many US based companies, the GDPR seems scary but once-removed so as not to cause true change. We hear all the time: \u201cbut how can the EU come after me in the United States?\u201d For those companies who kept minimizing the impact of the GDPR, the CCPA brings many of the issues directly home in the United States.<\/p>\n<p>&nbsp;<\/p>\n<p>And, the CCPA does track, in some key ways, the rights and the goals of the GDPR. Similar to the GDPR, the CCPA derives from a right to privacy, recognized by the <a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/codes_displayText.xhtml?lawCode=CONS&amp;division=&amp;title=&amp;part=&amp;chapter=&amp;article=I\" target=\"_blank\" rel=\"noopener noreferrer\">California Constitution, Article 1, Section 1<\/a>. Further, the CCPA parallels the GDPR to focus on \u201cgiving consumers an effective way to control their personal information, thereby affording better protection for their own privacy and autonomy.\u201d See Sec. 2(i).<\/p>\n<p>&nbsp;<\/p>\n<p>However, while the origin and intent behind both pieces of legislation are similar, the CCPA is more narrowly focused, and does not go as far the GDPR in providing the transparency in data processing and giving the data subject\/consumer control over her data.<\/p>\n<p>&nbsp;<\/p>\n<p>The CCPA provides the following rights:<\/p>\n<ul>\n<li><strong>Right to request<\/strong> that a business that collects personal information about the consumer disclose to the consumer the categories of personal information it has collected about that consumer (1798.100 &amp; 1798.110);<\/li>\n<li><strong>Right to request<\/strong> that a business that sells the consumer\u2019s personal information, or that discloses it for a business purpose, disclose to that consumer the categories of personal information that the business sold\/disclosed about the consumer and the identity of the third parties to whom such personal information was sold\/disclosed (1798.115);<\/li>\n<li><strong>Right to opt-out<\/strong> of a business\u2019s sale of personal information about the consumer (1798.120);<\/li>\n<li><strong>Right to equal service and price<\/strong>, so that a business is prohibited from discriminating against a consumer because of that consumer\u2019s exercise of her rights under the CCPA (1798.125); and<\/li>\n<li><strong>Right to deletion<\/strong>\u00a0of any personal information about the consumer which the business has collected from the consumer (1798.105).<\/li>\n<\/ul>\n<p>These rights outlined by the CCPA align with the GDPR\u2019s right of access by the data subject (Article 15), the right to erasure (Article 17); and loosely, the right to restriction of processing (Article 18) and the right to object (Article 21). However, there are a number of rights under the GDPR that are missing, including: (1) the right to rectification (Article 16); (3) the right to data portability (Article 20); and (3) the right to object to automated processing (Article 22).\u00a0 Further, the CCPA provides for nine (9) exceptions to the right to deletion (1798.105(d)).<\/p>\n<p>&nbsp;<\/p>\n<p>Additionally, the CCPA appears to places a very short timeframe on those rights it does provide: the rights to request certain information are limited to \u201cthe preceding 12 months\u201d of when the request is made (1798.130(a)(3)(B); 1798.130(a)(4)(B-C); 1798.130(a)(5)(B-C)). The GDPR places no such limitation on <em>when<\/em> the data was collected \u2014 it applies to <em>all<\/em> data collected. As such, as drafted, the CCPA could only scratch the surface of data collected by businesses.<\/p>\n<p>&nbsp;<\/p>\n<p>Speaking of businesses, the CCPA applies to any for-profit business<\/p>\n<blockquote><p>\u201cthat collects consumers\u2019 personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers\u2019 personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:<\/p>\n<p>(A)\u00a0Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.<\/p>\n<p>(B)\u00a0Alone or in combination, annually buys, receives for the business\u2019 commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.<\/p>\n<p>(C)\u00a0Derives 50 percent or more of its annual revenues from selling consumers\u2019 personal information.\u201d<\/p><\/blockquote>\n<div>(1798.140(c)(1)).<\/div>\n<div><\/div>\n<p>Combining the definition of \u201cbusinesses\u201d with the CCPA\u2019s definition of consumer (i.e., \u201cnatural person who is a California resident\u201d (1798.140(g)), the CCPA carves out smaller businesses as an exception to its requirements. This type of exemption is not found in the GDPR, further differentiating these two regulations.\u00a0 However, the definition of a business, as either an entity that collects data or on whose behalf data is collected does align with the definition of a \u201ccontroller\u201d under the GDPR (Article 4(7)).<\/p>\n<p>&nbsp;<\/p>\n<p>If you are familiar with the California Breach Notification requirements (<a href=\"http:\/\/leginfo.legislature.ca.gov\/faces\/codes_displaySection.xhtml?lawCode=CIV&amp;sectionNum=1798.29\" target=\"_blank\" rel=\"noopener noreferrer\">California Civil Code s. 1798.29(a)<\/a> [agency] and <a href=\"http:\/\/leginfo.legislature.ca.gov\/faces\/codes_displaySection.xhtml?lawCode=CIV&amp;sectionNum=1798.82\" target=\"_blank\" rel=\"noopener noreferrer\">California Civ. Code s. 1798.82(a)<\/a> [person or business]), the granular details outlined in the CCPA will come as no surprise. The CCPA includes detailed requirements for websites, notifications to consumers, and the way information is displayed (e.g., 1798.135). For example, businesses are required to \u201c[m]ake available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains a website, a website address\u201d (1798.130(a)(1)).<\/p>\n<p>&nbsp;<\/p>\n<p>In some instances, the CCPA is more detailed in its express requirements than the GDPR, laying out the exact information to be supplied and how to provide that information. The GDPR, while intensive in its many requirements, leaves a lot of discretion to the individual company to determine <em>how<\/em> to comply. And, even though the CCPA is the first of its kind in the United States that is beginning to incorporate GDPR-type requirements, it by no means is as extensive or invasive as the GDPR. Another wrinkle is that the CCPA is still up for <a href=\"https:\/\/theintercept.com\/2018\/06\/26\/google-and-facebook-are-quietly-fighting-californias-privacy-rights-initiative-emails-reveal\/\" target=\"_blank\" rel=\"noopener noreferrer\">debate<\/a>: many California-based companies are weighing in, and changes to the law may still be seen. However, what is clear is that the GDPR has started a trend toward data privacy that is here to stay \u2014 it is just the exact form it will take as the trend takes hold across the US is still to be seen.<\/p>\n<p>&nbsp;<\/p>\n<p>___________________________<\/p>\n<p><em>Jordan is a co-founder and managing partner of XPAN Law Group, LLC, a Women-Owned boutique law firm. She focuses her practice on international data privacy and cybersecurity and cross-border data management, with a special emphasis in European Union data privacy regulations and the General Data Protection Regulation (GDPR).<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Jordan Fischer, XPAN Law Group &nbsp; A common question that we receive at our firm is: will the U.S. adopt legislation similar to the GDPR? And, if yes, what will that look at? Well, let us look into our \u201cmagic-8\u201d ball &#8230; And, no surprise, it looks like privacy is moving (slowly) across the pond <br \/><a class=\"read-more-button\" href=\"https:\/\/pbacyber.com\/index.php\/2018\/08\/15\/so-it-begins-california-adopts-legislation-that-reminds-many-of-the-gdpr\/\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,4,16],"tags":[],"_links":{"self":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/101"}],"collection":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/comments?post=101"}],"version-history":[{"count":7,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/101\/revisions"}],"predecessor-version":[{"id":267,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/101\/revisions\/267"}],"wp:attachment":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/media?parent=101"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/categories?post=101"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/tags?post=101"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}