July 01, 2019

Heightened Privacy Standards: California’s Privacy Law versus the EU’s GDPR

André B. Cotten

The European Union’s (“EU”) General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act of 2018 (“CCPA”) are both intended to ensure strong protection for people regarding their personal data, and both apply to businesses that collect, use or share consumer data. The GDPR became effective in May 2018 and is one of the most comprehensive data protection laws in the world to date. Absent a comprehensive United States privacy and data protection standard, the CCPA’s impact is also expected to be global, given that California is the fifth largest global economy. The CCPA will take effect Summer 2020. This article provides an overview of the California privacy law and highlights select distinctions from the European Union’s privacy law.

CCPA versus GDPR

To begin, the CCPA only applies to for-profit entities (“business”), and it also sets thresholds that determine businesses covered by the law. Conversely, the GDPR applies to a broader scope of entities including public bodies, institutions and nonprofits, and the GDPR did not create an exemption for small entities. The CCPA also protects “consumers” who are natural persons and California residents. In contrast, the GDPR protects “data subjects,” who are natural persons, without any residency or citizenship requirements.

The GDPR provides that the processing of personal data will only be lawful where one of the six grounds under Article 6 is fulfilled. The CCPA does not have a list of “positive” legal grounds required for collecting, selling or disclosing personal information. However, consumers may ask businesses not to sell their personal data. If a consumer opts out, the business will only be able to sell and/or disclose personal information if the consumer gives their explicit permission.

The CCPA contains four key requirements: data access and disclosure; data deletion; opt-out of data sale (opt-in for minors); and non-discrimination. Both the CCPA and the GDPR establish a right of access, which allows individuals to have full visibility of the data an organization holds about them. With regard to consumer access, the CCPA and the GDPR present some differences, such as the procedure covered entities should follow to comply with an individual’s request. In addition, the CCPA provides that whenever access is granted to consumers electronically, the information must be in a portable and, to the extent possible, readily useable format that allows the consumer to transmit the information to another entity.

Both the CCPA and the GDPR also include requirements to disclose certain information when collecting and processing certain personal information. The CCPA states that the following information must be provided to individuals: the categories of personal information to be collected; the purposes for which collected personal information is used; and, if the business sells personal information about the consumer to third parties, the rights of the consumer and the methods to exercise those rights, including a link to the “Do Not Sell My Personal Information” page.

Next, the CCPA requires a business to delete any personal information that it has collected from the consumer upon receipt of a verifiable consumer request. However, certain exceptions apply if the data is necessary to: complete a transaction or provide a service the consumer requested; engage in activities reasonably anticipated within the context of an ongoing business relationship with the consumer; protect against fraud or other illegal activity; comply with the law; engage in certain research; exercise free speech rights; or enable internal uses reasonably aligned with consumer expectations. Note that a business that collects personal information must disclose to consumers the right to request deletion of such information.

Moreover, consumers have the right, at any time, to direct a business not to sell their personal information to third parties. To inform consumers, a business must provide a clear and conspicuous link on its internet home page titled “Do Not Sell My Personal Information” that enables the consumer to opt out, and it must describe the opt-out right. Parents or guardians of minors aged 13-16 must affirmatively consent or opt in to the sale of their personal information. The CCPA defines “sale” or “sell” to mean processing “for monetary or other valuable consideration.”

A business may not discriminate against a consumer for exercising any rights under the CCPA, including, but not limited to, the following: denying goods or services to the consumer; providing a different level or quality of goods or services to the consumer; or charging different prices based on the consumer’s exercise of CCPA rights. However, a business can offer a different quality of service if the difference is reasonably related to the value provided by the consumer’s data. A business can also provide financial incentives to encourage users’ participation in the collection of personal information.

Key CCPA Exceptions

Most important to financial institutions, personal information collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act (“GLBA”), its implementing regulations, or the California Financial Information Privacy Act (“CFIPA”) is scoped out of the California privacy law’s application. There is also an exception under the Fair Credit Reporting Act (“FCRA”), which allows the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined in the FCRA, and the use of that information is limited by the FCRA. Despite these exceptions, the CCPA’s broad scope may still apply to certain personal information financial institutions collect, process, sell, or disclose about: employees, contractors, job applicants, individual California residents associated with business loans or accounts (such as guarantors and principals), individual California residents browsing a company’s website without seeking a product or service, and potentially other non-GLBA information.

Practical Compliance Considerations

To begin, financial institutions may want to conduct a data inventory assessment specific to California residents. Data mapping performed for GDPR requirements may provide a starting point; however, the CCPA contains a broader definition of “personal information”. Under GLBA, a “consumer” is an individual who obtains or has obtained a financial product or service from a financial institution primarily for personal, family, or household purposes. The CCPA defines a consumer as any natural person who is a California resident.

From a strategic perspective, financial institutions may want to consider whether to apply CCPA requirements nationwide, whether to de-identify data so that it is excluded from the CCPA, and whether to use data encryption to receive a safe harbor from civil liability in case of a data breach. Financial institutions will also want to create a “Do Not Sell” button on their websites. More generally, policies, procedures, and training material will need to be updated to reflect CCPA disclosure requirements.

André B. Cotten

Regulatory Counsel, Consumer Bankers Association

André B. Cotten, Regulatory Counsel, Consumer Bankers Association. He can be reached at acotten@consumerbankers.com and 202-552-6360.