Now that we have compared the scope and individual rights that the EU’s General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA — which is likely to be on the November 2020 California ballot and represents Version 2.0 of the CCPA) provide, lets jump straight into the obligations that each one of the three cumulatively requires of organization that collect and process personal data.
These obligations promote accountability and governance for businesses (CCPA/CPRA) or controllers (GDPR) and are legally required to be compliant with the respective laws, i.e. they are “must do” requirements vs. “nice-to-do recommendations/guidance.
Executive Summary of the Business Obligations Required by GDPR, CCPA and CPRA
Let’s just cut to the chase and give an executive summary in table form. There are eleven obligations of note that span the three privacy and data protection laws. (ironically there were also eleven individual rights!) Details to follow below on each.
Just like individual rights, the CPRA could get California very close to EU law because of the additions of requirements around data protection by design as well as the requirements to maintain records and perform data protection impact analysis.
All three require that a business disclose to consumers the categories and specific pieces of personal data that the business is collecting. In the case of the CPRA, which has the concept of sensitive personal information, that too needs to be disclosed in terms of categories. All three also requires a business must also disclose the consumer’s rights, e.g. the consumer’s rights to request the deletion of their personal information. Finally, in the case of the CPRA, businesses must also tell consumer not only what personal information is sold and shared, but they must disclose to consumers to whom. CCPA just requires this for information that is sold. [Side note: the CRPA defines “sharing” as transferring/disclosing/etc. personal information to a third party for cross-context behavioral advertising (think “retargeting” of digital ads based on your internet behavior and activity) — whether you do so for monetary value or not.]
#2 Data Protection by Design and Default
The GDPR requires controllers implement data protection by design and by default. e.g. “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimization, in an effective manner.” Furthermore, “the controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”
The CCPA has not such requirements, with the exception that a business must identify what data is personal in the design of their systems and apps so they can properly notify customers and support their consumer rights to delete etc.
The CPRA take things further in that it requires a business to not collect additional categories of personal information (PI) and/or sensitive personal information (SPI) that are “incompatible with the disclosed purpose for which the personal information was collected, without providing the consumer with notice.” In addition, a business shall not collect this data “for longer than is reasonably necessary for that disclosed purpose” (i.e. principle of storage limitation) and a “business’s collection … of a consumer’s personal Information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed” (i.e. data or purpose minimization, aka principle of proportionality).
#3 Written Contracts with Processors / Service Providers / Contractors / Third Parties
All three require. The GDPR states that the “processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”
The definition of service provider (equivalent of GDPR’s processor) in the CCPA implies that a contract is in place.
The CPRA takes things further than the CCPA and also requires contracts with not only service providers, but also contractors and third parties that use or process the business’ personal information it has collected. These contracts must include that the PI used, sold or shared is only for a limited and specified purpose and those entities must also comply with the CPRA’s obligations re: the protection of PI and the rights of consumers over their PI. Furthermore, both service providers and contractors must assist businesses in complying with the CCPA, e.g. verified consumer deletion requests. But “a service provider or contractor shall not be required to comply with a deletion request submitted by the consumer directly to the service provider or contractor.” This avoids the scenario of Amazon AWS getting a request directly from a consumer and having to search each and everyone of its customers data that it hosts.
#4 Maintain Records of Processing Activities
The GDPR does require that each controller “maintain a record of processing activities under its responsibility.” The CCPA does not require this. The CPRA does via the Privacy Protection Agency that will create regulations “specifying record keeping requirements for businesses to ensure compliance with this title.”
#5 Respond to Rights Requests
Yes, for all three. The GDPR states that “The controller shall facilitate the exercise of data subject rights … and shall not refuse to act on the request of the data subject for exercising his or her rights … unless the controller demonstrates that it is not in a position to identify the data subject.” Furthermore, “the controller shall provide information on action taken on a request … to the data subject without undue delay and in any event within one month of receipt of the request.”
The CCPA and CPRA must respond a “verifiable consumer request” and must “disclose and deliver the required information to a consumer free of charge within 45 days” and can extend the 45 days once. This information must be provided “free of charge to the consumer” but “shall not be required to provide personal information to a consumer more than twice in a 12-month period.”
#6 New Homepage Links Required (e.g. do not sell/share personal information, limit use of sensitive personal information)
GDPR does not have this obligation to add links to home pages. The CCPA does for “do not sell”, while CPRA requires for “do not sell/share” and “limit use of sensitive personal information.” Both the CCPA and CRPA do not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.” The CPRA adds the capability for a business to support on their web page and mobile application an “opt-out preference signal” that automatically indicates the consumer’s intent to opt-out and/or limit usage. The technical specifications of this “opt-out signal preference” will be defined via regulations created by the Privacy Protection Agency.
#7 Implement Appropriate Security Measures
Yes for GDPR: “The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk” including “pseudonymisation and encryption of personal data” as well “ensure the ongoing confidentiality, integrity availability and resilience of processing systems and services.”
The CCPA does not have this as a direct obligation, although per the private right of action section it states that “any consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.” Furthermore, existing California law states that “a business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
Like the GDPR, the CPRA explicitly states that businesses must do so: “a business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.” In addition, the Privacy Protection Agency will issue regulations “requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to … perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent.”
#8 Security Breach Notification
With the GDPR, controllers must notify both the supervisory authority and impacted data subjects within 72 hours. There is a carve out with the supervisory authority where “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” The carve out with data subjects is if the data were encrypted and not readable.
In the case of the CCPA and CPRA, both don’t have a breach notification section, but California has an existing (and separate) data breach notification law.
#9 Data Protection Impact Analysis
Yes for GDPR, no for CCPA and yes for CPRA. In the case of the GDPR: “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” In the case of the CPRA the Privacy Protection Agency will issue regulations “requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to: (A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent” … and (B) “submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal Information.”
#10 Data Protection Officers
Yes for GDPR and no for both CCPA and CPRA. For the GDPR, controllers and processors must appoint a Data Protection Officer in specific instances including when their core activities include monitoring of data subjects on a large scale. The DPO should have a certain amount of independence and be the main point of contact with the supervisory authority.
#11 Adhere to the Rules of Cross-Border Data Transfers
Yes for GDPR and no for both CCPA and CPRA. For the GDPR, transfers of personal data outside the EU are restricted with the following exceptions: (1) OK to transfer to countries or territories deemed “adequate” by the European Commission in terms of the protection of personal data (note the US or states such as California do not have an “adequacy decision”; (2) where there is an EU-approved transfer agreement and/or mechanism (e.g. the EU-US Privacy Shield and/or binding corporate rules between a controller and a processor); or (3) there an exception to specific personal data such as explicit consent.
Next blog post: comparing enforcement!