CCPA & GDPR: Two Nations Divided by a Common Language
With six months to go before the California Consumer Privacy Act CCPA goes live in California, it seems we are progressively moving towards common ground when it comes to international privacy law…or are we…?
Technology has done wonders to democratise commerce. For the most part, goods and services can be bought and sold across borders with the click of a button. Yes, there is still a lot to do to truly facilitate global free trade but it seems we are moving in the right direction. Whilst innovation and entrepreneurship can move at lightning speed, legislation and regulation are always playing catch-up. A good case in point is international privacy law. Wouldn’t it be great if there were a single international standard for privacy adopted across the globe…
Are we moving a step closer to a unified approach with CCPA?
As I wrote in my book, The Ultimate GDPR Practitioner Guide: Demystifying Privacy & Data Protection, the EU and the US have a very different approach to privacy. Historically, I surmise this has a lot to do with how privacy incursion has affected the lives of people in Europe. The impact of using citizen’s personal data to commit continental-scale atrocities is etched deep. Whilst younger citizens may not fully appreciate why it’s important to protect personal data, memorials such as Auschwitz-Birkenau serve hopefully to pass the message on from generation to generation that we should always be vigilant about how personal data can be leveraged to monstrous effect.
Whilst many in the US have been directly affected by the Holocaust, privacy is not engrained in the national psyche in the same way it is in Europe. Personal data is more often than not seen as a commodity, something that can be leveraged for commercial gain rather than something intrinsic to each citizen. Some in the US however are waking up to the realisation that the trade-off for a free app in exchange for their personal data isn’t such a fair trade, and if use of that data is not regulated it could even threaten the Republic (I’ve been told off too many times for calling the US a democracy!).
The genesis of CCPA – The Californian Consumer Privacy Act
Imagine a world where there are algorithms that can determine your sexuality based on your passport picture. Now consider a government who determine homosexuality to be illegal and in some cases punishable by death (full list here). Imagine those governments using the personal data of its citizens to carry out a mass purge of those people an algorithm has predicted may be gay. Notwithstanding I vehemently disagree with such a policy or criminalising someone on the basis of their sexuality, If such an algorithm was effective to say 99% accuracy, that could introduce an error of 1 wrongly identified person in every 100. Say this occurred in Saudi Arabia that could lead to the potential of 65,000 ‘innocent‘ people put to death.
Imagine a world where you could be tracked by where you have been. That you carried a device with you constantly reporting your position. Imagine that organisations could be alerted to those who entered a particular building through geofencing, places such as an abortion clinic. Imagine that these organisations could then specifically target people inside those buildings with targetted material, in order to influence their choices through biased information.
Imagine a world where your political views can be combined with your postal or zip code. Imagine a political candidate’s campaign team using this personal data to ask for specific donation amounts based on an algorithm’s determination of your disposable income maximising the donations from each donor. Imagine political candidates being able to determine if a person is racist or sexist and then use that information to target specific material to those people to influence their voting decisions.
Imagine a world where even when you have sex there is a public record of each and every encounter because you have chosen to wear a small accelerometer during the event and that is linked to an online public profile available for all to see…who knows, maybe you want everyone to know how many calories you burned during that intensive 3 minute birthday workout.
The thing is, we don’t need to imagine a world where this technology exists because we live in that world. We don’t need to imagine that technology being used in those scenarios. In the first example, this is something that theoretically could be done without regulation, but in the rest, they have already happened – on multiple occasions across the United States, and across the rest of the world too.
Enter CCPA creator Alastair Mactaggart
Whilst Member States of the European Union have been working on this for decades, in the US it seems the old modicum of:
“If you want something done right, you need to go out and do it yourself”
was the only way to get this done. From a fairly random source, that of a Real Estate guy called Alastair Mactaggart, a proposal for what is now the CCPA was born. He was concerned about the privacy issues raised above and rather than moan about it on the Internet [like a lot of people], he decided to do something about it. You can watch him describe the journey he took from concept to a signed law at IAPP Privacy. Security. Risk. 2018.
CCPA: Good Privacy is Good Business!
One of his key takeaways at IAPP Privacy. Security. Risk. 2018 is Good Privacy is Good business. Now, this is something I strongly agree with. The question for me though is does CCPA make for good privacy?
Does CCPA make for good privacy?
When we compare CCPA to GDPR, for example, there are some notable differences in terms of scope, content and rules. From what I can surmise is that there are some good things about CCPA but it just feels like a significantly watered down piece of legislation that is not going to make too much difference to how organisations – especially the big guys – operate.
“New Rights for Californians. Better definition of Personal Information”
CCPA Section 1798.140(o)(1)(A-K) is a very granular definition of personal information compared to the GDPR Art 4(1) definition of Personal Data. CCPA gives examples such as “real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.” but also goes on to explicitly state a number of other items such as “Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies” and “Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.” and “Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” GDPR is not so clear. Could CCPA set a precedent where there is ambiguity over what does and doesn’t constitute personal data? I’m not sure but if people are in doubt, it may serve as a good reference point.
Californian’s will now get new rights which mirror some of those in GDPR. Californians will now get a right to a right of disclosure (i.e. They can now make a Data Subject Access Request or DSAR); a right to Deletion (similar to the GDPR right to be forgotten), a right to data portability and opt-out right concerning the sale of their personal information to a third party. Californian businesses are also prohibited by the CCPA from discriminating against customers who choose to exercise their CCPA rights.
“Few People Covered, Very Few Organisations Covered”
The scope of CCPA is pretty limited and there are many exemptions. It’s is also a consumer-focused legislation, and whilst it does seem to attempt to expand the definition of consumers to include anyone who is a resident of California, I am sceptical about how this would actually work in practice. GDPR, on the other hand, provides all EU citizens with universal rights. Don’t get me wrong, this is one piece of legislation amongst a host of other US laws which do overlap but those benefiting from these improved rights is still pretty limited. In terms of which organisations are covered, again this is limited to three categories:
- Has annual gross revenues in excess of $25 million;
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
In reality, this is going to take a significant volume of organisations out of the scope of CCPA. In comparison, to GDPR which applies to [pretty much] all organisations processing data, no matter how large or small. When you look at CCPA through this lens, it’s scope becomes very narrow indeed.
When you then look at enforcement, the situation becomes pretty dismal. What is maximum fine that can be imposed should a violation occur? US$7,500. For a company with gross revenue of US$25million+ that is chump change. Compare this to GDPR which links financial penalty to revenue in percentage terms (2% and 4% of gross annual worldwide turnover) and we are now world’s apart in terms of the teeth behind the black letter law.
“Lack of funding for enforcement. CCPA may even be unconstitutional.”
So, those covered are limited, those organisations in scope are also pretty limited and the fines are far too low to act as any real deterrent. What about enforcement? This is where it gets to the ugly stage. The resources at the Californian Attorney General’s disposal to support the legislation are diabolically underfunded. Back in February the AG had to put forward amendments to the CCPA to remove a specific clause which allowed any affected business to seek an opinion from the AG on how to comply with CCPA. I’m surprised lawmakers didn’t anticipate the impact of such a clause in the original draft! The amendment now gives the AG the latitude to publish general guidance…if it so chooses
Even if it were enforced, it’s likely any affected organisations would be able to easily challenge the constitutionality of the act itself. If CCPA was considered in light of Sorrel v IMS Health 2011 there could be 1st Amendment (Religion and Expression) issues as CCPA appears with its scope restrictions to restrict big organisations such as Facebook and Google whilst letting a lot of smaller organisations off the hook.
There is then the US Dormant Commerce Clause (think EU competition law) which prohibits states from creating laws which are discriminatory or burdensome on companies in other US States (and abroad). There will be organisations outside of California that are affected by this law which if found to be in breach could seek to challenge the constitutionality of CCPA. It is assessed, in the laws current state, a challenge would be successful. Any amendments to the act would likely just water down consumer protection further.
GDPR all the way…
“Here lies CCPA, Rest in Peace”
CCPA, whilst well-intentioned, is a bit of a mess. CCPA will more than likely face further amendments before the implementation date next January and then there will be a similar wait-and-see period as we have seen under GDPR until someone falls foul of the legislation and enforcement action is concluded…if CCPA stays in its current form, it’s likely to be challenged on its constitutionality pretty quickly and I’m afraid that will then be CCPA’s death knell. It would be great if the US could move to adopt a similar approach to the European Union and enact a federal GDPR-esque law that gives US citizens similar protections to those enjoyed by EU citizens. US citizens may appreciate such rights but then again maybe not…we are after all similar but different.
About the Author:
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy, which in addition to offering GDPR advisory services, provides vCISO and Data Protection as a Service. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both 8×10 paperback and Kindle eBook
About Fox Red Risk:
Fox Red Risk is a boutique data protection and cybersecurity consultancy which, amongst other things, helps client organisations with data protection and information security risk management. Call us on 020 8242 6047 contact us via the website to discuss your needs.
22301 22301:2019 27001:2013 accountability article 25 awareness bcms breach change management ciso controller cybersecurity data breach data privacy Data Protection data protection officer data protection service Data Subject Access Request DPIA DPO DSAR encryption GDPR incident management information security leadership management Privacy processor resilience risk risk appetite risk management ROI security security as a service small business strategic strategy Subject Access Request tools transparency vciso virtual ciso vulnerability scanning