In our webinar on January 17, 2019 with Perkins Coie LLP’s partner and Co-Chair of the Ad Tech Privacy & Data Management Practice, Dominique Shelton Leipzig, hosted by the IAPP (International Association of Privacy Professionals), she, along with OneTrust’s Director of Privacy and Privacy Counsel discussed the overlap and differences between The California Privacy Act (CCPA) and The General Data Protection Regulation (GDPR). We compiled the questions from webinar attendees, and the panelists provided their answers.
Q: Are companies automating DSAR processing?
A: Companies are trying to automate the overall consumer request process to the extent possible. The CCPA requires that a “Do not Sell My Personal Information” link be placed on the company’s web homepage for consumers to easily exercise their right to opt out of the sale of their personal information. When it comes to consumer rights and requests, the Act also gives other examples of “Designated methods for submitting requests”, which include a mailing address, email address, Internet Web page, Internet Web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request.
Q: Can we use legitimate interest for marketing activities under the GDPR?
A: GDPR states that legitimate interest can be used as the legal basis for direct marketing activities. However, some forms of marketing activities, such as the sending of direct marketing via electronic communications (e.g. e-mail, telephone marketing) are governed by ePrivacy rules and require prior consent of the person, unless an exception applies. If the marketing activity is in the scope of ePrivacy, consent is required, and legitimate interest cannot be used as the legal basis. Companies should make sure to identify which legal basis they are relying on for each of their marketing-related processing activities.
Q: What is the likelihood that California will amend the CCPA to clarify that it does not apply to information a business has on its own employees?
A: This request was made by the California Chamber of Commerce before SB 1121, and it was not incorporated. It is unclear whether the legislature will be willing to clarify that employee data is not covered. The problem is that the law is very broad, and the legislation is popular. The best opportunity for clarification may be the AG public hearing process going on now through Feb. 13.
Q: Are a company’s employees considered “consumers” under the CCPA?
A: Technically, yes. The definition of consumers captures employees as consumer in CCPA is defined as any natural person who is a California resident. The term resident is defined in the California tax code and includes (1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents. Under this definition, an individual may be a resident although not domiciled in this State, and, conversely, may be domiciled in this State without being a resident.
Q: How does the CCPA define ‘selling’ information?
A: The definition of selling in the CCPA is contained in CCPA 1798.140 (t). It is very broad and does not necessarily involve a payment. “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. However, there are a few exceptions to what constitutes a sale or selling (e.g. if the businesses transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy or other transaction provided the third party does not materially alter how it uses or shares the personal information). Note also that CCPA specifically excludes from its scope of application collecting and sharing of some categories of personal information (e.g. sale of information to or from consumer reporting agencies; publicly available personal information, which is defined as information that is lawfully made available from federal, state, or local government records.)
Q: Have you seen any examples of what constitutes as “valuable consideration” under the CCPA?
A: There is an excellent article on the IAPP website on valuable consideration. The proponents and community groups take the position that any exchange for potential financial benefit is “valuable consideration.”
Q: CCPA does not apply to nonprofit organizations, are any efforts underway to change this?
A: This is technically correct, but it would be good to plan for substantial compliance based upon litigation risks in California.
Q: You mentioned public comment and the lack of verticals represented. Do you see issues particularly relevant to businesses that deal with COPPA?
A: Yes. It would be very good for companies to be involved in either the public comments. At perkinscoie.com/adtech there is also a link to submit comments anonymously.
Q: Is biometric data / facial recognition covered under the CCPA?
A: Yes, facial recognition is covered in the definition of biometric data in California 1798.140.
Both biometric and facial recognition data are covered under the CCPA. The Act includes a definition of biometric information under 1798.140 (b) and biometric information is listed as an example of personal information (1798.140 (o) (1) (E)).
Under GDPR, biometric data are considered special categories of personal data and their processing is prohibited unless an exception applies (e.g. if the person has given explicit consent).
Q: How much amendment of the CCPA should we expect ahead of Jan. 2020?
A: Not much. The law is extremely popular in California. If any additional amendments are passed, they will likely rectify some existing inconsistencies but unlikely to change the Act substantially.
Q: Can a data subject designate a third-party to submit a DASR request on their behalf?
A: Yes. The AG’s office will be promulgating guidelines on how to verify. A verifiable consumer request means a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General to be the consumer about whom the business has collected personal information. The GDPR does not explicitly address this.
Q: What are the GLBA and HIPAA exemptions under the CCPA?
A: The CCPA does not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106102), and implementing regulations. However, such personal information is still covered by section 1798.150 of the CCPA which gives a right of action to consumers whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.
The CCPA does not apply to (i) protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 1115), (ii) covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information
Q: I didn’t see that the requirement for portability is to provide the personal data to another company (e.g. like GDPR) but the requirement is to give it to the individual in a format so that the INDIVIDUAL can transfer it to another company. – Can you elaborate on your POV?
A: Correct. The business must disclose and deliver the personal information free of charge to the consumer. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance.
Q: The legislation mentions 3 criteria for the CCPA (+25M revenue, 50% from selling personal info, deals with information from +50K of Cal consumers). Do businesses need to meet all 3?
A: No. The CCPA applies to businesses, which are defined as:
- for-profit organizations that collect personal information about residents in California,
- determine the purpose and means of the processing,
- does business in the State of California, AND
- that meets one or more of (i) annual gross revenues in excess of twenty-five million dollars ($25,000,000), (ii) alone or in combination, annually buys, receives, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices, or (iii) derives fifty percent or more of its annual revenues from selling consumers’ personal information (1798.140 (c)).
Q: Are CCPA’s response timings as tight as with GDPR?
A: No. The general rule to respond to requests under CCPA is 45 days. Businesses must honor requests (meaning disclosing and delivering the required information) within 45 days of receipt of a verifiable consumer request. It is possible to extend the timeline for 45 days, if reasonably necessary and the business notifies the consumer of the extension. Another provision of CCPA (section 1798.145 (g)(1)) even states that the time period a business has to respond to a verified consumer request may be extended by up to 90 additional days, where necessary and taking into account the complexity and number of requests. The business must notify the consumer within 45 days of receipt of the request as well.
Q: If a company does not ever sell information, does the CCPA still require the “do not sell” button?
A: No. The requirement to provide a clear and conspicuous link on the business’s internet homepage titled “Do Not Sell My Personal Information” only applies to businesses that sell personal information about consumers to third parties.
Q: What does deletion mean? How can we “delete” data that we must keep in some form (anonymized) for audit requirements?
A: Deleting means removing from all your systems (including back-ups). The CCPA includes nine exceptions to the right of deletion, notably, a business or service provider is not required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to comply with a legal obligation. The GDPR has a similar exception for the right to erasure.
Additionally, please note that if data are truly anonymized, they no longer qualify as personal information under CCPA or personal data under GDPR and are therefore not in the scope of a deletion or erasure request. In the EU particularly, it will be extremely hard (almost impossible) to prove that data were anonymized. Pseudonymization is considered a security control.
For more information on the CCPA, check out: