Introduction
In the global economy during this digital era personal data has grown to increase in value, also requiring due protection (Heward-Mills & Turku, 2020). A realisation of the increased business opportunities that present themselves in the use of personal data has gained quantum momentum, this simultaneously making privacy and data protection more vulnerable to misuse (Schünemann & Windwehr, 2020). Another impetus for growing data protection is that privacy is “one of the fundamental elements of democracy in the digital age” (Heward-Mills & Turku, 2020, p. 321).
The European and USA Definitions of Data Protection
Comparing data protection regulation in the world, Europe is the forerunner (Schünemann & Windwehr, 2020). Data protection in the European Union (EU) is (along with privacy) protected also in the EU Charter of Fundamental Rights. The European Data Protection Supervisor (edps)[1] defines data protection as it relating to
“protecting any information relating to an identified or identifiable natural (living) person, including names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other information such as IP addresses and communications content – related to or provided by end-users of communication services – are also considered personal data.”[2]
The above definition and other provisions of the GDPR indicate the primary focus of the GDPR to be the protection of the rights of data subjects (being the identified or identifiable natural persons) through various means including granting control over the collection and processing of their personal data (Abiteboul & Stoyanovich, 2019).
In Article 4(1) of the GDPR, personal data is defined as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identify of that natural person”.
Data protection at federal level in the United States of America remains fragmented – controlled by a multitude of agencies – however, with the Federal Trade Commission (FTC) being an important agent, in this respect (Williams, 2021). As at January 2021, the FTC considers personal data to constitute
“information that is linked or reasonably linkable to a specific individual, which could include IP addresses and device identifiers.”[3]
The concept of personal data (in the context of data protection) at federal level in the USA, is narrow, compared to that in Europe.
This paper seeks to dive deeper into data protection regulation in the State of California, as the current regulation is perceived to be “the strictest consumer data protection law in the country” (Tashea, 2019, p. 34), providing an interesting comparison to the EU GDPR.
Data Protection in the USA: Focus on California
As before mentioned, the US approach to the regulation of data privacy is not holistic also in that it protects private persons against government access and regulates data privacy only in specific industries like education, finance, health and video rentals (Krishnamurthy, 2020), as such not governing data protection at federal level. However, some American states do offer sufficient levels of data protection (IT Governance Privacy Team, 2019). The above are the reasons that the USA (as a country) does not appear on the list of countries, in respect of which the European Commission has made an adequacy decision[4]. This omission to be added to the list is surprising to many, as the USA and the EU are collectively recorded as having the highest net export of digitally enabled services (Hamilton & Quinlan, 2020).
State of California
In November 2020, California introduced the California Privacy Rights and Enforcement Act (CPRA), which increasingly regulates company data practices, especially in relation to advertising and how companies collect and use consumer data, particularly in online advertising (Sloane, 2020). This new Act is effective from 01 January 2023 and, similar to the EU GDPR, grants rights to individuals to request that their stored data be deleted or to be corrected (Gilbert, 2021).
Until the date of operation of the CPRA, the California Consumer Privacy Act (CCPA) of 2018 applies. This legislation is described as a “landmark privacy law” (Morris, 2020, p. 96), establishing a range of privacy rights for individuals while simultaneously increasing the non-compliance risks for companies (Morris, 2020).
In the CCPA, the definition of personal information is
“information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[5]
The CCPA goes on to list identifiers of personal information to include commercial information (for example, products purchased), biometric information, geolocation data as well as professional or employment-related information[6]. This definition is significantly broader than that by the FTC and while, on the face of it, more voluminous than that of the GDPR, the definitions in both the GDPR and the CCPA make reference to an open list of identifiers.
In terms of application, the CCPA applies to corporate entities that collect personal information in respect of consumers, provided such entities meet the following three thresholds (Shatz & Chylik, 2020):
-
A minimum annual gross revenue (of a business, in combination with its affiliates) of US$ 25.000.000 – There is no further indication in the statute on the source of the revenue(s);
-
Whether the business, in a year, purchases, accesses for commercial purposes, sells or shares the personal data of at least 50.000 California consumers, households or internet-connected devices;
-
Businesses that derive at least 50% of their annual revenues from selling consumers’ personal information.
From the above requirements, it can be read that the affected businesses must conduct business for profit. Furthermore, the CCPA prescribes that the company must collect personal information and must determine the purposes of processing as well as the means of processing (Mesarčík, 2020).
Glaring Differences between the CCPA & the EU GDPR
The first glaring difference relates to the territorial scope of application – the CCPA is a State law (thus not a federal law), which applies to businesses trading in California and that satisfy the requirements listed above, while the EU GDPR is a Union directive (applying to the EEA member states), which has express extra-territorial application in that the collection and processing of the personal data of EU residents is protected even when such collection and processing occurs outside of Europe (Mesarčík, 2020)[7].
Secondly, while the CCPA applies only to a selected set of companies (as set out above), the GDPR applies against data processors, who can be “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”[8] and against controllers, who determine “the purpose for which and the means by which personal data is processed”[9]. The GDPR, as such, does not place a minimum threshold on the size, maturity level nor business set-up of controllers and processors. This means that companies cannot be too small nor too young to transgress against GDPR provisions.
In the third instance, the CCPA, in addition to protecting the personal information pertaining to an identifiable person, goes a step further to also regulate information in and of households in California (Determann & Gupta, 2019). The GDPR explicitly protects the personal data of data subjects, being “identified or identifiable natural persons”[10], who are either European citizens or residents.
Fourthly, the potential consequences for violations are vastly different: the GDPR, in Art. 83(5), sets a punitive framework of up to € 20 million or, in the case of an undertaking, up to 4% of the total global turnover (in the preceding fiscal year) of such undertaking. In the CCPA, the penalties for transgression range between US$ 2.500 and US$ 7.500 per transgression, where the first amount relates to civil penalties and the latter to each intentional violation.
The above differences are by no means exhaustive. The aim of this article is to provide just an impression of some of the existing differences.
Closing Remarks
While the CCPA is perceived to be “the most comprehensive and far-reaching state data privacy law” (Williams, 2021, p. 226) in the USA, it is especially the definite and extensive extra-territorial application of the GDPR as well as the potentially colossal penalties for trangressions that compels tech companies around the world to get familiar with or seek professional advice on the degree to which the GDPR may apply to them. Penalties for transgressions against the GDPR could be fatal for the transgressing persons, even more so for SMEs and start-ups.
Bibliography
Abiteboul, S., & Stoyanovich, J. (2019). Transparency, Fairness, Data Protection, Neutrality: Data Management Challenges in the Face of New Regulation. Journal of data and information quality.
Determann, L., & Gupta, C. (01. 01 2019). India’s Personal Data Protection Act, 2018: Comparison with the General Data Protection Regulation and the California Consumer Privacy Act of 2019. Berkeley journal of international law, 37(3), S. 481-516.
Gilbert, A. (23. May 2021). California Consumer Privacy Act (CCPA) compliance guide: Everything you need to know. – https://www.osano.com/articles/ccpa-guide
Hamilton, D. S., & Quinlan, J. (2020). The Transatlantic Economy 2020: Annual Survey of Jobs, Trade and Investment between the United States and Europe. Washington D.C.: Foreign Policy Institute.
Heward-Mills, D., & Turku, H. (2020). California and the European Union Take the Lead in Data Protection. Hastings International and Comparative Law Review, 43(2), S. 319-338.
IT Governance Privacy Team. (2019). EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide (Bd. 3). Cambridgeshire: IT Governance Ltd.
Krishnamurthy, V. (2020). A Tale of Two Privacy Laws: The GDPR and the International Right to Privacy. AJIL unbound, 114, S. 26-30.
Mesarčík, M. (2020). Apply or not to Apply? A Comparative View on Territorial Application of CCPA and GDPR. Bratislava Law Review, 4(2), S. 81-94.
Morris, K. M. (01. 02 2020). Slicker Than a Boiled Onion: What Texas lawyers need to know about data privacy, the GDPR, and the CCPA. Texas bar journal, 83(2), S. 96.
Ntouvas, I. (2019). Exporting personal data to EU-based international organizations under the GDPR. International Data Privacy Law, 9(4), S. 272-284.
Phillips, M. (2018). International data-sharing norms: from the OECD to the General Data Protection Regulation (GDPR). Human Genetics, 137, S. 575-582.
Ryngaert, C., & Taylor, M. (2020). The GDPR as Global Data Protection Regulation? AJIL Unbound, 114, S. 5-9.
Schünemann, J., & Windwehr, J. (2020). Towards a ‚gold standard for the world‘? The European General Data Protection between supranational and national norm entrepreneurship. Journal of European Integration, S. 1-16.
Shatz, S., & Chylik, S. E. (2020). The California Consumer Privacy Act of 2018: A Sea of Change in the Protection of California Consumers‘ Personal Information. Business Lawyer, 75(2), S. 1917+.
Sloane, G. (2020). Digital Advertisers Fret over California’s New Privacy Law. Advertising age, 2.
Tashea, J. (01. 01 2019). California’s new data privacy law could change how companies do business in the Golden State. ABA Journal, 105(1), S. 34.
Wagner, J. (2018). The transfer of personal data to third countries under the GDPR: when does a recipient country provide an adequate level of protection? International Data Privacy Law, 8(4), S. 318-337.
Williams, S. (19. 02 2021). CCPA Tipping the Scales: Balancing Individual Privacy with Corporate Innovation for a Comprehensive Federal Data Protection Law. Indiana law review, 53(1), S. 217-243.
Yakovleva, S., & Irion, K. (2020). Pitching trade against privacy: reconciling EU governance of personal data flows with external trade. International Data Privacy Law, 10(3), S. 201-221.
Notes
[1] The edps is the EU’s independent data protection authority set up to „serve as an impartial centre of excellence for enforcing and reinforcing EU data protection and privacy standards, both in practice and in law.“ – edps.europa.eu/…/about-us_en
[2] edps.europa.eu/…/data-protection_en
[3] dlapiperdataprotection.com
[4] The European Commission is empowered by Article 45 of the GDPR to determine „whether a country outside the EU offers an adequate level of data protection“ – ec.europa.eu/…/adequacy-decisions_en
[5] 1798.140 (o) (1) of the CCPA
[6] 1798.140. (o) (1) (A) – (K)
[7] For an valvisio international article going into more detail on the GDPR prescripts pertaining to international data transfer, and thus the extra-territorial application of the GDPR, please visit this link: valvisio.ag/vulnerability-in-international-data-transfer
[8] Art. 4(8) of GDPR
[9] ec.europa.eu/…/what-data-controller-or-data-processor_en
[10] Art. 4(1) of GDPR
