A landmark data privacy law went into effect in California on Jan. 1, the first of its kind in the United States. In 2018, a similar law took force in Europe. Their differences highlight issues regarding data privacy legislation that may continue to arise as similar laws roll out in other places.
In California, it’s called the California Consumer Privacy Act (CCPA). In Europe, it’s called the General Data Protection Regulation (GDPR).
The CCPA has been called “California’s GDPR,” but that’s somewhat of a misnomer.
Both laws grant consumers the right to access, correct, and delete their data collected by companies. And both laws give consumers the right to stop companies from sharing their data with third parties. But two industry insiders highlighted for The Epoch Times key differences in the laws.
Opting In, Opting Out
Firstly, in California you have to actively tell businesses not to sell your data. You have to opt-out. Whereas in Europe, businesses have to ask you if they can sell your data. You have to opt-in.Jessica Berman, Principal Product Manager for the global video advertising platform SpotX, said that CCPA assumes “business as usual” in terms of data usage unless a user opts out.
To use the analogy of a club, the GDPR mandates that consumers—or “data subjects”—have to consent to joining the club. The CCPA, on the other hand, assumes everyone is a member of the club, but deserves the opportunity to cancel their membership if they choose.
Max Schrems, Austrian lawyer and privacy activist, talks with journalists ahead of the introduction of the EU's new GDPR regulations in Vienna, Austria, on May 24, 2018. Joe Klamar/AFP via Getty Images
European Union Justice Commissioner Vera Jourova addresses a press conference in Brussels taking stock of the General Data Protection Regulation (GDPR), one year after its entry into application. Emmanuel Dunand/AFP via Getty Images
The “opt-out” right under CCPA is also known as a “Do Not Sell” right, said Alan Friel. He co-leads the U.S. Consumer Privacy practice for the law firm BakerHostetler, which counsels clients on compliance with the California Consumer Privacy Act (CCPA) and other data privacy regimes.
He said exceptions exist. A potential exception would be a business that shares data with third parties in the interest of security and fraud prevention.
Another difference between the CCPA and the GDPR, Friel said, is how they protect consumers against discrimination as a result of opting out.
The CCPA outlines distinct ways in which consumers may not be discriminated against: they cannot be denied, charged different prices or rates, nor provided a different level for goods or services as a result of opting out.
The GDPR does implies protection against discrimination, but not so explicitly. It states that data subjects must be informed of any consequences related to automated decision-making.
Enforcement
“It has been pretty popular,” Friel said of the GDPR. “A lot of people are exercising their rights. Under the GDPR, there are data protection authorities that are tasked with enforcing it and they’ve been ramping up their enforcement after an initial period of letting companies try to get it together. I think we’ll probably see something similar here.”Berman, however, noted a few unanswered questions around CCPA. How will media owners determine if a user is a California resident? How will consumers find a consistent way to opt-out of advertising? When will technology companies receive clear communication from the state regarding timing for implementation?
The law took effect on Jan. 1, but the Attorney General’s regulations on how CCPA will be enforced won’t be finalized until July.
“The technical implementation of CCPA is complicated,” Berman said.
