As we all know by now, on May 25 2018 the General Data Protection Regulation (GDPR) came into force, signalling the enhancement and extension of personal data protection for citizens throughout the European Union (EU). The EU, however, is no longer alone in updating its privacy legislation to meet the demands of the digital age. January 1 2020 saw the introduction of the California Consumer Privacy Act (CCPA) which, in various aspects, is interesting enough to take a closer look at.
The CCPA applies to organisations doing business in the state of California, having an annual gross revenue in excess of 25 million dollars and selling or sharing the personal information of 50,000 or more consumers, households or devices, or deriving 50% or more of their annual revenues from selling consumers’ personal information. The CCPA does not specify what exactly qualifies as ‘doing business’ in this context, which means that for companies established outside of California, it is unclear to what extent and under which conditions they have to meet the obligations laid down in the CCPA.
The protection offered by the CCPA is limited to personal information related to consumers and households residing in the state of California who, as is true for residents of the EU, have the right of information on, access to and removal of their personal data. Surprisingly, the CCPA’s definition of ‘personal information’ does not include information available in government records. In contrast, the CCPA does specifically mention commercial information, including purchasing history and all online activities, as types of personal information. One interesting provision of the legislation is that it explicitly prohibits discrimination against consumers for having exercised their rights under the CCPA. Consumers, for instance, may not be denied goods or services, nor may they be charged different prices, for having requested access to their personal data.
The right to opt-out
Another interesting detail of the CCPA is the introduction of ‘the right to opt-out’, which means that consumers can always object to companies selling their personal information to third parties, where ‘selling’, in the sense of the CCPA, also includes transferring data or making data available to third parties for monetary or ‘other valuable consideration’. Companies are now required to provide a clear and visually prominent ‘do not sell my personal information’ link on their websites.
The CCPA’s broad definition of ‘selling’ seems to be intended to prevent businesses from bypassing ‘the right to opt-out’ with the familiar claim of simply ‘sharing personal information with trusted partners’. Apparently, however, Facebook, which like numerous other tech companies is based in California, already stated back in October of 2019 that it is under no obligation to add an opt-out link to its website, the contention being that the practice of collecting tracking data, commonly known as Facebook Pixel, does not qualify as ‘selling’ in the sense of the CCPA. In a blog post the company claims that ‘the CCPA recognizes that many common activities are not “sales,” such as if a consumer directs a business to share their information, or if a consumer’s information is transferred for a business purpose with certain limitations on the recipient’s use.’ Whether or not this interpretation holds water will eventually be for a court to decide. And this ruling, if it does come to that, will most definitely also impact the many other tech companies making money from digital advertising.
Under the GDPR, serious infringements of its provisions are subject to fines of up to 20 million Euros or 4% of the organisation’s total worldwide annual turnover, whichever is higher. The CCPA, on the other hand, provides for maximum fines of 2500 dollars per violation, or 7500 dollars in case of intentional violation. These fines, however, are not directly imposed by a designated authority, as is the case under the GDPR. Instead, they are part of a judge’s ruling, at the end of a civil lawsuit filed by the Attorney General.
In other words, consumers themselves do not have the right to claim damages, with the exception of cases involving a data breach, where they can be awarded 100 to 750 dollars of compensation. Remarkably, however, consumers cannot claim damages, nor will a civil procedure be initiated by the Attorney General, where a company ‘cures’ violations within 30 days of their occurrence and notifies consumers in writing that the violations ‘have been cured’ and that no further violations will occur.
With the CCPA coming into force, the United States has also taken a first step in reinforcing the right of personal data protection, which is a good thing, if only inasmuch as it may inspire other states to follow suit. In terms of the exact interpretation of the CCPA, however, much still remains ambiguous, which leads me to believe that the CCPA does not come close to offering the level of protection, nor enforceability, provided by the GDPR, nor even by previous European data protection legislation. Enforcement by the Attorney General, in fact, will not be possible until July 1 2020. It will be interesting to see what sort of effects the CCPA will eventually have, for American and European businesses alike.
1. 1798.140, c
2. OneTrust DataGuidance & Future of Privacy Forum have stated as their conclusion that, based on the definition of ‘doing business’ suggested by the California Franchise Tax Board, it is not unlikely for businesses established outside of California nevertheless to fall under the scope of the CCPA.
3. 1798.140, g and o.
5. 1798.140, d and f.
8. 1798.140, t.