CCPA, face to face with the GDPR: An in depth comparative analysis


By: Gabriela Zanfir-Fortuna and Michelle Bae

The General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the California Consumer Privacy Act of 2018 (‘CCPA’) both aim to guarantee strong protection for individuals regarding their personal data and apply to businesses that collect, use, or share consumer data, whether the information was obtained online or offline.

The GDPR, which went into effect on 25 May 2018, is one of the most comprehensive data protection laws in the world to date. Absent a comprehensive federal privacy law in the U.S., the CCPA is considered to be one of the most significant legislative privacy developments in the country. Like the GDPR, the CCPA’s impact is expected to be global, given California’s status as the fifth largest global economy. The CCPA will take effect on January 1, 2020, but certain provisions under the CCPA require organizations to provide consumers with information regarding the preceding 12-month period, and therefore activities to comply with the CCPA may well be necessary sooner than the effective date.

As highlighted by this Guide, the two laws bear similarity in relation to their definition of certain terminology; the establishment of additional protections for individuals under 16 years of age; and the inclusion of rights to access personal information.

However, the CCPA differs from the GDPR in some significant ways, particularly with regard to the scope of application; the nature and extent of collection limitations; and rules concerning accountability. On the latter, for example, the GDPR imposes obligations to appoint a Data Protection Officer, to maintain a register of processing activities, and to carry out Data Protection Impact Assessments in specified circumstances. The CCPA, by contrast, does not focus on accountability obligations of this kind, although a few exist, such as the requirement that businesses train the staff who handle requests from consumers.

It is also noteworthy that the core legal framework of the CCPA is quite different from the GDPR. A fundamental principle of the GDPR is the requirement to have a “legal basis” for all processing of personal data. That is not the case for the CCPA.

Moreover, the CCPA excludes some categories of personal information from its scope altogether, such as medical information already covered by other U.S. legal frameworks (including personal information collected for clinical trials) and personal information handled by consumer reporting agencies.

Further, the CCPA focuses on transparency obligations and on provisions that limit selling of personal information, requiring a “Do Not Sell My Personal Information” link to be included by businesses on their homepage. In addition, the CCPA includes specific provisions in relation to data transferred as a consequence of mergers and acquisitions, providing consumers with the right to opt-out if the “third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection.”

This Guide aims to assist organizations in understanding and comparing the relevant provisions of the GDPR and the CCPA, to ensure compliance with both pieces of legislation.

This Guide provides a comparison of the two pieces of legislation on the following key provisions:

  1. Scope
  2. Key definitions
  3. Legal basis
  4. Rights
  5. Enforcement

Each topic includes relevant articles and sections from the two laws, a summary of the comparison, and a detailed analysis of the similarities and differences between the GDPR and the CCPA. The degree of similarity for each section can be identified using the key below.


Genetic Testing Will Be the Talk of the Table this Thanksgiving

This Thanksgiving, as families gather around the dinner table and discuss heritage and history, genetic testing is sure to be on the menu. Genetic testing companies are offering Black Friday and Cyber Monday discounts on kits to help you discover your genealogy and are sure to report record sales.

It is no surprise that as families come together this week, heritage, health, and the other fascinating information that can be drawn from DNA will be the talk of the table. From conversations about new family connections and serious health conditions to what types of wines best fit your genetic taste profile, DNA insights are becoming an important part of family discussions. And as with any family discussion, navigating serious or sensitive topics takes thoughtfulness and diplomacy; choosing a genetic testing provider also calls for careful consideration.

While today it is easier than ever to learn about family history, individuals should also be aware that genetic data is one of the most sensitive categories of personal information and warrants a high standard of privacy protection. Genetic data may be used to identify risk of future medical conditions, contain unexpected information that may be unsettling, and reveal information about the test taker’s family members. Because genetic information is so sensitive, you’ll want to know how a company will protect and use genetic data before buying Grandpa a kit on Black Friday.

One key way to assess a company’s genetic privacy practices is to look to the principles highlighted in the Future of Privacy Forum’s Privacy Best Practices for Consumer Genetic Testing Services, a set of standards for the collection, use, and sharing of genetic data. Companies that currently support the Best Practices include: Ancestry, 23andMe, Helix, MyHeritage, Habit, African Ancestry, FamilyTreeDNA, and Living DNA.

You also should carefully examine the company’s privacy policy to be sure you are choosing a company that has your genetic privacy in mind. Here are five important questions you should consider when deciding which genetic test to purchase (hint: all the answers should be YES):

  1. Does the Company Ask for Your Consent Before Sharing Your Individual-Level Genetic Data with Third Parties? People choose to share their genetic data with third parties for a range of purposes (e.g., participate in scientific research or connect with potential relatives). However, genetic testing companies should never share your individual-level genetic data with third parties without your knowledge, particularly with insurers, employers, and educational institutions.
  2. Does the Company Provide You the Ability to Delete Your Genetic Data and Destroy Your Biological Sample If You Choose? Companies may have default policies to destroy all samples once testing is completed, retain data or samples for only a finite period of time, or retain data and samples indefinitely or until you close your account. Companies should be clear about their retention practices and offer prominent ways to delete your genetic data and destroy your biological sample.
  3. Does the Company Require Valid Legal Process before Disclosing Your Genetic Data to the Government? As we have seen in recent cases like the Golden State Killer, genetic data can be a powerful investigative tool for government. However, government access to your genetic data should not be as easy as pumpkin pie, as it presents substantial privacy risks. Companies should require that government entities obtain valid legal process before they disclose genetic data.
  4. Does the Company Notify You of Material Changes to Its Privacy Statement and Ask You to Agree to the Changes? Companies may modify their privacy statements occasionally, and sometimes they significantly change how genetic data is collected, used, and stored. Companies may also be bought, sold, or go out of business. But before changes are implemented, you should be notified and given an opportunity to review the changes and choose whether or not you want to continue using the services.
  5. Does the Company Have Strong Data Security Practices? As more than 12 million individuals have had their DNA tested, the potential for hacking and data breaches has become an increasing concern. Given the uniqueness of genetic data, companies should maintain a comprehensive security program through practices such as: secure storage of biological samples and genetic data, encryption, data-use agreements, contractual obligations, and accountability measures.

As we gather this week to give thanks for our families and heritage, let us also take a moment to consider the ways that genetic data can bring us closer together … and why it is important to protect it.

Limor Shmerling Magazanik Joins Israel Tech Policy Institute as Managing Director and Future of Privacy Forum as Senior Fellow

FOR IMMEDIATE RELEASE

November 20, 2018

Contact: Melanie Bates, 202-768-8950, [email protected]

Former Senior Official at Israel’s Privacy Protection Authority to Lead ITPI

Washington, DC – November 20, 2018 – The Israel Tech Policy Institute and Future of Privacy Forum today announced Limor Shmerling Magazanik as ITPI Managing Director and FPF Senior Fellow. In this role, Magazanik will provide leadership on day-to-day operational matters of ITPI, including directing ITPI’s policy agenda; engaging policymakers, regulators, academics, and business leaders; convening multistakeholder groups for discussion; and overseeing communications with the public and the advisory board.

“We are thrilled that Limor has joined our team,” said Jules Polonetsky, FPF CEO and ITPI Co-Founder. “She has a proven track record of success bringing together senior leaders from government, academia, civil society and the private sector to shape data governance principles and practices. We look forward to expanding our footprint in Israel under her thoughtful leadership.”

Major projects for ITPI in 2019 include data protection law, digital economy issues, supporting Israel’s emerging leadership in privacy technologies and enabling smart city and connected transportation deployments.

Magazanik comes to ITPI and FPF after a decade with the Privacy Protection Authority, serving most recently as Director of Strategic Alliances and previously as Director of Licensing & Inspection. She led policy initiatives and regulation in technology-driven sectors and promoted compliance with data protection, privacy, cybersecurity and digital identity regulation. She is an adjunct lecturer at the Hebrew University Faculty of Law and the IDC Herzlia School of Law, holds LL.B., MA and LL.M. degrees from Tel Aviv University, and is a CIPP/E, CIPP/US and CIPM.

“After 10 years with the Privacy Protection Authority, I am excited to help connect the Israeli tech community to the Future of Privacy Forum’s world-class tech policy expertise,” said Magazanik. “I believe Israel can be a leader in developing technologies that enhance privacy protection.”

ITPI Co-Founder Omer Tene said, “Limor, who in her previous position coordinated extensively with European data protection regulators, is perfectly placed to bridge between regulators and policymakers on the one hand and tech innovators from Tel Aviv to Silicon Valley on the other hand.”

Magazanik has deep experience tackling information society issues such as the Internet of Things, autonomous vehicles, smart cities, biometrics, social networks, digital health care, credit data, fintech and more. She has a multifaceted background in both government and the private sector, having practiced corporate, property and banking law, as well as working in product and project management in the Israeli high-tech industry.

###

About Israel Tech Policy Institute

Israel Tech Policy Institute is an incubator for tech policy leadership and scholarship, advancing ethical practices in support of emerging technologies. Learn more about ITPI by visiting www.techpolicy.org.il.

About Future of Privacy Forum

Future of Privacy Forum is a global non-profit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. Learn more about FPF by visiting www.fpf.org.

Long Overdue: Comprehensive Federal Privacy Law

FPF has long supported federal comprehensive consumer privacy law. We believe that both businesses and consumers will gain from one clear standard that provides consumers with needed protections and provides industry with certainty and guidance.

On Friday, FPF filed comments to the National Telecommunications and Information Administration (NTIA) in response to the Administration’s September 2018 Request for Comments on a federal approach to consumer privacy. The NTIA has requested input on the best approach to strengthen existing consumer data protections in the United States while promoting the administration’s high-level goals, including: enhancing legal clarity; reducing legal fragmentation; and increasing national and global interoperability.

In our comments, we called on Congress to draft and pass a national comprehensive consumer privacy law that would create baseline legal protections for individuals in the United States. In doing so, we recommend that such a law address issues of interoperability with existing federal sectoral laws and global privacy frameworks, and avoid creating conflicting requirements with existing frameworks in order to promote beneficial cross-border data flows (as an example, we have previously addressed the unintended consequences of various nations’ data localization laws).

We also note that a national privacy law would be likely to preempt some similar state legislative efforts, both as a natural outcome of the Supremacy Clause and as a matter of policy to support clarity and consistency in businesses’ compliance obligations. We also believe that consumers should not expect to have fewer privacy rights — such as the right to access, correct, or delete information, or to exercise meaningful control over whether that information is used for unexpected purposes, shared with others, or sold — simply because they live in one state rather than another. However, we flag for the Administration certain key implementation questions that should be carefully considered — such as the effect of a national law on the role of state attorneys general, enforcement actions under generally applicable business practices laws, and existing state constitutional rights to privacy.

We also recommend that the Administration address a range of important substantive considerations of a draft bill, including:

We commend the NTIA and the Department of Commerce for their engagement on this important issue, and look forward to continuing to engage with stakeholders on a federal approach to guaranteeing clear, consistent, and meaningful privacy and security protections in the United States.

Lauren Smith Appears on CBS This Morning to Talk Connected Cars

FPF Policy Counsel Lauren Smith runs our Connected Car Project. Today, she appeared on CBS This Morning to talk connected cars. Lauren explains:

“So the truth is, that yes, our cars are learning more about us, but what they learn may save our lives.”

Video Credit: CBS Interactive Inc.