The EU’s sweeping data privacy law – GDPR (General Data Protection Regulation) – will celebrate its one year anniversary later this month. In this time, the GDPR is credited with, among other things, inspiring other jurisdictions, including the United States, to adopt similar legislation designed to protect the rights of individuals over their personal data and increase the transparency of data collection and processing activities. By now, you’ve likely heard about California’s latest amendments to its data privacy legislation – the California Consumer Privacy Act (CCPA) – and its implications for companies doing business in California. Other states are not far behind, and a federal law that also aims at giving individuals more control over their data is also being discussed in Congress. Fortunately, many U.S. companies have already invested considerable resources into complying with GDPR. Because the principles underpinning CCPA are the same, lessons learned from GDPR compliance efforts will provide a significant head start in preparing for CCPA. For those companies who have yet to examine their data protocols, leveraging these lessons will be a wise place to begin. So, what has complying with GDPR taught us that we can use to prepare for the CCPA? Here are 3 key take-aways: It’s important to note that, despite their similarities, there are several key differences between these laws, such as an annual revenue threshold for applicability under CCPA which does not exist with the GDPR. In any case, the CCPA goes into effect on January 1, 2020, with enforcement by the U.S. Attorney General beginning on July 1st of that year. We are advising clients to begin preparations now, however, in light of a CCPA provision which requires companies to be able to show at any time a 12-month tracking record of personal information collected on California consumers. Outside GC is well-positioned to assist with your compliance efforts in the U.S and EU. Our data privacy team includes California-based attorneys, as well as EU-trained lawyers based in the U.S, all of whom bring significant in-house counsel experience and can support companies with domestic and foreign operations. Like our GDPR readiness checklist, a similar tool for CCPA compliance will be shared in the next couple of months. In the meantime, we would be happy to answer your questions relating to the CCPA, the GDPR, or data privacy in general. Feel free to reach out directly to any member of our privacy team (below) or request more information by visiting our Contact Us page. Stephan Grynwajc served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape. [email protected] Mark Johnson has over 20 years of experience advising clients on data privacy regulations and public policy, and is a former member of the Data Privacy practice group at the international law firm, Squire Patton Boggs in Washington D.C. [email protected] Bill Porter brings over 20 years of experience advising emerging technology companies on a diverse range of general corporate matters, including privacy and data security. [email protected] Lakshmi Sarma Ramani served as the lead global attorney for privacy matters at The Nature Conservancy, where she also managed a wide range of legal and regulatory compliance matters, including cybersecurity, tax, finance, technology, marketing, membership and fundraising. [email protected]
A primary objective of both the GDPR and the CCPA is holding businesses accountable for not only their ability to document their processing activities, including information on what data has been collected, for what purpose, and with whom it may have been shared, but also for their readiness to timely respond to individuals’ requests regarding the use of their data. With respect to data access requests, the GDPR mandates that impacted companies respond to such inquiries within 30 days; accordingly, response protocols had to be created around this requirement. Although the CCPA’s timeframe for responding to consumers’ requests is not finalized, CCPA-impacted companies should prepare to be able to respond to consumers’ requests for information in a consistent manner.
GDPR also requires that businesses create an incident reporting system for responding to claims of data breach, including timeframes for notifying affected individuals and protocols for escalating claims to the appropriate governing authorities within such timeframe as required by the GDPR. Under the CCPA, the same system will be necessary, and businesses can easily adapt their GDPR protocols to fulfill this requirement.
The GDPR requires that specific elements be included in the website privacy policies of impacted companies. For example, policies must state which categories of personal data are being collected, for what purpose, with whom they are being shared and for what purpose, how long the data is retained, what security measures around the data have been implemented, and what access rights to their information users have. Although CCPA privacy notices will be separate from GDPR website notices, the same level of granularity will be mandated.
This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances not an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.