Operationalising multijurisdictional privacy requirements – the GDPR and the CCPA

April 2020  |  EXPERT BRIEFING  |  DATA PRIVACY

financierworldwide.com


The California Consumer Privacy Act (CCPA) is the most sweeping privacy law in the US, rivalling that of the EU’s General Data Protection Regulation (GDPR). Generally, it requires organisations that conduct business in California to observe rights of transparency, access, control and portability for California ‘consumers’, which carries a similar meaning to that of a data subject under the GDPR – natural individuals. Since the enactment of the GDPR, companies have developed data maps, systems, teams and automated processes to comply with a number of sweeping requirements. With new, and sometimes divergent, data privacy and protection laws blossoming around the world, companies are assessing the best strategies for holistic and uniform multijurisdictional compliance. As efforts to protect personal information increase, companies are likely to see new laws that are asymmetrical from one jurisdiction to the next, which creates compliance issues for organisations conducting business in multiple jurisdictions.

These additional requirements necessitate action beyond the steps that impacted businesses may have already taken for GDPR compliance. The divergences in these privacy and protection laws, however, can create compliance and operational challenges. This article discusses some of the most significant divergences between the GDPR and the CCPA, and provides an overview of how companies around the world are internalising and operationalising these compliance distinctions.

The CCPA

On 1 January 2020, the CCPA officially went into effect as the most extensive US state law governing consumer privacy. Much like the GDPR, the CCPA’s breadth is far-reaching, and although it only affords rights to California residents, it applies to any for-profit organisation that conducts business in California and either: (i) earns annual gross revenues in excess of $25m; (ii) possesses the personal information of 50,000 or more consumers, households or devices; or (iii) earns more than half of its annual revenue from selling consumers’ personal information. Though the CCPA has various exemptions to avoid overlap with other US data privacy laws, like the Health Insurance Portability and Accountability Act and the finance-focused Gramm-Leach-Bliley Act, such exemptions are not absolute.

And, while the CCPA is similar to the GDPR on many levels, it is narrower in some important respects. For example, the CCPA does not specifically provide individuals the right to correct inaccurate personal data, restrict processing or object to processing, and it provides somewhat more limited rights for individuals to access and delete personal data. However, the CCPA includes specific and certain unique requirements for businesses to verify individual identities and requests prior to disclosure of information, to provide detailed information about the collection and use of personal information, to create a mechanism for accommodating restrictions on the sale of personal information and to observe requirements for vendor management.

Request and identity verification

As a preliminary matter, businesses must assess whether they want to apply varying privacy regimes uniformly throughout their operations or observe only those rights provided within a particular jurisdiction. Although both the CCPA and the GDPR require organisations to verify an individual’s identity prior to responding to various exercisable rights, there may be complications verifying an individual’s residency. A uniform approach to compliance is becoming more favoured simply because of the ease of defensibility. For example, Microsoft recently announced that it intends to observe CCPA rights for all individuals, regardless of residency and jurisdiction. On the other hand, an approach that honours requests only from an individual’s jurisdiction, such as only observing CCPA rights for California residents, should at a minimum leverage a robust process to verify residency and provide robust training to personnel responsible for assessing and responding to such requests.

Transparency requirements

Like the GDPR, the CCPA requires businesses to provide specific information to individuals prior to or at the time of collection of personal information. The principal mechanism to deliver such information is typically an online privacy notice or statement. Businesses that seek a uniform approach to privacy compliance will often address all multijurisdictional requirements in one document. The benefit of such an approach is uniformity in message and minimising the management of compliance documents. On the other hand, certain businesses maintain a primary privacy notice with a supplemental California-specific privacy notice, such as a separate privacy link: ‘Your California Privacy Rights’. Such an approach creates more information for individuals to parse, but allows a business to make clear distinctions between the business’s overall privacy practices and legally required information.

Sale of personal information

As an interesting point of divergence from the GDPR, the CCPA requires businesses to provide a mechanism for individuals to opt-out of the ‘sale’ of their personal information. Broadly defined under the CCPA, the ‘sale’ of personal information is any exchange of personal information to a third party for monetary or other valuable considerations, which can implicate a number of routine disclosures of personal information to suppliers, vendors or partners.

Irrespective of approach, honouring opt-out requests requires a business to have a full picture of all third parties to which the business sells information, as well as a mechanism for ensuring that the individual’s personal information is no longer sold. This creates complex logistics problems. In addition, the CCPA regulations except opt-out requests from the otherwise legally required verification process. As a result, businesses must either rely on sophisticated technologies to verify that the request originates from a California resident or rely on the individual to voluntarily provide the information. Either way, the sectoral approach presents defensibility challenges. In this instance, most businesses that sell personal information honour requests uniformly.

Requests to delete personal information

Both the GDPR and the CCPA provide consumers with a right to have businesses delete their personal data, known colloquially as the ‘right to be forgotten’. The GDPR requires a business to delete personal information in certain enumerated instances and where no exception applies. The CCPA, however, outlines a broader right to delete personal information, but its exceptions tend to be broader than the GDPR’s exceptions. For CCPA-specific requests to delete, a business must delete an individual’s personal information unless it is necessary: (i) for the transaction or other internal uses that are reasonably expected by the context of the collection; (ii) to detect security incidents; (iii) to prevent fraud or other illegal or deceptive conduct; (iv) to debug problems with intended functionality; (v) to promote free speech or participate in scientific, historical or statistical research; or (vi) to comply with another legal obligation.

Attempting to balance this right has proven a challenge for businesses to uniformly operationalise. By its very nature, the response calls for a judgment from the business unless it chooses to waive any applicable technical requirements or exceptions. In fact, to create a uniform approach while respecting individual rights, businesses are becoming more permissive with deletion requests unless the personal information is necessary for compliance, exercising or defending a legal claim, to complete a transaction or contract or other necessary reasons.

Vendor management

In a first-of-its-kind requirement, the GDPR explicitly requires controllers to enter into written agreements with vendors, also known as processors, that process personal information on behalf of the controller. By law, these agreements must contain explicit processing instructions, along with various requirements to protect and limit the use of personal information. The CCPA provides for a similar relationship with third-party processors, known as service providers. With a qualified service provider contract, a business enjoys two primary benefits: certain protections from liability if the service provider improperly uses personal information, and the transfer of personal information to a service provider acting as an exception to the sale of personal information.

The contractual requirements are less stringent but are unique to the CCPA, which can make the procurement process challenging. In order to qualify as a service provider, there must be a written contract between the parties that prohibits the service provider from retaining, using or disclosing the personal information for any purpose other than the specific purpose in the contract, or as otherwise permitted under the CCPA. The service provider is also required to certify that it understands and will comply with the contractual restrictions. Businesses can amend their contract papers to encompass both GDPR and CCPA requirements, but this often results in protracted negotiations or renewals. In addition, the CCPA-required provisions can sometimes contradict the GDPR-required provisions. Taking an ad hoc approach, though, can be burdensome for a business’s procurement process. To resolve this tension, some businesses are adopting procurement standards that require contracts or relationships above a certain monetary value or of a certain sensitivity to move through different review groups, such as privacy or legal, prior to execution.

Because cross-border operations are a reality that many companies deal with every day, the ability to leverage existing compliance systems and processes to address multijurisdictional legal requirements reduces costs and maximises resources without sacrificing compliance. Businesses should take care, though, when deciding to take a holistic and uniform approach to compliance. Strategies should consider the impact of unintentionally conferring rights upon individuals where they have none or waiving certain exceptions or rights that a business should otherwise reserve.

Matthew R. Baker is a partner and Katie Barajas is an associate at Baker Botts LLP. Mr Baker can be contacted on +1 (415) 291 6213 or by email: matthew.baker@bakerbotts.com. Ms Barajas can be contacted on +1 (202) 639 7734 or by email: katie.barajas@bakerbotts.com.


BY

Matthew R. Baker and Katie Barajas

Baker Botts LLP
