Comparing Consumer Rights: GDPR vs. CCPA vs. CPRA
The California Privacy Rights Act (CPRA) is “Version 2.0” of the California Consumer Privacy Act (CCPA) and is likely heading to the California voting booth in November 2020. It would not be a net new law per se, but if passed by California voters in the fall would significantly amend the existing CCPA law. Namely, the CPRA changes the scope of the CCPA in a few significant ways while also providing additional rights to consumers and new obligations to businesses. It also adds meaningful enforcement via a new regulatory agency called the California Privacy Protection Agency (PPA) — and note the backers of this ballot initiative are strongly messaging the enforcement angle to voters.
In my last blog I discussed the scope of the CPRA and compared it to EU’s General Data Protection Regulation (GDPR) — what is typically considered the “gold standard” of data privacy and protection laws — as well as compared it to its Version 1 (aka the CCPA). For this blog I will dig into the consumer rights (or in GDPR parlance what is known as “data subject rights” and what I will also sometimes refer to as “Individual Rights”) that the CPRA proposes and compare those rights to what GDPR and CCPA provides.
Executive Summary of Consumer Rights Offered by GDPR, CCPA and CPRA
Let’s first cut to the chase and simply summarize what rights each one gives and provide a high-level table that compares the three. The nitty-gritty details are then covered in sections below for each right.
Typically, most analysts consider the GDPR as providing 8 individual rights (as also described here, here and here). The eight are the
Right to be Informed (aka Right to Know or Right to be Notified);
Right to Access;
Right to Correct (aka Right to Rectification);
Right to Delete (aka Right to Erasure or Right to be Forgotten);
Right to Restrict Processing;
Right to Data Portability;
Right to Object to Processing; and
Right to Reject Automated Decision Making and Profiling.
When the CCPA came out, it provided some of the rights above, but really focused on emphasizing two additional rights (both of which are implicitly covered by the GDPR, just not called out as formal rights per se):
Right to “Opt-Out” of Sale of Personal Information (aka Right to Say No)
Right of No Retaliation (aka Right to not be Discriminated Against)
The CPRA is a superset of the CCPA and delivers the Right to Correct which was not in the CCPA. It also proposes a net new right (which is also implicitly covered by the GDPR):
Right to Limit Use of Sensitive Personal Information (including Precise Geolocation)
and modifies the "Opt-Out"/"Right to Say No" right to stop selling your personal data to also include stopping the “sharing” of personal information (which also is implicitly covered by the GDPR):
Right to “Opt-Out” of Sale and Sharing of Personal Information (aka Right to Say No)
So, if you add everything up, we will focus on comparing the 11 rights that are specifically called out in the GDPR, CCPA and CPRA. Here’s how they look in a summary table and what each provides:
So, the “net net” is that the CPRA is very close to the GDPR in terms of providing individual rights (again “consumer rights” in CCPA/CPRA vernacular and “data subject rights” in GDPR vernacular). In fact the CPRA is more prescriptive and provides more definition than the GDPR when it comes to the rights that consumers have vis a vis the selling and sharing of their personal information and the limitation of the use of their sensitive personal information. The point is that the GDPR is no longer the sole world’s “gold standard” for data privacy and protection — if it makes on the California ballot in November and passed by voters, the CPRA is neck and neck with GDPR (but remember the CCPA is no slouch either!) in terms of individual rights.
The two rights where the CCPA and CPRA is not matching the GDPR is the right to restrict processing and the right to object to processing. This I believe has to do with the interpretation of the US Constitution's 1st Amendment that in general lets a business collect data that it wants to (see Sorrell v. IMS Health Inc.). The CCPA/CRPA does require that a business disclose what categories and the purpose for which they are collecting personal information (i.e. Right to be Informed), so as long as the consumer is informed and they don't opt-out (or opt-in in the case of minors) or limit usage, the business can collect and can’t be restricted and/or deal with objections (again except when it comes to selling/sharing personal information and/or limiting the use of sensitive data). Note that Section 5(a) of the FTC Act does provide some consumer protection vis a vis objection/restricting processing in that it provides that “unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful” per 15 U.S.C. Sec. 45(a)(1).
Let’s now look at the eleven in more detail.
#1 Right to be Informed (aka Right to Know or Right to be Notified)
All three require that individuals are informed of the categories and purpose of the collection of data and if their personal data will be sold. GDPR and CPRA also requires notification if the personal information will be shared. Furthermore, all three require that the data subject be notified of their individual rights (e.g. delete) vis a vis their personal data. GDPR does call for notifying data subjects re: the “legal basis for the processing,” which is not required for CCPA/CPRA. CPRA also requires notification if the information collected is sensitive personal information (see scope blog post for an explanation of that categorization of personal information). Finally, GDPR and CPRA requires notification of length of time the data will be stored.
#2 Right to Access
All three support the right to access to the categories of personal data, the recipients of the data, the purposes of collection and processing, as well as the actual data itself.
#3 Right to Correct (aka Right to Rectification)
GPDR and CPRA support this, CCPA does not.
#4 Right to Delete (aka Right to Erasure or Right to be Forgotten)
All three support, but each have slightly different exemptions. All three require any entities that were given the personal data to also delete. CPRA specifically says a service provider or contractor is not required to fulfill a deletion requested submitted directly by the consumer to that service provider or contractor.
#5 Right to Restrict Processing
GDPR lets a data subject to have the right to restrict the controller’s processing of the data subject’s data under a few scenarios including the accuracy of the personal data is contested by the data subject or the processing is unlawful. Furthermore, the controller must take steps to inform other recipients of that subject's personal data being restricted.
CCPA does not offer this consumer right per se, except for the right to opt-out of the selling of personal information (see below). CPRA gets a consumer’s rights much closer to this GDPR right by not only providing the right to opt-out of the selling of personal information, but also the sharing. Furthermore, CPRA can limit the use of sensitive personal information, and given the broad definition of sensitive personal information, many scenarios are covered in the ability to restrict processing.
#6 Right to Data Portability
Yes, all three support. In case this is not self-explanatory, CPRA describes this as a business shall "provide the specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format, which also may be transmitted to another entity at the consumer's request without hindrance."
#7 Right to Object to Processing
GDPR supports this and describes this right as: "The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her." Objections can be based on concerns over profiling, direct marketing, scientific and other matters.
CCPA does not offer this consumer right per se, except for the right to opt-out of the selling of personal information (see below). CPRA gets a consumer’s rights much closer to this GDPR right by not only providing the right to opt-out of the selling of personal information, but also the sharing. Furthermore, CPRA can limit the use of sensitive personal information, and given the broad definition of sensitive personal information, many scenarios re: objections could conceivably be covered.
#8 Right to "Opt-Out" of Sale and Sharing of Personal Information (aka Right to Say No)
This is not one of GDPR's formally defined rights per se, but GDPR does provide other rights that can net the same result. e.g. the right to object: "Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes." In addition, data subjects could revoke their right of consent as part of their right of erasure vis a vis direct marketing.
In the case of CCPA, "a consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.”
CPRA extends this right to include sharing. The CRPA defines “sharing” as transferring/disclosing/etc. personal information to a third party for cross-context behavioral advertising (think “retargeting” of digital ads based on your internet behavior and activity) — whether you do so for monetary value or not.
#9 Right to Limit Use of Sensitive Personal Information (including Precise Geolocation)
This is not one of GDPR's formally defined rights per se, but this is an implicit right in that the use of sensitive personal information is prohibited: "Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited." However, this will not apply in a number of cases including if the data subject gives explicit consent; is done in the context of labor or employment laws; is done for social security legislation; is done in the vital interest of the data subject, and others. For other categories of personal information that are found in the CPRA definition of sensitive data, GDPR provides the right of restriction and objection (see above).
CCPA has not such classification or call out of sensitive personal data but CPRA does, and defines “sensitive personal information” (SPI) as being
social security, driver’s license, state ID card, or passport number;
account log-in (including access code and password), financial account, debit card, or credit card number
precise geolocation;
racial or ethnic origin, religious or philosophical beliefs, or union membership — ala the GDPR;
mail, email and text messages, unless the business is the intended recipient of the communication;
genetic and biometric data;
personal information collected and analyzed concerning a consumer’s health; and
personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
As it relates to what rights a consumer gets vis a vis sensitive personal information, the CPRA states that "a consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer's sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services."
Note I am highlighting "precise geolocation" in the description of this right as the group behind CRPA is really pushing this a key “new feature” in Version 2 as shown in the screenshots below
#10 Right to Reject Automated Decision Making and Profiling
The GDPR has this as its 8th and final right: "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her." Exceptions include the data subject's explicit consent or the performance of a contract.
The CCPA has no such right, but the CRPA leaves the possibility of this right being issued as a regulation by the Privacy Protection Agency.
#11 Right of No Retaliation (aka Right to not be Discriminated Against)
This is not one of GDPR's formally defined rights per se, but GDPR is implicit that discrimination is not allowed. e.g. "The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to ... rise to discrimination".
The CCPA states that if a consumer requests access or any of their individual rights, they can’t be discriminated against. Examples include:
(1) Denying goods or services to the consumer.
(2) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(3) Providing a different level or quality of goods or services to the consumer.
(4) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
The CPRA states the same as the CCPA, but also adds a further clarification that this right "does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs."
Possible #12 Right?
Another potential "right" is the "Right of Private Action," i.e. for consumers/data subjects to initiate legal action against businesses/controllers. I will actually cover this right for the three in a future blog post on enforcement.
......
So those are the rights, let’s next talk about the business obligations that the CPRA introduces.
