23 April 2020
The United States, unlike many other legal jurisdictions, has no general privacy or data protection law. At the federal level, CAN-SPAM regulates commercial email, COPPA covers websites and apps aimed at children, and the Federal Trade Commission provides some best practice guidance.
The state of California has long been at the forefront of regulating online privacy in the United States. Since 2004, website admins and businesses have been creating Privacy Policies to comply with the California Online Privacy Protection Act (CalOPPA). California's privacy law, the California Consumer Privacy Act (CCPA), passed in June 2018, and took effect on Jan 1, 2020.
The laws are very different. Compliance with CalOPPA looks relatively easy compared to the CPPA. But the scope of CalOPPA is much broader, and many businesses will not have to worry about complying with the CCPA.
Let's take a look at how the two acts compare, and how they might apply to you.
There are some similarities in terms of the scope of the two acts. They are both data protection laws, intended to protect the privacy of consumers in California. "Consumers" refers to anyone residing in California.
Both acts are addressed to commercial enterprises.
Despite these similarities, the laws are trying to achieve quite different aims among different types of businesses.
The first line of CalOPPA makes it clear who the Act applies to:
"An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service [...]"
There's no restriction here. The operator of a commercial website could come from Fresno or France. They could be turning over a billion dollars a year or making no money at all. All that matters is that the commercial website collects personal information about California residents. We'll look at how the Act defines personal information below.
It's important to note that CalOPPA does not apply to Internet Service Providers or other services that process personal information on behalf of a third party. It's aimed squarely at website and online service operators. However, it does apply to other types of service providers.
Those online services, by the way, include mobile apps - as was confirmed in October 2012 when the California Attorney threatened scores of non-compliant mobile app providers with fines under CalOPPA.
The CCPA uses the same language as CalOPPA in terms of its geographical scope. It doesn't only apply to California businesses. It applies to any business that impacts people in California.
Beyond this, the scope of the CCPA is very different. This is best explained by looking at how the Act defines "business."
For the purposes of the CCPA, a "business" is any legal entity which:
Whenever you see the CCPA refer to a "business," this is what it means. The law is basically designed to hit social networks, data brokers and large corporations. Non-profits, individuals and small or medium-sized businesses don't have to comply.
As we've seen, the two acts both regulate personal information - but they define "personal information" differently.
A lot has changed since CalOPPA first passed in 2004. Perhaps most significantly, the EU passed the General Data Protection Regulation (GDPR). EU privacy law takes an extremely broad definition of personal information. The influence of EU law on CPPA is clear in this respect.
Instead of "personal information," CalOPPA uses the term "personally identifiable information," which it defines as:
"individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form"
The following examples are given:
That last point is important. Information collected by browsers, such as cookies and IP addresses, might be personally identifiable information under CalOPPA - depending on how this information is stored. If you store someone's IP address alongside their another piece of personal information, for example their email address, the IP address constitutes personal information. Otherwise, it does not.
The CCPA defines "personal information" as:
"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
This definition is very similar to that given under the strict privacy laws of the EU - and in fact seems even broader, given the inclusion of the word "household."
The CCPA gives a lot of examples. We won't look at them all. But significantly, in addition to those given under CalOPPA, the CCPA includes:
"Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement."
The CCPA also makes reference to IP addresses and location data, which constitute personal information in their own right.
There are big implications here - information that websites collect as a matter of routine, for example in their web server log files, now unambiguously qualifies as personal information - and must be treated as such.
Firstly, the Policy must disclose:
Here's an example from Agency Central:
You'll also need to include Information about procedures and processes:
Here's an example from October Club:
CalOPPA was amended in 2014 so that Privacy Policies now also have to include technical information such as:
This is a browser setting which requests that website does not apply tracking technology to the visitor. Note that CalOPPA doesn't specify how you should treat such signals, only that you disclose how these are treated. You can also link to a resource such as a browser extension that will provide this facility.
Here's an example from Apple:
Whilst fewer businesses are required to comply with the CCPA than with CalOPPA, compliance takes a lot more work.
If you're familiar with the EU's GDPR, you'll know about the rights it gives EU residents in relation to their personal information. The CCPA provides Californians with a similar set of rights. It's the job of businesses to help them access these rights:
The CCPA also requires that children opt in to any sale of their personal data.
Businesses that fall within the CCPA's scope must amend their Privacy Policies to include certain information, and must update this information once per year.
The CCPA also requires the business to provide a conspicuous link reading "Do Not Sell My Personal Information," which leads to a page where the consumer can notify the business that they do not wish them to sell their personal information. A toll-free phone number must also be provided by some businesses.
The CCPA has Notice requirements that you'll need to become familiar with as well, which we address in detail in our article: CCPA Notices.
Enter your email address where you'd like your policy sent, select translation versions and click "Generate."
Violating either act can lead to fines and could be disastrous for any business. However, there are differences concerning who can bring an action, and what the maximum penalty is under each act.
That doesn't sound too bad - until you consider what counts as a "violation." Each time a California resident visits your non-compliant website or downloads your non-compliant app could count as an individual violation.
There's no way for an individual to bring a private case based on a CalOPPA violation - the law is enforced by the California Attorney General.
The enforcement of the CCPA is a little more complicated. There are three ways that a company might end up being fined under the CCPA.
Firstly, like CalOPPA, the Attorney General can issue penalties of up to $2,500 per Section 17206 of the Business and Professions Code. Twenty percent of the total penalty will be paid into a Consumer Privacy Fund, designed to help the Attorney General recover the costs of legal action brought under the Act.
Secondly, the CCPA also states that a business that intentionally violates the Act may be fined up to $7,500 for each violation.
Thirdly, private claims can be brought by consumers. This is only possible in the event that a business covered by the CCPA allows "unauthorized access and exfiltration, theft, or disclosure" of a consumer's data, owing to a failure to maintain "reasonable security procedures."
Each consumer can recover between $100 and $750 per incident, or actual damages - whichever is higher. "Actual damages" means any amount of money or property that the consumer actually lost as a result of the security incident.
CalOPPA and the CCPA are among the most comprehensive privacy laws in the United States. Together, the acts provide a powerful set of protections for California consumers' privacy.
They share some similarities and differences in terms of scope:
They have slightly different definitions of personal information:
The acts have different requirements:
There are also different penalties for each act:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.