CCPA Series 1: Interpreting the CCPA, the Most Stringent Privacy Law in the United States: Which Companies Need to Pay Attention?
Aug 2, 2023
1. What is CCPA—the US version of GDPR
The California Consumer Privacy Act (CCPA) is the next major data privacy law to follow the promulgation of the European Union's General Data Protection Regulation (GDPR). It was officially promulgated on June 28, 2018, was revised several times over the following two years, and was officially implemented on July 1, 2020.
The CCPA is the first comprehensive data privacy legislation in the United States. The United States currently has no general data protection law comparable to the GDPR; instead, privacy protection provisions are scattered across legislation for particular industries or fields. For example, the Health Insurance Portability and Accountability Act (HIPAA) addresses how patient privacy information must be protected, and the Children's Online Privacy Protection Act (COPPA) is a federal law formulated specifically to protect children's personal information. The introduction of the CCPA fills the gap in dedicated data privacy legislation in the United States. It aims to strengthen the privacy and data security protection of consumers in California, and it is considered the most stringent consumer data privacy legislation in the United States.
Although the CCPA is state-level legislation, its significance reaches far beyond the United States. California is the most economically developed state in the country: in 2018 its GDP reached 3 trillion US dollars, surpassing the United Kingdom to become the fifth largest economy in the world. Silicon Valley, known as the source of global innovation, is also located in California. A large number of technology companies that have had a profound impact on the global information industry were born there, and they have been the decisive driver of California's economic growth. For any Internet business that wants to enter the United States, California is undoubtedly a key market that must be won.
The CCPA protects any "natural person who is a resident of California". This means that any enterprise providing services to California residents that meets the CCPA's applicability threshold must comply with its rules when collecting, processing, buying or selling users' personal information.
At present, most international technology giants, including Microsoft, Amazon and Apple, specifically inform users in their privacy policies that, when the user is a California resident, personal information will be collected, processed and sold in strict accordance with the CCPA. TikTok, too, lists California as a special jurisdiction in its privacy policy and promises to abide by the relevant regulations and protect consumers' privacy rights. That a piece of state legislation is written into the privacy policies of so many international giants shows that its impact is as far-reaching as that of the EU's GDPR.
2. Applicable Threshold of CCPA
The CCPA and the GDPR also differ in their regulatory approach to the entities they apply to.
The CCPA stipulates that the act applies to businesses operating in California for profit or economic benefit whose operations involve collecting and/or processing personal information and that meet one or more of the following conditions:
(1) Annual revenue exceeding US$25 million;
(2) Annually purchasing, collecting, selling or sharing, alone or in combination, the personal information of 50,000 or more consumers, households or devices for commercial purposes;
(3) Deriving 50% or more of annual revenue from selling consumers' personal information.
In setting its applicability thresholds, the CCPA concentrates on enterprises that carry out data processing activities for profit. The "US$25 million annual revenue threshold" and the "50,000 consumers, households or devices threshold" focus its jurisdiction on large companies with a large impact and high risk. Note that the US$25 million refers to the company's total global revenue, not only its revenue in California.
In contrast to the CCPA's "differentiated treatment", the regulatory scope of the GDPR covers almost any organization or enterprise that handles the personal data of EU citizens, and the exemption threshold it sets for small and medium-sized enterprises is so strict that SMEs can rarely benefit from the exemption in practice, which greatly increases their compliance burden. Article 3 of the GDPR stipulates that the GDPR applies in the following three situations:
(1) The data controller or data processor has an establishment in the EU, regardless of whether the data processing takes place in the EU or abroad;
(2) The data controller or data processor has no establishment in the EU, but offers goods or services to EU data subjects, or monitors behaviour that takes place in the EU;
(3) The data controller or data processor has no establishment in the EU, but the law of an EU member state applies by virtue of public international law.
In its provisions on scope, the CCPA reasonably excludes two types of entities from the outset: non-profit organizations, and small and medium-sized enterprises that do not meet the applicability threshold. As a leading hub of the global IT industry, California, while protecting consumer privacy, has also fully considered how to avoid legislation that would impose excessive compliance burdens on small and medium-sized enterprises and stifle corporate innovation.
3. Which Enterprises are not Governed by CCPA?
1. Industries covered by federal legislation, such as finance and healthcare, are not governed by the CCPA
Under United States law, when the subject matter of federal legislation and state-level legislation overlaps or even conflicts, the federal legislation takes precedence. The CCPA is state-level legislation and is binding at the state level, so the privacy protection of industries covered by federal legislation is not governed by the CCPA. Businesses entering the United States should first determine whether their industry is subject to the CCPA. For example, an online consumer installment lending platform belongs to the financial industry and must follow the user privacy protection provisions of federal legislation such as the Financial Services Modernization Act, so the CCPA no longer applies to it. The following are some of the industries to which federal legislation applies:
(1) Medical industry: Health Insurance Portability and Accountability Act
(2) Financial industry: Financial Services Modernization Act
(3) Driver information: Driver's Privacy Protection Act
(4) Credit bureaus: Fair Credit Reporting Act
(5) Consumer reporting agencies: United States Code
2. Data service providers (service providers) are not subject to the jurisdiction of the CCPA
Data service providers are enterprises that provide data processing services on behalf of data controllers. The CCPA stipulates that a data service provider is exempt from direct CCPA jurisdiction as long as the following two conditions are met:
(1) The data controller informs consumers in its privacy policy that the collected personal information will be shared with the data service provider;
(2) The data service provider does not additionally collect, sell or use consumers' personal information, except for necessary business purposes.
Although data service providers are not directly under the jurisdiction of CCPA, they should abide by the terms of the contract signed with the data controller and take measures to ensure data security. In addition, providers should still take care to comply with the privacy protection provisions of other federal legislation. For example, when the entrusted data contains personal information of children under the age of 13, the data service provider should take measures to protect the children's data in accordance with the Children's Online Privacy Protection Act.
4. Compliance Recommendations
Although the CCPA is a privacy protection law aimed specifically at California consumers, given California's world-leading economic size and technological innovation strength, the significance of the CCPA extends far beyond California. As the first comprehensive data privacy legislation in the United States, the promulgation of the CCPA also sets an important example for the legislative process in other states. A company entering the U.S. market should first clarify whether its industry falls under the jurisdiction of the CCPA, and whether its revenue scale and volume of personal information processing meet the applicability threshold. For example, audio and video, gaming and social platforms should focus on the CCPA when entering the United States, while financial lending and consumer installment apps should focus on federal laws related to the financial industry such as the Financial Services Modernization Act, and should adjust their privacy policies in a timely manner to avoid violations.