California Privacy Law VS GDPR: individuals’ rights with respect to their personal data
We have been discussing the similarities and differences between the CCPA and GDPR. In our first article (see here), we compared the applicability of the regulations and the basis for processing personal data. In this second article, we will look at individuals’ rights with respect to their personal data.
Individuals’ Rights with Respect to Their Personal Information/Data
Data subjects/consumers have certain rights regarding their personal data/information under both the GDPR and the CCPA.
According to the GDPR, a data subject has the right to request that a data controller provide information about and access to their data, erase the data, correct it, and transmit it to another controller (data portability), as well as the right to object to or restrict the processing of their data. The data controller must inform data subjects of these rights. If the personal data is being collected and processed on the basis of the data subject’s consent, the data controller must also inform the data subject of their right to withdraw that consent. This information is provided in a privacy notice.
The CCPA also provides consumers with certain rights regarding their personal information and businesses must notify consumers of these rights. If a business collects personal information, a consumer has the right to ask that business to disclose the categories and specific pieces of personal information the business collected. This right to access also includes a de facto right to data portability as the data must be provided to the consumer in a portable format, permitting the consumer to transmit their personal information to another entity. Consumers also have the right to have their personal information deleted.
Under the CCPA, if a business sells personal information, the consumer can request that the business tell the consumer the categories of personal information collected, the categories of information sold, and the categories of third parties to whom the information was sold. Note that a third party who purchased the personal information from a business cannot further sell that personal information unless the consumer has received specific notice of the sale and has been given the opportunity to opt out of it.
A business must honor these California consumer rights only when the business receives a verifiable request from a consumer. When a consumer requests disclosure of the personal information the business has collected, the business is required to disclose the information that was collected, sold, and disclosed within the past 12 months. When a valid request is received, the business must disclose and deliver this information to the consumer free of charge within 45 days. This deadline for a business to fulfill a consumer’s request to access personal information or have it deleted is longer under the CCPA than under the GDPR. In general, under the GDPR organizations must fulfill such requests within one month of receipt.
Right to Opt-Out of Sale of Personal Information
The CCPA often focuses on data already in the hands of businesses, whereas the GDPR has a greater focus on data before it is collected and processed. For example, the CCPA, unlike the GDPR, does not require a legal basis, such as prior consent from consumers, before processing personal information. A business also does not need prior consent before selling the personal information of non-minor consumers. However, these non-minor consumers do have the right to request that a business selling their personal information stop selling it. In other words, consumers can opt out of the sale of their data.
To enable consumers to exercise their right under the CCPA to opt out of the sale of their data, it is important that a company provide very clear directions on its websites/apps on how consumers can exercise this right. To this end, the CCPA requires that a business have a link/button on its website that clearly states, “Do Not Sell My Personal Information”. This allows the consumer to easily and quickly opt out of the third-party sale of their personal information. If your company is a business for purposes of the CCPA, then you need this link/button on your website/app for residents of California so that consumers can exercise their right to opt out of such sales. Note that a “sale” of personal information under the CCPA does not necessarily involve a monetary payment in exchange for the personal information. If your business receives other valuable consideration for the personal information, that is still considered a “sale” under the CCPA and you must give consumers the right to opt out.
The CCPA has different requirements regarding the sale of minors’ personal information. For minors (under 16 years of age), the consumer does not opt out of the sale of personal information; instead, the CCPA requires an opt-in for such sales. If a child is under 13 years of age, the parent must provide consent for the minor’s information to be sold. If the child is 13-15 years of age, they can provide their own consent. Under the GDPR, if consent is the legal basis for processing personal information, such consent must be provided by a parent if the child is under 16 years of age.
The CCPA and GDPR both provide consumers/data subjects with certain rights regarding their personal information/data. The rights afforded to data subjects under the GDPR are broader, including the right to rectify incorrect data, to object to or restrict processing, and the explicit right to data portability. Both pieces of legislation require businesses/organizations to notify individuals of their rights. Under the CCPA, consumers have the right to opt out of the sale of their personal information, and a business must provide this opt-out on its website/app.