California and European Privacy FAQs: If a company already drafted a privacy notice to comply with the GDPR, does it need to change the notice to comply with the CCPA?

March 15, 2019

The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation ("GDPR").

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. If a company already drafted a privacy notice to comply with the GDPR, does it need to change the notice to comply with the CCPA?

Yes.

While the CCPA incorporates many of the privacy notice disclosure requirements found within the GDPR, some disclosure requirements are unique to the CCPA and other disclosure requirements are unique to the GDPR.  The net result is that a well-drafted GDPR-compliant privacy policy will need to be revised in order to fully comply with the CCPA.

The following chart compares the requirements of the GDPR and the CCPA with regard to privacy notice disclosures (Y = disclosure required; X = disclosure not required):

Required Privacy Notice Disclosure                                     CCPA   GDPR
1.  Ability to object to processing for certain purposes                X      Y
2.  Ability to opt out of the sale of information                       Y      Y(1)
3.  Ability to withdraw consent to processing                           X      Y
4.  Access rights of individuals                                        Y      Y
5.  Categories of personal information shared with service providers    Y      X
6.  Categories of personal information sold to third parties            Y      X
7.  Contact information for the company                                 Y      Y
8.  Contact information for the data protection officer (if any)        X      Y
9.  Cross-border transfers of information                               X      Y
10. Data retention period                                               X      Y
11. Erasure rights of individuals                                       Y      Y
12. Specific categories of data fields collected                        Y      X
13. Purposes for which information will be used                         Y      Y
14. Rectification rights of individuals                                 X      Y
15. Right to lodge complaints with regulators                           X      Y
16. Sources from which personal information was collected               Y      Y
17. Third-party recipients of information                               Y      Y
18. Toll-free telephone number for submitting requests                  Y      X
19. Types of personal data collected                                    Y      Y
20. Use of data for automated decision making                           X      Y

(1) The GDPR does not require that an organization provide individuals with an ability to opt out of the sale of information, but it does require that organizations notify individuals about their right to object to certain types of processing which, in some instances, could include the sale of information to a third party.