Turkish Law Blog
Will the California Consumer Data Privacy Act Affect Your Business?
It is already well known that the European General Data Protection Regulation (“GDPR”) has had an impact well beyond the borders of the European Union. Many businesses worldwide have taken privacy measures to comply with it. Turkey may have been on the “lucky” side because the Turkish Personal Data Protection Law (No: 6698) stems from the European Data Protection Directive, which was succeeded by the GDPR.
Now, California has introduced legislation that, similar to the GDPR, will apply beyond businesses in California. The California Consumer Data Privacy Act (“CCPA”) was enacted in June 2018; it will become effective as of January 1, 2020. The CCPA requires that the California Attorney General publish regulations about the implementation, which have not been published to date.
The CCPA applies to certain types of businesses and individuals. A business that is subject to the CCPA is any for-profit entity that collects consumers' personal data and does business in California. Importantly, the business does not have to have a place of business in California; doing business in California is sufficient to meet the requirement. It applies to businesses that satisfy at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million, which of course may change in light of inflation;
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half of its annual revenue from selling consumers' personal information.
The CCPA applies to California residents, defined as any natural person “enjoying the benefit and protection of laws and government” of California who is in California “for other than a temporary or transitory purpose” or “domiciled” in California but “outside the State for a temporary or transitory purpose.”
The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It further says that personal information includes “commercial information” (including “records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies”), “Internet or other electronic network activity information”, “education information” and “audio, electronic, visual … or similar information.”
The CCPA was enacted to enable consumers to know what personal data is being collected about them. To this end, businesses should notify consumers what personal information is being collected, how that information is being collected and used, and to whom it is being disclosed. Consumers will have a right to say “no” to the sale of their personal data. Unlike the “opt-in” option foreseen under the GDPR, the CCPA provides an “opt-out” option. Nevertheless, the CCPA does provide for “opt-in” concerning minor consumers who are under the age of 16. For any minor under the age of 13, parental consent is required, which tends to be in line with the parental consent requirement under the Federal Children's Online Privacy Protection Act (COPPA).
Similar to the “right of erasure” foreseen under the GDPR, the CCPA provides for a right to be forgotten. Businesses should delete information if there is a “verified request” as defined under the CCPA. Businesses should also ensure that personal information is deleted by third-party contractors with whom the business may have previously shared such information.
Another underlying aspect of the CCPA is equal protection. Businesses should provide equal service and price, even if the consumer chooses to opt out. However, businesses may provide for financial incentives. Also, the CCPA does allow a business to charge a different price or provide a different level of service to customers if “that difference is reasonably related to the value provided to the consumer by the consumer’s data.”
The CCPA excludes information that is aggregated or de-identified, as well as medical or health-related information collected by those governed by the Federal Health Insurance Portability and Accountability Act (HIPAA) or California medical regulations. It also excludes publicly available information. However, biometric information collected without the consumer’s knowledge and personal information used for a purpose different from the one for which the information is maintained are not within the scope of the exclusion.
As a final note on enforcement, the CCPA provides for a public right of action, including a right for class actions, which is foreign to many European jurisdictions, including Turkey. However, the private right of action requires the fulfillment of certain procedures and the Attorney General may choose to pursue an action instead. In case of violations, the statutory damages foreseen under the CCPA seem to be lower than those foreseen under the GDPR. Also, a Consumer Privacy Fund will be created to support the purposes of the CCPA and for its enforcement.
As already stated, the CCPA will have an impact beyond the borders of the state. California is “the heart” of the global tech industry. Therefore, tech companies in particular, operating anywhere across the globe but engaged in activities in California, may be required to implement new privacy compliance measures within their organizations: any worldwide business meeting the threshold and engaged in activities in California will be required to comply with the CCPA. Are businesses across the globe prepared for the CCPA? Are Turkish tech businesses that engage in activities in California ready? Are businesses adopting adequate privacy compliance programs? This we will see as 2020 rolls in.