The scope of the GDPR, the CCPA, and the 2020 Washington Privacy Act bill compared

Image credit: https://commons.wikimedia.org/wiki/File:Data_privacy.svg

UPDATE on the Washington Privacy Act

March 2020 – Washington Privacy Act fails again

It was almost taken for granted that the Washington Privacy Act would pass this time. The Washington State House and Senate were debating two similar bills. The major difference was in the enforcement mechanism: while in the House’s bill both the Attorney General’s office and any Washington resident had a right of action, the Senate’s bill allowed only fines imposed by the Attorney General’s office. The House’s version was preferred by consumer organizations and by the Attorney General’s office itself, while the Senate’s version was preferred by the tech companies (even though some of the most important tech companies had eventually come around to the House’s version).

On March 12, 2020, the House and the Senate could not reach an agreement, and the two chambers then announced that the Privacy Act could not be passed. They also announced their intention to work on the legislation again next year.

_______________________________________________________________________

Three privacy laws have been the object of much discussion recently.

The GDPR (EU General Data Protection Regulation), which came into force in June 2016 but whose application was delayed to 25 May 2018, is already in force and strictly enforced.

The California Consumer Privacy Act of 2018, Civil Code sections 1798.100 et seq. (“CCPA”), was passed in June 2018 and amended in September 2018; additional substantive amendments were signed into law on October 11, 2019; the law entered into force on January 1, 2020. According to the law, its enforcement will start 6 months after the publication of the Attorney General’s implementing regulations, or on July 1, 2020, whichever comes first. A ballot initiative, the California Privacy Rights and Enforcement Act (CPREA, colloquially called CCPA 2.0), is pending; it proposes to modify and extend parts of the CCPA.

The Washington Privacy Act (SSB 6281) (“WS 2020 Bill”) is not law yet; last year a similar act failed to pass in Washington State, but the WS 2020 Bill is likely to be approved in March. See here.

Which law has the broadest scope?

The GDPR has the broadest scope. It actually defines its scope in terms of “processing” and not in terms of protected individuals (called “data subjects”). Article 3.1 provides that the GDPR applies to “processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” Therefore, if the organization has an establishment in the EU, every data subject is protected, whether an EU resident or not, as long as the processing of their data is “in the context” of that establishment. Whereas clause (22) clarifies that “Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.” It is not always easy to decide whether an organization has an EU establishment. Also, when an organization has several offices around the world, including one in Europe, it is not always easy to determine when the processing is “in the context” of the European one.

GDPR Article 3(2)(a) provides that the Regulation

applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union;

Under this provision, if an organization has no establishment in the EU but targets the EU, the GDPR applies to the processing of data of “data subjects who are in the Union”; it is worth noting that the data subjects do not need to be residents. Some of the targeting criteria that meet this definition are listed in Whereas (23) and have been further clarified by the EDPB’s Guidelines 3/2018 on the territorial scope of Regulation 2016/679/EU.

GDPR Article 3(2)(b) provides that the Regulation applies

to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Not every form of monitoring qualifies for this purpose (“it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”).

While the exact contours of the GDPR can sometimes be fuzzy, the scope of the CCPA and of the 2020 Washington Privacy Act (SSB-6281) (“WP Bill”) appears to be much more straightforward. Both the CCPA and the WS Bill protect the residents of those states (California residents for the CCPA and Washington residents for the WP Bill).

Unlike the GDPR,[i] the CCPA and the WP Bill do not apply to everyone who processes data:

  • The CCPA imposes its obligations on for-profit businesses doing business in the State of California and meeting one of these three conditions: (1) $25 million annual revenue; OR (2) 50,000+ consumers; OR (3) 50% of annual revenue derived from selling consumers’ personal data. CCPA 1798.140(b)[ii]
  • The 2020 WP Bill imposes its obligations on non-governmental legal entities, not covered by HIPAA, that “conduct business in Washington or produce products or services that are targeted to residents of Washington” and that meet one of two conditions: (1) more than 100,000 consumers during a calendar year; OR (2) derive more than 50% of annual revenue from the sale of personal data AND process or control the personal data of more than 25,000 consumers.[iii]

It is worth noticing that, unlike the GDPR, which applies to “data subjects”, both the CCPA and the 2020 WS Bill refer to “consumers”. Under the CCPA, “Consumer” “means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.” Section 1798.140(g).[iv] It should be noted that “resident” is not the equivalent of “domiciled”; the former is broader than the latter. Section 17014 of Title 18 of the California Code of Regulations has the purpose of identifying people who are subject to taxation in California, so that definition needs to be quite generous. For example, a person who is studying at a California university, and who will probably want to return to their original domicile after obtaining the degree, is probably a protected resident under the CCPA.

More on the term “resident” under the CCPA in What is a ‘consumer’ under the CCPA?, available here.

In addition, it should be noted that “all Californians who meet the residency and domicile requirements … are considered consumers. Even when they are not acting as such. […] Although the CCPA is written specifically in order to protect California consumers—as the name of the law itself tells us—the text of the law never makes a distinction between individuals in their capacity as consumers and otherwise. According to the CCPA, all Californians, in all of their capacities, are consumers under the CCPA. ” How the CCPA Defines “Consumer”, available at https://www.sixfifty.com/how-the-ccpa-defines-consumer/

Some exclusions have been passed by the California legislator (for example for job applicants’ information until January 2021), somewhat restricting the scope in certain transactions. However, the principle remains: a business should assume that the protection is NOT limited to individuals acting in their traditional consumer capacity.

“Consumer” under the 2020 WS Bill would seem more straightforward (amendments are still possible, of course): “(6) ‘Consumer’ means a natural person who is a Washington resident acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.” 2020 WS Bill Section 3, Definitions.

It is worth pointing out that the 2020 WS Bill, unlike the CCPA, does not require the organization to actually conduct business in Washington State; targeting the residents of that State is sufficient (the echo of the GDPR is quite clear here): the law “applies to legal entities that conduct business in Washington or produce products or services that are targeted to residents of Washington” (emphasis added). That this is different from the CCPA has already been noted by early commentators,[v] but more specification from the Washington legislator is probably needed on this targeting criterion.

In conclusion, the GDPR has the broadest scope, followed by the 2020 WS Bill, and then the CCPA. The scope of the GDPR – literally very broad – has been refined by guidelines issued by the EU authorities (e.g., the EDPB’s Guidelines 3/2018 on the territorial scope of Regulation 2016/679/EU), even if only the concrete application to specific situations can clarify residual doubts. The exact reach of the CCPA and the 2020 WS Bill is still uncertain. Exactly as for organizations dealing with the data of Europeans, no organization (above medium size) that deals with California and Washington State consumers can rest easy.

For more information, Francesca Giannoni-Crystal

____________________________

[i] If a controller/processor is within the scope of the GDPR, the GDPR applies (irrespective of the size of the organization and the number of data subjects whose data are processed) unless one of the few exceptions applies. Article 2. At least one of the obligations of the GDPR, however, does not apply to small organizations. See Article 30(5), Records of processing activities.

[ii] CCPA 1798.140

(b) “Business” means:

(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

[iii] Section 4 of the 2020 WP Bill

This chapter applies to legal entities that conduct business in Washington or produce products or services that are targeted to residents of Washington, and that satisfy one or more of the following thresholds: (a) During a calendar year, controls or processes personal data of one hundred thousand consumers or more; or (b) Derives over fifty percent of gross revenue from the sale of personal data and processes or controls personal data of twenty-five thousand consumers or more.

Section 4(2) of the 2020 WP Bill lists the exceptions from the scope of the Bill, which are detailed but essentially consist of governmental and quasi-governmental entities (“State agencies, local governments, or tribes” and “Municipal corporations”), entities covered by HIPAA, “activities relating to a consumer’s credit worthiness, personal data governed by the Gramm-Leach-Bliley Act, personal data governed by the Family Educational Rights and Privacy Act.” Mitchell Noordyke, Comparing the new Washington Privacy Act to the CCPA (“Comparing WPA to CCPA”), available here.

As for the non-profit sector, at least one commentator has noted that the lack of an express exclusion does not necessarily mean that non-profits are included:

“The WaPA does not specifically exclude nonprofits, but the jurisdictional scope section states it applies to entities “conducting business in” or that “target Washington residents,” so we may see some clarification during the legislative process.” Comparing WPA to CCPA, cited above.

[iv] Section 17014 of Title 18 of the California Code of Regulations provides:

“The term “resident,” as defined in the law, includes “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.”

The meaning of “temporary or transitory purpose” is given by Section 17014(b) of Title 18.

(b) Meaning of Temporary or Transitory Purpose. Whether or not the purpose for which an individual is in this State will be considered temporary or transitory in character will depend to a large extent upon the facts and circumstances of each particular case. It can be stated generally, however, that if an individual is simply passing through this State on his way to another state or country, or is here for a brief rest or vacation, or to complete a particular transaction, or perform a particular contract, or fulfill a particular engagement, which will require his presence in this State for but a short period, he is in this State for temporary or transitory purposes, and will not be a resident by virtue of his presence here.

If, however, an individual is in this State to improve his health and his illness is of such a character as to require a relatively long or indefinite period to recuperate, or he is here for business purposes which will require a long or indefinite period to accomplish, or is employed in a position that may last permanently or indefinitely, or has retired from business and moved to California with no definite intention of leaving shortly thereafter, he is in the State for other than temporary or transitory purposes, and, accordingly, is a resident taxable upon his entire net income even though he may retain his domicile in some other state or country.

[v] A New U.S. Model for Privacy? Comparing the Washington Privacy Act to GDPR, CCPA, and More, available here:

The 2020 Washington Privacy Act (SSB-6281) would govern legal entities in Washington that collect data from Washington residents. Although narrower in scope than the GDPR, the WPA contains a significantly broader scope and territorial reach than the CCPA. Unlike the CCPA (which governs for-profit businesses), the WPA would also govern non-profit organizations, including public charities and foundations. In some cases, the WPA would even govern entities that do not “conduct business” in Washington, if they produce products or services “targeted to” residents of Washington.