WPA vs CCPA

WPA vs CCPA

If your company operates in or targets consumers in the United States, there's a good chance you'll need to comply with California and Washington state's privacy laws. These laws are known as the California Consumer Privacy Act (CCPA) and Washington Privacy Act (WPA), respectively.

The CCPA went into effect on January 1, 2020 and is a new addition to California's collection of laws aimed at protecting the privacy of its residents.

The WPA law has yet to pass the Washington House at the time of writing. The key elements in the WPA are largely similar to that of the CCPA, since both sought to mirror the EU's General Data Protection Regulation (GDPR).

Nevertheless, both acts contain provisions that are unique to them which we will cover in this article.

To comply with the WPA and CCPA, you'll first need to understand:

  • Who they apply to
  • How you can comply with them
  • Their key similarities and differences

Applying the WPA and CCPA

Applying the WPA and CCPA

Who Do the Laws Apply to?

The WPA applies to businesses that:

  • Control or process data of 100,000 or more consumers, or
  • Derive over 50% of gross revenue from the sale of personal data, and process or control the personal data of 25,000 or more Washington state consumers

The CCPA applies to businesses that:

  • Generate annual gross revenues of over $25 million, or
  • Buy, receive, sell or share the personal information of 50,000 or more devices, households or consumers annually for commercial purposes, or
  • Derive 50% or more in annual revenue from the sale of personal information

Definition of "Business"

In the WPA, businesses refers to:

  • Entities who do business in Washington
  • Entities who produce products or services that intentionally target Washington state residents

This includes all legal entities except for state and local governmental entities.

In the CCPA, businesses refers to entities based in California or who collect data from its residents.

This includes:

  • Sole proprietorships
  • Partnerships
  • Limited liability companies
  • Corporations
  • Associations
  • Legal entities with a profit motive

Definition of "Consumer"

In the WPA, consumer refers to Washington state residents acting in a private context. Note that this does not include those acting in a commercial or employment context.

In the CCPA, consumers refers to California residents

Definition of Personal Data / Information

Under the WPA, personal data covers data that can be linked to or associated with a specific individual.

Note that this does not include de-identified data, i.e. data that cannot be directly or indirectly linked to a specific individual.

Under the CCPA, personal information covers information that is directly or indirectly linked to a specific individual or household.

Publicly-available information from federal, state or local government records is not considered personal information under both Acts.

Complying with the WPA and CCPA

Complying with the WPA and CCPA

When Collecting Consumer Data

A common requirement of privacy laws is to have a Privacy Policy.

But what exactly must you include in your Privacy Policy?

WPA Privacy Policy

Under the WPA, you are obligated to notify consumers of the following when or before collecting their personal data:

  • The categories of personal data that you collect
  • How their data will be used
  • Their rights under the WPA
  • If you'll be sharing their data with third parties, and if so, what categories will be shared and its purposes, and
  • If you'll be processing their data for advertising purposes, and if so, how can the consumer submit a request to object to such processing

If your business utilises facial recognition technology in its physical premises, the consumer must be notified upon or before entering the premises.

CCPA Privacy Policy

Under the CCPA, you are obligated to notify consumers of the following when or before collecting their personal data:

  • The categories of personal data that you collect and
  • How their data will be used
  • A list of consumer privacy rights under the CCPA
  • A list of categories of personal information that your business has or has not collected, sold and/or disclosed about consumers in the last 12 months, and

You also must provide a visible and easily-accessible link with the title "Do Not Sell My Personal Information" that links to a webpage where they can opt out of having their information sold.

Remember that you cannot collect additional information or use said information for additional purposes without notifying the consumer and getting their consent before doing so.

Also, your Privacy Policy and related information should be updated at least once a year or more often if needed.

When Addressing Consumer Concerns

When Addressing Consumer Concerns

WPA

If you receive a verified consumer request asking for changes to be made to their personal data, you are obligated to make the necessary changes as soon as possible.

The consumer has a right to:

  • Request a copy of their personal data
  • Request correction of inaccurate data
  • Request completion of incomplete data
  • Request the deletion of their data
  • Opt out of the sale of their data
  • Object to the processing of their data for targeted advertising, and
  • Request that you restrict the processing of their data if they find that such data is being processed for illegal purposes or reasons inconsistent with that that they were informed of at the time of collection or consent

You must respond within 30 days of receiving the consumer's request, whether to deliver on their request or to inform them that more time is needed.

The response period can be extended by up to 60 additional days.

Here's how Spotify informs users of their rights:

Spotify Privacy Policy: Your rights and your preferences: Giving you choice and control clause

CCPA

Should you receive a verified consumer request, you are obligated to take steps to honor the request and respond as soon as possible. Information that a consumer has a right to request includes:

  • Categories of information you've collected about them
  • Categories of sources from which the information was obtained
  • Categories of third parties that the information was shared or sold to
  • The business or commercial purpose(s) for collecting or selling this information, and
  • Specific pieces of information that was collected about the consumer

The consumer also has the right to request that their information be modified or deleted, and they can also opt out of having their information sold to third parties.

There also needs to be at least two ways to submit requests, such as through a toll-free telephone number or email address.

You must respond to the consumer's request within 45 days of receiving it, whether to deliver on their request or to inform them that more time is needed.

The response period can be extended by up to 45 additional days.

When verifying requests:

  • Be sure to first verify that the person who submitted the request really is the consumer (or someone authorised to act on the consumer's behalf) that your business has collected information on before responding to their request.
  • You cannot require the consumer to create an account with your business in order to make a verifiable request.

Here's how the Bear app informs users about how their request will be processed:

Bear App Privacy Policy: How to exercise these rights clause

When Processing Consumer Data

When Processing Consumer Data

Both the WPA and CCPA require businesses to adopt comprehensive data security measures to safeguard consumer data that they have collected.

However, there are several provisions that are exclusive to the WPA that were drafted with the aim of making the parameters for data processing as unambiguous as possible. These provisions are applicable as follows:

When "Profiling" Consumers

The WPA prohibits businesses from profiling consumers according to their economic, health or other specific factors unless:

  • The consumer consents to it
  • It is permitted by law, or
  • It is necessary to do so in order to execute your contract with the customer.

When Making "Final Decisions"

The WPA prohibits businesses from making decisions that may have a significant effect on consumers (legal or otherwise) based only on data that was processed through automated means. This means that decisions that may impact a consumer in a big way must go through some form of human review and not be solely decided by machines.

You can see this clause included in 23andMe's Privacy Policy:

23andMe Privacy Policy: Automated individual decision-making including profiling clause

When Handling "Sensitive Data"

The WPA requires businesses to take extra care when processing and storing sensitive data, and abstain from using such data unless absolutely necessary.

Sensitive data includes a minor's data or data about an individual's:

  • Race or ethnicity
  • Sexual orientation or sex life
  • Health
  • Uniquely identifiable biometric data

Conducting a "Risk Assessment"

The WPA requires that businesses conduct risk assessments before processing a consumer's data to determine the benefits of processing said data and the risks that it might pose to the consumer. If the risks outweigh the benefits, then the data should not be processed without the consumer's consent.

In its Privacy Policy, 23andMe stipulates risks that the consumer may not have considered:

23andMe Privacy Policy: Risks and Considerations clause

Key Similarities and Differences

Key Similarities and Differences

Key Similarities

As you can see above, both acts give consumers a similar bill of privacy rights and require businesses to take great care when handling a consumer's personal data.

We can see that both acts:

  • Require businesses to notify consumers of the categories of data your business is collecting, the purpose of collecting such data, and whether or not the data will be shared with or sold to third parties before collecting their data
  • Require businesses to adopt comprehensive security practices to safeguard consumer data
  • Give consumers a right to access, correct and obtain a copy of their data
  • Allow consumers to opt out of letting businesses sell their data or ask for their data be deleted, but with limitations, which we cover below

Key Differences

While both acts share similar fundamental elements, there are a few differences that set them apart. This includes provisions on profiling, risk assessment and facial recognition technology that are exclusive to the WPA.

Definition of "Personal Data"

Unlike the CCPA, the WPA excludes de-identified data from its definition of "personal data." This means that data that cannot be directly or indirectly linked to an individual would generally not be protected under the WPA.

Unlike the WPA, the CCPA includes "households" and not only individuals under its definition of "personal data." This would include information such as a physical address that points to a "household" and not a specific individual.

Definition of "Consumer"

Unlike the CCPA, "consumers" under the WPA does not cover employment records or individuals acting in an employment context.

Definition of "Sale"

Unlike the CCPA, the WPA not only allows consumers to opt out of of letting businesses sell their data to third parties, but it also allows consumers to opt out of letting your business use their data for any purpose, including marketing and advertising.

Enforcement

Unlike the CCPA, there is no private right to action under the WPA.

Provisions Exclusive to the WPA

The WPA raises the bar when it comes to protecting a consumer's data as unlike the CCPA, it:

  • Requires businesses to weigh the risks and benefits posed to the consumer before processing their data
  • Prohibits businesses from profiling consumers based on their economic or health status without their consent
  • Prohibits businesses from relying solely on automated data processing to make decisions that have a significant impact on consumers, and
  • Discourages the use of a consumer's sensitive data

Summary

The requirements under the WPA and CCPA are largely similar. After determining if the laws apply to your business, be sure to:

  • Notify consumers of the categories data you're collecting and why
  • Tell them if their data will be shared or sold to third parties and why
  • Provide a list of their privacy rights
  • Get their consent before you do anything to their data
  • Update your Privacy Policy at least once a year
  • Notify consumers if there are major changes to your privacy policy
  • Respond to their requests as soon as possible
  • Keep your data security measures as complete as possible at all times
Last updated on 23 June 2020

Article categories