WPA vs CCPA
If your company operates in or targets consumers in the United States, there's a good chance you'll need to comply with California and Washington state's privacy laws. These laws are known as the California Consumer Privacy Act (CCPA) and Washington Privacy Act (WPA), respectively.
The CCPA went into effect on January 1, 2020 and is a new addition to California's collection of laws aimed at protecting the privacy of its residents.
The WPA law has yet to pass the Washington House at the time of writing. The key elements in the WPA are largely similar to that of the CCPA, since both sought to mirror the EU's General Data Protection Regulation (GDPR).
Nevertheless, both acts contain provisions that are unique to them which we will cover in this article.
- 1. Applying the WPA and CCPA
- 1.1. Who Do the Laws Apply to?
- 1.2. Definition of "Business"
- 1.3. Definition of "Consumer"
- 1.4. Definition of Personal Data / Information
- 2. Complying with the WPA and CCPA
- 2.1. When Collecting Consumer Data
- 2.2. When Addressing Consumer Concerns
- 2.2.1. WPA
- 2.2.2. CCPA
- 2.3. When Processing Consumer Data
- 2.3.1. When "Profiling" Consumers
- 2.3.2. When Making "Final Decisions"
- 2.3.3. When Handling "Sensitive Data"
- 2.3.4. Conducting a "Risk Assessment"
- 3. Key Similarities and Differences
- 3.1. Key Similarities
- 3.2. Key Differences
- 3.2.1. Definition of "Personal Data"
- 3.2.2. Definition of "Consumer"
- 3.2.3. Definition of "Sale"
- 3.2.4. Enforcement
- 3.2.5. Provisions Exclusive to the WPA
- 4. Summary
To comply with the WPA and CCPA, you'll first need to understand:
- Who they apply to
- How you can comply with them
- Their key similarities and differences
Applying the WPA and CCPA
Who Do the Laws Apply to?
The WPA applies to businesses that:
- Control or process data of 100,000 or more consumers, or
- Derive over 50% of gross revenue from the sale of personal data, and process or control the personal data of 25,000 or more Washington state consumers
The CCPA applies to businesses that:
- Generate annual gross revenues of over $25 million, or
- Buy, receive, sell or share the personal information of 50,000 or more devices, households or consumers annually for commercial purposes, or
- Derive 50% or more in annual revenue from the sale of personal information
Definition of "Business"
In the WPA, businesses refers to:
- Entities who do business in Washington
- Entities who produce products or services that intentionally target Washington state residents
This includes all legal entities except for state and local governmental entities.
In the CCPA, businesses refers to entities based in California or who collect data from its residents.
- Sole proprietorships
- Limited liability companies
- Legal entities with a profit motive
Definition of "Consumer"
In the WPA, consumer refers to Washington state residents acting in a private context. Note that this does not include those acting in a commercial or employment context.
In the CCPA, consumers refers to California residents
Definition of Personal Data / Information
Under the WPA, personal data covers data that can be linked to or associated with a specific individual.
Note that this does not include de-identified data, i.e. data that cannot be directly or indirectly linked to a specific individual.
Under the CCPA, personal information covers information that is directly or indirectly linked to a specific individual or household.
Publicly-available information from federal, state or local government records is not considered personal information under both Acts.
Complying with the WPA and CCPA
When Collecting Consumer Data
Under the WPA, you are obligated to notify consumers of the following when or before collecting their personal data:
- The categories of personal data that you collect
- How their data will be used
- Their rights under the WPA
- If you'll be sharing their data with third parties, and if so, what categories will be shared and its purposes, and
- If you'll be processing their data for advertising purposes, and if so, how can the consumer submit a request to object to such processing
If your business utilises facial recognition technology in its physical premises, the consumer must be notified upon or before entering the premises.
Under the CCPA, you are obligated to notify consumers of the following when or before collecting their personal data:
- The categories of personal data that you collect and
- How their data will be used
- A list of consumer privacy rights under the CCPA
- A list of categories of personal information that your business has or has not collected, sold and/or disclosed about consumers in the last 12 months, and
You also must provide a visible and easily-accessible link with the title "Do Not Sell My Personal Information" that links to a webpage where they can opt out of having their information sold.
Remember that you cannot collect additional information or use said information for additional purposes without notifying the consumer and getting their consent before doing so.
When Addressing Consumer Concerns
If you receive a verified consumer request asking for changes to be made to their personal data, you are obligated to make the necessary changes as soon as possible.
The consumer has a right to:
- Request a copy of their personal data
- Request correction of inaccurate data
- Request completion of incomplete data
- Request the deletion of their data
- Opt out of the sale of their data
- Object to the processing of their data for targeted advertising, and
- Request that you restrict the processing of their data if they find that such data is being processed for illegal purposes or reasons inconsistent with that that they were informed of at the time of collection or consent
You must respond within 30 days of receiving the consumer's request, whether to deliver on their request or to inform them that more time is needed.
The response period can be extended by up to 60 additional days.
Here's how Spotify informs users of their rights:
Should you receive a verified consumer request, you are obligated to take steps to honor the request and respond as soon as possible. Information that a consumer has a right to request includes:
- Categories of information you've collected about them
- Categories of sources from which the information was obtained
- Categories of third parties that the information was shared or sold to
- The business or commercial purpose(s) for collecting or selling this information, and
- Specific pieces of information that was collected about the consumer
The consumer also has the right to request that their information be modified or deleted, and they can also opt out of having their information sold to third parties.
There also needs to be at least two ways to submit requests, such as through a toll-free telephone number or email address.
You must respond to the consumer's request within 45 days of receiving it, whether to deliver on their request or to inform them that more time is needed.
The response period can be extended by up to 45 additional days.
When verifying requests:
- Be sure to first verify that the person who submitted the request really is the consumer (or someone authorised to act on the consumer's behalf) that your business has collected information on before responding to their request.
- You cannot require the consumer to create an account with your business in order to make a verifiable request.
Here's how the Bear app informs users about how their request will be processed:
When Processing Consumer Data
Both the WPA and CCPA require businesses to adopt comprehensive data security measures to safeguard consumer data that they have collected.
However, there are several provisions that are exclusive to the WPA that were drafted with the aim of making the parameters for data processing as unambiguous as possible. These provisions are applicable as follows:
When "Profiling" Consumers
The WPA prohibits businesses from profiling consumers according to their economic, health or other specific factors unless:
- The consumer consents to it
- It is permitted by law, or
- It is necessary to do so in order to execute your contract with the customer.
When Making "Final Decisions"
The WPA prohibits businesses from making decisions that may have a significant effect on consumers (legal or otherwise) based only on data that was processed through automated means. This means that decisions that may impact a consumer in a big way must go through some form of human review and not be solely decided by machines.
When Handling "Sensitive Data"
The WPA requires businesses to take extra care when processing and storing sensitive data, and abstain from using such data unless absolutely necessary.
Sensitive data includes a minor's data or data about an individual's:
- Race or ethnicity
- Sexual orientation or sex life
- Uniquely identifiable biometric data
Conducting a "Risk Assessment"
The WPA requires that businesses conduct risk assessments before processing a consumer's data to determine the benefits of processing said data and the risks that it might pose to the consumer. If the risks outweigh the benefits, then the data should not be processed without the consumer's consent.
Key Similarities and Differences
As you can see above, both acts give consumers a similar bill of privacy rights and require businesses to take great care when handling a consumer's personal data.
We can see that both acts:
- Require businesses to notify consumers of the categories of data your business is collecting, the purpose of collecting such data, and whether or not the data will be shared with or sold to third parties before collecting their data
- Require businesses to adopt comprehensive security practices to safeguard consumer data
- Give consumers a right to access, correct and obtain a copy of their data
- Allow consumers to opt out of letting businesses sell their data or ask for their data be deleted, but with limitations, which we cover below
While both acts share similar fundamental elements, there are a few differences that set them apart. This includes provisions on profiling, risk assessment and facial recognition technology that are exclusive to the WPA.
Definition of "Personal Data"
Unlike the CCPA, the WPA excludes de-identified data from its definition of "personal data." This means that data that cannot be directly or indirectly linked to an individual would generally not be protected under the WPA.
Unlike the WPA, the CCPA includes "households" and not only individuals under its definition of "personal data." This would include information such as a physical address that points to a "household" and not a specific individual.
Definition of "Consumer"
Unlike the CCPA, "consumers" under the WPA does not cover employment records or individuals acting in an employment context.
Definition of "Sale"
Unlike the CCPA, the WPA not only allows consumers to opt out of of letting businesses sell their data to third parties, but it also allows consumers to opt out of letting your business use their data for any purpose, including marketing and advertising.
Unlike the CCPA, there is no private right to action under the WPA.
Provisions Exclusive to the WPA
The WPA raises the bar when it comes to protecting a consumer's data as unlike the CCPA, it:
- Requires businesses to weigh the risks and benefits posed to the consumer before processing their data
- Prohibits businesses from profiling consumers based on their economic or health status without their consent
- Prohibits businesses from relying solely on automated data processing to make decisions that have a significant impact on consumers, and
- Discourages the use of a consumer's sensitive data
The requirements under the WPA and CCPA are largely similar. After determining if the laws apply to your business, be sure to:
- Notify consumers of the categories data you're collecting and why
- Tell them if their data will be shared or sold to third parties and why
- Provide a list of their privacy rights
- Get their consent before you do anything to their data
- Respond to their requests as soon as possible
- Keep your data security measures as complete as possible at all times