What's the Difference Between the California Consumer Privacy Act (CCPA) & the Washington State Privacy Act (WPA)?
The State of Data Privacy Protection
Growing public awareness regarding the extent and vulnerabilities of commercial data mining has fostered consumer pushback against data brokers and fueled a movement for passing new consumer privacy protections.
Congress has thus far shunned a leadership role, spurring a number of states to seize the legislative initiative around data privacy protection.
Consumers appear to welcome the long-overdue oversight, but a patchwork of incongruous laws that change across borders creates a compliance nightmare for businesses operating nationally and internationally.
Positioned at the nexus of progressive politics and tech innovation, it’s no surprise that Pacific states have spearheaded the movement via the California Consumer Privacy Act (CCPA) and the pending Washington Privacy Act (WPA) - measures with similar goals but different provisions.
Businesses operating in these markets will need to modify their data collection and handling practices to fall in line with the WPA and CCPA.
Sifting through the stipulations of the various US data protection laws and state-driven privacy acts can be frustrating and confusing—but don’t worry, MatrixPoint’s privacy experts are here to help.
Our privacy data consultants can help your business navigate the process of becoming WPA and CCPA compliant.
For immediate assistance, please contact us for a free consultation by calling 800-683-6983 or by filling out our contact form.
California Consumer Privacy Act vs Washington Privacy Act: What Are the Differences?
Designed to protect citizens from the exploitation or erroneous collection of personal data, both the CCPA and the WPA trace their roots to the European Union’s landmark General Data Protection Regulation (GDPR) – the global gold standard in the field since its enactment in 2018.
Neither the CCPA nor the WPA go as far as the GDPR, but both represent bold first steps for domestic consumers while imposing tricky burdens on stateside businesses.
Each also differs from the other, most notably in breadth of application, available remedies, and methods of enforcement.
In most areas, the WPA’s provisions go further than those of the CCPA; Washington’s version will apply to a wider swath of companies, bestow greater rights on consumers with more responsibilities for businesses, and empower public enforcement.
As of spring 2020, the Washington legislature has not yet passed a definitive version of the WPA, while an upcoming ballot initiative threatens to further amend the CCPA.
Therefore, the details of each law remain in flux, but that will likely continue to be the case for years.
The best way to ensure your company’s policies are in line with current data protection laws will be to enlist the help of a privacy consulting firm like MatrixPoint.
Below is a detailed assessment of each bill as they currently exist, noting the difference between the CCPA and WPA, followed by a preview of potential updates to each bill, and data privacy laws in general.
What is the CCPA?
The movement to protect Californians’ personal data started with grassroots advocacy.
A group called Californians for Consumer Privacy launched a petition drive to place a privacy protection initiative on the 2018 ballot, spurring state lobbyists and legislators to craft a bill that would temper demands and pre-empt the popular proposition.
In June of that year, Sacramento lawmakers unanimously passed the CCPA, which went into effect on January 1, 2020 (with enforcement slated to commence in July).
The bill was the first of its kind in the United States and included significant measures providing Californians control over the collection and dissemination of their online data.
Consumer Rights Under the CCPA
The CCPA gives California residents access to all personal data collected by companies on request, and further grants them rights to restrict the sale of this data, demand the data be deleted, and opt-out of further data collection/sale by the company.
Additionally, per the CCPA, companies cannot sell the personal data of minors without an affirmative confirmation by the consumer, and when the consumer is under the age of 13, such confirmation must come from a parent or guardian.
The law also specifically codifies consumers’ right to sue companies for damages in the event of data breaches.
Even without a physical presence in California, businesses shall be subject to CCPA provisions if their services are operational/accessible in the state and meet any of the following criteria:
- Annual gross revenues of $25 million; OR
- Annually buying, selling or disclosing the personal information of 50,000 or more consumers, households or devices; OR
- Generating 50% or more of their annual revenues from selling personal data.
Not-for-profit businesses, healthcare companies and public sector offices are currently exempt from the provisions.
If the CCPA applies to your company, compliance measures must be enacted to accommodate all consumer rights afforded under the act.
Web portals must provide clear, easy links for California residents to access their private data, request data deletion, and opt-out of future collection.
Measures must also be taken to assess the consumer’s age and tailor collection/permissions accordingly.
Finally, reasonable security protocols must be in place to protect collected personal data.
Aside from sanctioned class-action lawsuits in the event of uncured data breaches, all enforcement of the CCPA is vested in the Attorney General of California.
Penalties levied by the state can range from $2500 up to $7500 per consumer depending on severity, duration and level of negligence involved.
What is the WPA?
Following the 2016 passage of European guidelines and the 2018 ratification of the CCPA, Washington State introduced its own privacy act in 2019.
Modeled after the CCPA, the WPA passed the state Senate but was considered too business-friendly by members of the House, where it floundered.
The bill was re-introduced in modified form during the 2020 session, where it enjoys broad bipartisan support, but contention on enforcement mechanisms have held up its passage.
The WPA generally adopts the base protections of the CCPA and expands upon several of its rights, definitions and jurisdictions. Below is a discussion of the broad provisions of the bill as it now stands.
Consumer Rights Under the WPA
Like the CCPA, the WPA grants Washington residents the right to access their personal data, have it deleted, and to opt-out of its collection or sale.
The WPA goes further in empower consumers by allowing them to opt-out not only of data collection but also targeted marketing, and decrees that businesses establish an appeal process for any denied requests.
As an added protection to consumers, their decision to opt-out of data monetization also forbids companies from “sharing” personal data among themselves or limiting available services based upon opt-in status.
Like the CCPA, Washington’s law would govern all companies accessing their consumer market, regardless of their physical location, and applies to companies meeting the following criteria:
- Control or process personal data of ≥ 100,000 consumers annually, OR
- Generate 50% or more of annual revenues from selling personal data AND process or control personal data of 25,000 consumers.
The law will also apply to non-profit entities and companies targeting Washington citizens with advertising even if they do not collect personal data within the jurisdiction.
The WPA requires establishing an infrastructure that satisfies a whole host of conditions, including:
- Grants consumers access to a portable form of their personal data
- Provides a process for the correction of data
- Reviews appeals of denied requests
- Supplies easy methods to opt-out of data collection and targeted advertising
- Affirmatively seeks permission for the collection of sensitive data (or any data of younger consumers), and
- Takes reasonable measures to safeguard all collected information
And it also imposes certain internal logistical responsibilities for data-collecting businesses.
Echoing the European goal of narrowing overall data collection, the WPA obligates companies to justify the motivation and means for all information amassed while instilling guidelines for data minimization, purpose limitation, and a duty to avoid secondary use of collected private information beyond the purpose at hand.
The WPA further imposes a duty to perform internal Data Protection Assessments for all processing activities involving high-risk personal data or changes in handling protocol.
Such assessments should comprehensively weigh necessity/benefits versus potential dangers involving this sensitive class of data, but specific parameters are not delineated by the act.
The law is also more attentive to the handling of pseudonymous and de-indentified information (data not directly attached to specific consumers).
For the moment it is more lenient with its collection and use, but acknowledges that such categories are not beyond possible regulation.
Enforcement of the WPA has proven the primary sticking point to its passage, with the Washington Senate (under lobbying pressure of home state tech titans) content to defer to the state’s Attorney General, while the House of Representatives would permit individual citizens to bring civil actions for violations as an extended private method of oversight.
The office of Washington’s Attorney General has admitted that limited resources would preclude more than a few prosecutions under the act per year, while the internal nature of several WPA compliance provisions would seem to defy proactive enforcement from outside companies.
Conversely, the commercial sector argues that enforcement accomplished by individual civil suits would create a litigious tsunami that would cripple the state’s business climate.
Possible compromises include allowing private suits only over a certain threshold of alleged violations or empanelling an independent regulatory board charged only with applying the Act’s provisions.
MatrixPoint is monitoring the negotiations and how they will impact ultimate passage/enactment of the bill.
CCPA vs WPA
Weighing the Washington State Privacy Act vs California Consumer Privacy Act, one notes that they are similar in many respects, from overall philosophical aim to specific legislative provisions.
Both acts provide citizens with access and control over personal data collected by the growing information industry.
Both laws enable consumers to demand deletion of their personal data and cease collection of additional information, while expecting reasonable protection of all retained files.
And both extend the reach of state governments to police companies around the globe by basing jurisdiction on access to markets rather than corporate location.
However, there are many nuanced differences between the two acts regarding their scope, the rights they afford, and corporate obligations.
Differences: Scope of Application
There are slight differences regarding thresholds triggering company’s adherence to each state’s provisions.
By pure metrics, California boasts slightly broader inclusion, but in practice, Washington might prove more widely applicable by including non-profit organizations and interests that merely target residents with demographic advertisements.
Differences: Consumer Rights
The WPA goes beyond CPA provisions by permitting Washington consumers to not only access and delete personal data, but also correct it as necessary.
It also incorporates restrictions on “sharing” data and requires opting-in for any sensitive data.
Washington residents also have the right to appeal any refused data requests.
Differences: Corporate Obligations
Beyond bestowing consumer rights related to private data, the WPA goes further than the current CCPA in prescribing protocols that govern its collection and use.
By requiring regular Data Protection Assessments and codifying considerations that would trim data acquisition from invasive wholesale absorption to more narrowly-tailored collection, the Washington law imposes greater responsibilities and citizenship considerations upon businesses.
Similar measures are part of the proposed 2020 California ballot initiative, so the laws may ultimately be more aligned in this respect down the road.
How Do the CCPA & WPA Affect Business?
With potentially crippling fines and penalties levied for violation of privacy laws, it’s important for all subject companies to quickly come into compliance.
While the Washington Privacy Act is still under legislative consideration, the California Consumer Privacy Act went into effect on January 1st, 2020.
In addition to public-facing mandates (including prominent data request links and opt-out buttons visible for all California IP addresses), businesses should follow several other steps to enact best practices in accordance with the regulation:
- Review data collection/maintenance protocols
- Ensure all relevant employees are versed in the legalities of the WPA and CCPA
- Establish compliance teams within the company
- Establish clear expectations with clients, vendors, and consumers
- Prepare IT departments for upcoming changes mandated by the WPA, CCPA, and others
Rather than tackling the requirements of these new data privacy laws piecemeal, companies would be well-served to enlist the aid of a privacy consulting company like MatrixPoint, who can ensure that they’re dealing with the new restrictions appropriately and efficiently.
Contact MatrixPoint for Assistance
It’s certainly a time of turbulent developments for any business that collects personal data, but MatrixPoint is here to help.
We know the GDPR, we understand the CPA, and we’re monitoring the WPA, along with several active bills in Florida, Massachusetts, New York, and Virginia.
We’ve helped numerous other companies prepare, adapt, and revise practices to ensure that they’re in full compliance with data privacy laws, and we’re ready to help you too.
Don’t be distracted from your mission and don’t take chances navigating a confusing web of emerging requirements.
Schedule a free consultation with MatrixPoint by calling 800-683-6983 or filling out our contact form.