CCPA vs GDPR. In this blog we take a look at similarities and differences between the CCPA and the GDPR. 

It has been a year and a half since the GDPR started to apply. Did you think you were done adapting all your data processes to the Regulation? Don’t miss this post! You might still have a lot of work to do with the new California Consumer Privacy Act (CCPA).

The CCPA was enacted in 2018 and will take effect on January 1, 2020. It is the first law in the US to provide consumers with privacy rights. Businesses collecting, selling or disclosing California residents’ personal information may be subject to the CCPA requirements.

At this stage you may be wondering if the CCPA is the ‘Californian GDPR’. Don’t panic! We have prepared this blog to let you answer that question yourself. Aphaia has gone through the CCPA and the GDPR thoroughly in order to identify the most relevant similarities and differences between them and we have put together our findings in the lines below.

Who is obliged to comply with the CCPA?

While the GDPR applies to “controllers” regardless of their nature or their activity, the CCPA requirements only apply to for-profit entities (“businesses”) that:

are for-profit;
collect consumers’ personal information, or on whose behalf such information is collected;
determine the purposes and means of the processing of consumers’ personal information;
do business in California; and
meet any of the following thresholds:
    have annual gross revenue in excess of $25 million;
    alone or in combination, annually buy, receive for the business’s commercial purposes, sell or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
    derive 50% or more of their annual revenues from selling consumers’ personal information.

The CCPA also applies to any entity that controls or is controlled by the business.

Are there territorial limits?

The CCPA applies to organisations that do business in California and, similar to the GDPR, even though it is not explicitly stated, it also appears to apply to those established outside of California if they collect, sell or disclose California consumers’ personal information while conducting business in California.

Who has rights under the CCPA?

The GDPR covers the privacy rights of ‘data subjects’, defined as “an identified or identifiable natural person”, whereas the CCPA protects ‘consumers’, understood as natural persons who are California residents.

Which processes involving data fall under the CCPA?

Whilst the GDPR refers to the ‘processing’ of personal data, the CCPA specifically includes ‘collecting’ and ‘selling’ personal data.

It is important to note that ‘collecting’ covers “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means” and ‘selling’ comprises “renting, disclosing, releasing, disseminating, making available, transferring, or otherwise communicating personal information for monetary or other valuable consideration”. It should be stressed that ‘selling’ does not necessarily require a payment to be made in exchange for personal information.

What rights does the CCPA provide the consumers with?

Similar to the GDPR, the CCPA provides consumers with new rights, including a right to transparency about data collection, a right to be forgotten, and a right to opt out of having their data sold, which becomes opt-in for minors. That said, Californian consumers have the following rights:

The right to know whether their personal information is being collected about them.
The right to request the specific categories of information a business collects upon verifiable request.
The right to know what personal information is being collected about them, the categories of sources from which the information is collected, the business purposes for collecting or selling the information and the categories of third parties with which the information is shared.
The right to say “no” to the sale of personal information.
The right to delete their personal information.
The right to equal service and price, even if they exercise their privacy rights.

It is clear that the CCPA will have large implications for businesses in California (and all around the world!) as it is the strictest privacy law ever enacted in the US. However, with appropriate help, organisations will be able to manage the requirements and implement them step by step as happened with the GDPR almost two years ago.

Do you require assistance with CCPA compliance? Aphaia provides both GDPR and CCPA adaptation services, including data protection impact assessments and Data Protection Officer outsourcing.

Apple data sharing

Apple faces scrutiny for data sharing practices

Apple accused of potential improper data-sharing.

Earlier this month, American multinational technology company Apple came under scrutiny for its data-sharing practice of sending IP addresses from users of its Safari browser to Google and China-based tech company Tencent.

Apple has since defended this practice, noting that it is part of the Safari Fraudulent Website Warning security feature, aimed at flagging websites known to be malicious. In an interview with iMore, Apple reportedly stated: “When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.”

It is of note that Apple’s Fraudulent Website Warning setting is on by default. As such, users would have to delve into their settings and toggle it off if they do not want their IP address forwarded to Google and Tencent when using the Safari browser. It is also reported that toggling this setting off would potentially render browsing sessions less secure.

Potential GDPR and CCPA implications?

Considering that IP addresses can reveal user locations and can also be used to profile users, they are deemed online identifiers and thus personal data under Recital 30 GDPR, which means that this feature would be subject to GDPR compliance.

The recent cookies consent ruling by the CJEU, explored in one of our recent blog posts, could also potentially affect the way Apple handles its default permission settings.

Moreover, with the California Consumer Privacy Act Regulations (CCPA Regulations) scheduled to take effect on January 1, 2020, introducing consumer rights related to third-party sharing for companies doing business with California residents, it is likely that Apple would also have to review this practice to ensure CCPA compliance.

This practice was explained in the privacy policy, within the section “About Safari & Privacy”, and it was publicly accessible to anyone who opened the Settings app. However, one should note that even though, for the sake of transparency and in line with Articles 13 and 14 GDPR, the privacy policy must describe every personal data processing operation carried out by the controller, this does not mean that any processing added to the privacy policy automatically becomes lawful: a valid legal basis for the processing (contract, consent or legitimate interest, among others) is still required.

Does your company website facilitate data sharing with third parties? Aphaia’s GDPR and CCPA adaptation services, including our data protection impact assessments and Data Protection Officer outsourcing, will help you ensure compliance with the soon-to-be-effective CCPA Regulations and the GDPR.

Reference: iMore

CJEU cookies active consent

CJEU says active behavior required for cookies consent

The CJEU clarifies that “consent” in data protection and privacy laws in relation to cookies compliance refers to consent through active behaviour.

This week, the Court of Justice of the European Union (CJEU) issued a ruling resolving the definition of the term ‘consent’ with regard to cookies compliance. This came about as a result of a dispute between the Federation of Consumer Organisations, Germany (the ‘Federation’) and online gaming company Planet49 GmbH.

Background of the Case

The case centred on Planet49’s organisation of a promotional lottery on its website in September 2013.

In order to participate in the online lottery, internet users were required to provide their names, addresses and postal codes. Beneath the input fields for the address were two bodies of explanatory text accompanied by checkboxes. The first checkbox required users to provide their consent to being contacted by third-party sponsors and cooperation partners. Meanwhile, the second box focused on consent for the installation of cookies on the user’s device. This second checkbox contained a preselected tick. In addition, participation in the lottery was possible only if at least the first checkbox was ticked.

The court judgement document explains that the Federation had sent a letter to Planet49 asserting that the declarations of consent requested by Planet49 through the first and second checkboxes did not satisfy some of the requirements of the German Civil Code (BGB), the German Law against Unfair Competition and the German Telemedia Act (TMG). This letter, however, went unanswered.

Subsequently, in March 2014, the Federation applied for an injunction requiring Planet49 to cease using such declarations and to pay it EUR 214 plus interest from 15 March 2014. This action was upheld by the regional court.

Planet49 in turn filed an appeal before the higher regional court. The higher court held that the Federation’s injunction order was unfounded on the basis that, first, the user would realise that he or she could deselect the tick in that checkbox and, second, the text was set out with sufficient clarity from a typographical point of view and provided information about the manner of the use of cookies without it being necessary to disclose the identity of third parties able to access the information collected.

This ruling was subsequently appealed by the Federation before the Federal Court of Justice, Germany. The Federation asserted that Planet49’s success before the higher court centred on the interpretation of some articles of the ePrivacy Directive and the former Data Protection Directive.

According to the judgement document, “harbouring doubts as to the validity, in the light of those provisions, of the consent obtained by Planet49 from internet users of the website by means of the second checkbox and as to the extent of the information obligation provided for in Article 5(3) of Directive 2002/58, the Bundesgerichtshof (Federal Court of Justice) decided to stay the proceedings and refer to the Court of Justice for a preliminary ruling.”

Specifically, the following question was posed:

“Does it constitute a valid consent within the meaning of Article 5(3) and Article 2(f) of Directive [2002/58], read in conjunction with Article 2(h) of Directive [95/46], if the storage of information, or access to information already stored in the user’s terminal equipment, is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent?”

The CJEU ruling

Following an analysis of EU data protection laws and regulation—namely, the ePrivacy Directive, the former Data Protection Directive and the GDPR—the CJEU concluded that:

“[The laws and regulations] must be interpreted as meaning that the consent referred to in those provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent.”

As such, cookie compliance requires consent through active behaviour.

What is a cookie?

Norton explains that a cookie, known formally as an HTTP cookie, is “a term for a packet of data that a computer receives, then sends back without changing or altering it.”

It further explains that the purpose of cookies is to help the website keep track of your visits and activity.

Considering that cookies store large amounts of data which could potentially identify an individual, they are considered personal data (Recital 30 GDPR lists cookie identifiers among the online identifiers that may be used to identify a natural person). Cookies are therefore subject to GDPR compliance.

What are the implications of the CJEU ruling?

Aphaia Partner Bostjan Makarovic believes that, although not unexpected, the CJEU ruling has important implications for online business: “Since the 2009 ePrivacy rules first required consent for cookies, there has been a lot of discussion whether this consent might be implied rather than expressly stated. For example, until recently, even the UK Information Commissioner was showing an openly lenient attitude regarding the matter. This is now clearly changing. Online businesses need to urgently rethink their current approaches to cookies.”

Does your company utilize cookies on your website? Does your current use of cookies require active consent from users? Aphaia provides GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. Contact us today to ensure that your company website is fully compliant.

AI, IoT, Big Data

Combining AI, IoT and Big Data: Can Regulation Cope?

In last week’s vlog we delved into the regulation of AI, IoT and Big Data when used together.

AI, IoT and Big Data—these technologies and digital concepts undoubtedly play a major role in today’s highly connected era. As they are now, and continue to become ever more, integral to our day-to-day lives, several regulatory measures—including the GDPR and the DPA 2018—have been implemented in order to protect individuals’ personal data, privacy and associated rights. But how should they be regulated when they all work together?

First of all we need to understand what each of these concepts means:

Artificial Intelligence (AI): John McCarthy, who coined the term in 1956, defined it as “the science and engineering of making intelligent machines.” A more modern definition explains AI as “the simulation of human intelligence processes by machines, especially computer systems. These processes include learning (the acquisition of information and rules for using the information), reasoning (using rules to reach approximate or definite conclusions) and self-correction”.

Internet of Things (IoT): IoT is understood as “a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction”.

Big Data: a popular definition of Big Data, provided by the Gartner IT glossary, is “…high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making.”

As you can see, all of them involve data processing, so it is clear that all of them should comply with the GDPR when the information affected is personal data, or with the Free Flow of Non-Personal Data Regulation when it is not. But are there any other mandatory requirements laid down by law, apart from the data protection and privacy ones, that they should meet? Actually there are, but the challenge is that each of them has different features and needs.

For example, AI raises many ethics concerns, as discussed in some of our previous videos and IoT is dependent on 5G and Telecoms Regulation, while Big Data may tackle challenges from both AI and IoT.

That said, how can regulation cope with all these technologies when they apply together, e.g. in a single project?

We suggest different scenarios about how this could be addressed:

o Impose an obligation on businesses, universities, public bodies, etc. to have a legal ICT professional on the team before carrying out any project that involves the use of AI, IoT, Big Data or similar technologies. A specific certificate for these professionals might be issued by accreditation bodies.
o Tech-specific regulation and legislation that brings together most of the ICT risks and challenges, with mandatory minimum requirements on how they should be addressed.
o An independent EU Legal Tech body that issues guidance and codes of conduct on the main ICT issues and challenges.

Even though regulation and codes of conduct may help to unify standards, due diligence and commitment from the managers and the team involved in a project are still essential and key to ensure appropriate safeguards regardless of the specific externally-imposed requirements.


If you need advice on your AI product, Aphaia offers both AI ethics and Data Protection Impact Assessments.