Data security has been a hot topic for a few years, and particularly since the EU’s adoption of the General Data Protection Regulation of 2016 (GDPR). Several states are now instituting similar legislation to protect their residents. The first state to pass comprehensive data collection regulation is California in the form of the California Consumer Privacy Act of 2018 (CCPA). Beginning on January 1, 2020, companies will need to be compliant with this new law. 

This FAQ will hopefully shed some light on this new regulation, which is both similar to and distinct from the GDPR. 

What is the CCPA?

The CCPA is California’s response and solution to public outcries resulting from massive data security breaches and sales of data that compromise the safety and privacy of its residents. The EU was the first to pass a comprehensive body of regulation on data security—the United States Congress has made several attempts to regulate the Internet generally, but most (such as the Communications Decency Act) focused on content and thus did not pass constitutional muster under the First Amendment. 

As data security has less to do with content and more to do with a constitutionally recognized right to privacy, CCPA will almost certainly survive constitutional scrutiny, so it’s safe to assume that even if challenged this new regulation will be upheld. 

What if I’m already complying with GDPR?

If you are already complying with GDPR, you will have less to do to meet CCPA standards, but you will need to comply with those regulations specific to CCPA as well. While the two laws have similarities, you should not assume that GDPR compliance means you are also compliant with the CCPA. There are some notable differences. 

How does CCPA differ from GDPR?

While there are more similarities than differences between the two regulations, those differences are significant. First, CCPA requires operators to include a “Do Not Sell My Data” link on their privacy policy where users may opt out if you are selling user data to third parties. It is important to note, here, that CCPA’s definition of a “sale” is intentionally vague and would likely include data transfers to personalized ad providers, or where such personal information is otherwise monetized. 

There is also a non-discrimination component to the CCPA that sets it apart from GDPR. Under this regulatory requirement operators are prohibited from offering fewer products or services, or charging users more if they elect to opt out of selling data. There is an exception to this—operators can charge an additional fee for services provided to users who opt out of data sales so long as that fee does not exceed the actual monetary value of the personal information being sold. 

CCPA is also specific in ways that the GDPR is not—for example, GDPR leaves certain things up to member states (such as when operators must respond to GDPR rights requests), whereas CCPA requires action on such rights requests within 45 days. CCPA also requires that operators disclose any sales of data made within the preceding 12 months, and this is retroactive. So when you update your privacy policy, your disclosures concerning data transfers and sales can no longer be treated as a snapshot based only on what you are currently collecting—you will need to disclose sales and transfers for the entire year prior to the disclosure, and you must update these disclosures annually.  

What does this mean for my game?

CCPA lays out specific qualifications for companies that must comply with CCPA. Unfortunately, most game companies will likely need to comply on some level if they collect user data and operate in the US due to the high likelihood of collecting data from California residents. There are some exceptions, but for the most part, if you’re collecting end user data for your game (including analytics), there’s a high chance you will need to satisfy CCPA in your consumer disclosures and business practices. Even if that data is not being sold to third parties, you will need to include an updated policy that addresses CCPA if you collect user data for any purpose, regardless of whether that data is anonymized or pseudonymized. 

So what should I do now?

If you are already compliant with GDPR, you should still reach out to an attorney to discuss the additional steps you will need to take to also comply with CCPA. If you are not compliant with GDPR or do not need to comply with GDPR (e.g., you don’t distribute games in the EU), complying with CCPA will likely require an overhaul of your current data collection process and record-keeping. Please note that the deadline for compliance in January 1, 2020—at a minimum, it’s probably best to begin the compliance process before the regulation goes into effect due to the time needed to satisfy CCPA’s extensive requirements.