Fact Sheet: Wicker Privacy Proposal vs. California Consumer Privacy Act (CCPA)
December 2, 2019
Principles | CCPA | Wicker Bill | Stronger |
Scope | Only applies to entities operating in CA that meet 1+ of the following: collect information of CA residents; produce gross revenues of $25M+; buy, receive, sell or share information of 50,000 consumers; obtain 50% of revenue from personal information. |
Applies to all "Covered Entities" in the U.S. meaning any person, |
Wicker Bill |
Loyalty | Prevents businesses from discriminating against a consumer because the consumer exercised his or her privacy rights. It also establishes that any contract or agreement that purports to waive or limit a consumer's privacy rights shall be deemed contrary to public policy and shall be void and unenforceable. | Prevents covered entities from denying goods and services to individuals exercising their privacy rights. It also prohibits covered entities from waiving an individual's privacy rights in any agreement between the individual and the covered entity. | Same |
Transparency | Requires businesses to notifiy consumers about what data is collected, how it is used, and with whom it is shared when requested by a consumer. The Wicker bill's "transparency" section is far more detailed in terms of the requirements imposed on covered entities. | A covered entity that processes covered data must provide individuals with comprehensive and detailed information about its data processing and transfer activities in a privacy policy that is clearly disclosed to an individual and made available in a clear and conspicuous manner to the public. | Wicker Bill |
Access, Correction, Deletion and Portability | Grants consumers with the right to access, delete and port covered data upon receipt of a verifiable consumer request. | A covered entity is required to provide an individual, immediately or as quickly as possible (and in no case later than 45 days) after receiving a verfied request, with the opportuinity to access, correct, delete or port his or her covered data. | Wicker Bill |
Consent | Requires businesses to allow consumers to opt-out of the sale of their personal information. It does not distinguish between sensitive and non-sensitive personal information. | Requires a covered entity to obtain affirmative express consent (opt-in) before collecting, processing, or transferring the sensitive covered data of an individual. Also requires covered entities to allow individuals to withdraw their consent from further processing of their data. | Wicker Bill |
Data Minimization | No explicit provisions | Prohibits covered entities from collecting, processing, or retaining the covered data of an individual beyond what is necessary to provide a service or what is reasonably anticipated within the context of the covered entity's ongoing relationship with the individual. | Wicker Bill |
Data Security Requirements | Allows companies to use their data security practices as a defense when sued under the law's data breach-related private right of action. | A covered entity is required to establish, implement, and maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, security, and integrity of sensitive covered data. | Wicker Bill |
Corporate Responsibility | No explicit provisions | A covered entity is requied to designate a privacy and security officer. A covered entity is required to maintain internal controls and reporting structures to ensure that the appropriate senior management officials are involved in assessing risks and making decisions that implicate compliance with the Act. | Wicker Bill |
Whistleblowers | No explicit provisions | Provides that in the event a covered entity is found to have retailiated against an individual who is a whistleblower, the FTC or State AG must consider that fact in seeking penalties in any enforcement action. | Wicker Bill |
Kids Privacy | Prohibits the sale of personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer's parent or guardian authorizes the sale. | Prohibits a covered entity from transferring covered data of an individual to a third party without consent from the individual or an indvidual's parent or guardian if the covered entity has actual knowledge that the person is under the age of 16. | Same |
Data Brokers | CA has a data broker registry law that was incorporated as an amendment to the CCPA. | Requires data brokers to register with the FTC. If the data broker fails to register there will be a civil penalty for each day the data broker hasn't registered. | Same |
Deep Fakes | No explicit provisions | Requires NIST to define the term "digital content forgeries". Also requires the FTC to publish a report regarding the impact of digital content forgeries on individuals and competition. Addtionally, the bill establishes a prize competition to help develop technical solutions that would assist the public in indentifying these forgeries. | Wicker Bill |
Algorithm Bias & Transparency | No explicit provisions | Directs the FTC to publish a study under section 6(b) of the FTC Act examining the use of algorithms in a manner that may violate Federal anti-discrimination laws. Additionally, whenever the FTC obtains information that a covered entity may have processed or transferred covered data in violation of Federal anti-discrimination laws, the FTC shall cooperate with Federal and state agencies that have the authority to initiate proceedings relating to such violation. | Wicker Bill |
Privacy Impact Assessments | No explicit provisions | Requires covered entities that are large data holders to annually conduct privacy impact assessments that weigh the benefits of the covered entity's data collection, processing, and transfer practices against the potential adverse consequences to individual privacy. | Wicker Bill |
Service Providers | No explicit provisions | Establishes clear rules for how service providers are able to use data upon receipt from a covered entity. | Wicker Bill |
Enforcement | Authorizes the California Attorney General to enforce the law. | Provides for FTC and State AG enforcement, and allows other consumer protection officers authorized by the state to bring civil actions. Also provides the FTC with civil penalty authority for a first-time offense. | Wicker Bill |
Preemption | Applies only to CA residents. | Applies in all 50 states. | Wicker Bill |
Privacy Private Right of Action | Does not establish a private right of action for its privacy provisions. | Does not establish a private right of action for its privacy provisions. | Same |
Definitions | CCPA defines fewer terms with many being unclear, vague, and inconsistent. | The commerce bill defines over 25 terms with specific and clear meaning. | Wicker Bill |