No right to rectify?
Noga Rosenthal
General Counsel and Chief Privacy Officer at Ampersand| Advisory Board Member | Data Strategy | Policy | Technology Industry
Often, we talk about the similarities between GDPR and CCPA, hoping to bring the lessons we learned from GDPR to our compliance efforts for CCPA. One intriguing difference is that unlike GDPR, CCPA does not provide consumers with a "right to rectification."
Under Article 16 of the GDPR, data subjects are provided the right to request that a data controller rectify their personal data. This right also allows data subjects to have their incomplete personal information completed. For instance, a consumer could write a marketing company and ask that her name be changed on her catalog (and in the company's database) from “Mrs. Smith” from “Mr. Smith.” This is an essential right when it comes to legal or significant decisions made based on a personal data, such as personal data used in background checks for financial credit.
But CCPA does not offer a similar right. Why not? Why did the drafters not include this GDPR data subject right?
One opinion is that this was left out based on the different reasons why these laws were passed.
GDPR is a regulation that was passed to protect data subjects and offer them rights to their personal data. On the other hand, CCPA originated when Alistair McTaggart wanted to better understand what personal data companies held on him and other consumers. Meaning, CCPA’s underlying goal is to better understand the inner workings of companies and what data they collect and "sell" on consumers. There isn’t a vital need to rectify personal data under this philosophy.
An alternative explanation could be that U.S. companies have existing obligations to enable individuals the right to correct inaccurate information. For example, a job applicant may be able to correct inaccurate information when a background check includes wrong information. Perhaps the authors of CCPA did not see the need to add this right to rectify in other scenarios such as incorrect or incomplete personal information held in marketing databases.
After hearing from privacy pros, I am leaning towards the second explanation. The right of restriction is also missing from CCPA. Similar to the right of rectification, this right may very well be covered elsewhere under the CCPA through the ability of a consumer to opt-out under CCPA- which basically “freezes” the personal information. Or a consumer could have a legal hold put on her data, which is essentially what the right of restriction covers.
What are your thoughts on this?
Data Privacy and Security Attorney
4yFCRA includes a right of rectification and as federal law would supersede CCPA. FCRA covers many instances (but not all) that have significant legal and financial impact on a user (i.e. credit checks), so perhaps the decision was made that the most significant harms were already dealt with?