Navigating GDPR vs CCPA and the finalities of data privacy legislation can be overwhelming.
But, not to worry!
This post will give you some clarification on what you— as a business— can and cannot do when dealing with consumer data.
The international nature of online business means that complying with relevant privacy laws and guidelines is essential to safeguard your business from any privacy related legal dramas.
Both GDPR and CCPA compliance are to ensure that individuals have greater autonomy over their personal information that exists online.
The GDPR and CCPA requirements, in effect, are quite similar. The CCPA gives Californians, as consumers, more control over how businesses collect their personal information. The GDPR gives E.U. residents, as data subjects greater transparency of how their data is collected.
What is the CCPA?
The CCPA or California Privacy Rights Act is applicable to businesses operating within California, in which they handle the information of California residents. The 2018 data protection law aims to extend consumer privacy to cover the internet and make it easier for individuals to protect consumers’ personal information from businesses with commercial interests. Key rights of the California state law include, the right to deletion, the right to know, the right to opt-out and the right to non-discrimination.
What is the GDPR?
The GDPR or the General Data Protection Regulation is the toughest data privacy law in the world and also came into force in 2018. It is applicable to all businesses operating either within a European member state or outside the E.U. that process personal data of E.U. residents. This is why the GDPR is relevant for businesses operating in the United States, not just in Europe.
Under Article 5.1-2, there are seven protection and accountability principles and thresholds that need to be upheld to avoid a data breach. The data subject rights are as follows:
- Lawful, fair and transparent: Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation: You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization: You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy: You must keep personal data accurate and up to date.
- Storage limitation: You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability: The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
GDPR vs CCPA: What are the key differences
Both GDPR and CCPA regulations are in place to protect consumers in today’s highly connected digital world. It has become easier than ever to communicate and transfer personal information from country to county at the click of a button. This is why an understanding of legislation around GDPR and its difference with CCPA is needed to prevent data misuse and privacy breaches.
While both pieces of legislation fundamentally share the same effect, the way they apply to businesses is different.
Is related to Californian consumers
Is related to E.U. residents as data subjects
Deals with personal information
Deals with personal data
Regulates for-profit organizations and their service providers in California
Regulates data controllers and data processors in relation to E.U. residents
Consumers do not have the right to correct incorrect personal data or any rectification measures
Consumers have the right to correct incorrect personal data or rectification measures
Requires a privacy notice to opt in or opt-out
Requires explicit consent
So, what even is personal information and data?
Personal information, as defined in the CCPA, relates to any information that describes or can be reasonably linked with a particular consumer or household.
Personal data as per the GDPR relates to any information that has the capacity to identify someone, whether it be directly or indirectly.
Under both the CCPA and the GDPR, examples of personal information or data include:
- Full name
- Home address
- Email address
- Passport number
- Driver’s license
- Social Security number
- Browsing history
- Employee data
- Medical Information
What are the rights of the consumers?
When undertaking a GDPR vs CCPA comparison, it becomes clear that consumer’s rights under both laws are quite similar.
Businesses need to make it clear to consumers about what personal data they collect and how they use it. Similarly, consumers are entitled to data portability and should have access to their personal information or data. The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Consumers should also be able to request said information from businesses in writing and it be in an accessible and usable format.
Individuals can also choose to opt-in or opt-out of having their personal data used. Lastly, as per the privacy law, businesses must give users the option of having all of their information that has been processed by a business deleted.
What are Cookies? (and why you have to agree)
Cookies are more than just a tasty snack; they are small text files that are used to gather data online about individuals. The data retained by cookies can be used to profile user activity and interests online.
The privacy implications of these small data files are particularly important when your business is operating online. Cookies store information about website visitors, to track and analyze website use. This allows businesses to tailor a customer’s experience in order to facilitate a better user experience.
The nature of cookies is that they are data retainers. One-off data retention seems relatively harmless; however, it is the cumulative effect of data retention which has implications for personal privacy.
Cookies have revolutionized the way data is collected online, this means greater obligations on the part of businesses and website owners to protect user’s privacy. In turn, the GDPR and CCPA both prohibit businesses from tracking personal information through cookies unless users consent or opt-in.
Is it legal to sell data under the GDPR? What’s accepted and what’s not?
The CCPA, as a privacy regulation, provides the legal basis for businesses to process personal information by default, only if there is a clear option to opt out of having their information sold and shared.
Under the GDPR, processing data can only occur when one of the following grounds is applicable:
- Consumers can consent for their data to be used by a business. However, they need to have the ability to withdraw said consent at any time.
- Processing is carried out under a contract between an individual and the business.
- There are legal obligations that require information to be accessed.
- Vital interests are involved to protect someone’s life.
- It is in the public’s interest.
When looking for GDPR or CCPA compliance the safest way to mitigate legal risk is to simply notify consumers on how you plan to use their information or data and give them ample room to opt-in or opt-out of the processing of personal data.
CCPA vs GDPR enforcement
Under both the CCPA and the GDPR, relevant data protection authorities can issue fines for non-compliance.
In regards to the CCPA, the Attorney General of California can issue a fine of $7,500 for an intentional violation or a standard fine of $2,500.
Under the GDPR, fines can be as large as $20 million or even be 4% of a business’ global annual revenue or gross revenue.
GDPR and CCPA regulations protect consumers from data privacy breaches and allow them to have control over what happens to their information and data.
Knowing how to navigate these privacy protection laws is critical to protecting your business from unintended violations.
For any business operating globally, it is best practice to comply with both the CCPA and GDPR.