When the EU unveiled the General Data Protection Regulation (GDPR) framework, the impact echoed across the tech industry. In effect since 25 May 2018, GDPR established requirements for how data is collected, stored, and used in the 27 EU member states. It has global implications, affecting multinational companies and anyone who does business with EU residents.
The California Consumer Protection Act (CCPA) went into effect in August 2020 and protects California consumers regarding their right to know, delete, and opt-out of the sale of personal information collected by businesses.
There are some important similarities and differences between these frameworks as outlined below.
GDPR is the world’s strictest set of data privacy and protection rules. It contains 99 articles and seven key principles:
CCPA approaches data privacy by naming five rights for consumers residing in California:
There are some key differences between the two pieces of legislation. CCPA is less stringent than GDPR, so ensuring compliance with GDPR will likely go beyond what CCPA requires. However, it’s up to you to understand the provisions and how they impact your data practices.
The key differences you should be aware of fall into the following categories:
GDPR applies to businesses of all types and sizes that collect, store, or use consumer data in any way. GDPR rules protect EU residents, meaning anyone who does business with EU residents must comply, regardless of where the company is located. If an EU resident can access and use your website, you are responsible for complying with GDPR.
CCPA is similar but applies to California residents. If you do business with California residents, you must comply with CCPA regulations. However, CCPA limits the organizations that are impacted. Only for-profit organizations that meet at least one of these conditions must comply:
GDPR covers all personal data regardless of how it’s collected or processed. Organizations must obtain the consent of each user before collecting or accessing their data. CCPA requires businesses to provide consumers with the option to opt-out if personally identifiable data will be shared or sold.
CCPA does not apply to data that is already legally available to the public, such as information in government databases. It also does not cover information already protected under federal data protection regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).
Any personal data that can be attributed to an individual (directly or indirectly) falls under both CCPA and GDPR, but each regulation defines the actions to be taken with the data slightly differently.
GDPR regulates the processing of personal data, which includes any action performed on the data. Collecting, storing, structuring, using, analyzing, sharing, and selling data are all covered under data processing.
While regulating many of the same processes, CCPA further differentiates between different types of data handling. Processing, for example, refers to only the actions taken after the data are collected.
Under both GDPR and CCPA, consumers have the right to know how data is being collected, the planned use of personally identifiable data, and how they can enforce their data privacy rights.
CCPA requires companies to send reports to data subjects upon request covering the preceding 12 months. These reports detail the information collected, sold, and disclosed for business purposes. Third-party companies acquiring consumer data must also notify consumers if they plan to sell data to other third-party entities.
GDPR has stricter rules regarding what information must be provided to consumers. Consumers must be notified whenever data is collected or information is shared or sold. They must be told how long the data will be retained and the purpose for collecting, saving, and using the data.
Under both GDPR and CCPA, consumers have the “right to be forgotten.” A consumer can request that a company delete all information it has collected that is associated with said consumer, with few exceptions.
Under GDPR, penalties and fines may be 4% of the company’s total annual revenues or €20 million ($23.2 million) — whichever is higher.
CCPA levies fines per violation: up to $7,500 for each intentional violation, with no cap on the total. Unintentional violations can face fines of $2,500 per incident. Consumers can also receive direct payments between $100 and $750 without needing to prove harm.
So far, EU regulators have assessed nearly €294 million ($340 million) in fines for issues including lack of consent, advertising targeting practices, failure to secure data, data breaches, and purchasing data from providers without consent, among other violations.
Enforcement of CCPA has so far focused on warning companies and giving them time to comply. Enforcement is expected to become more stringent toward the end of 2021.
A more robust version of CCPA was passed by California voters in 2020 and will go into effect in January 2023. Called the California Privacy Rights Act (CPRA), it establishes an expansion of consumer privacy rights. In the US, Colorado and Virginia have passed data privacy legislation as well, while six more states have bills pending.
Globally, 66% of all nations have enacted data privacy legislation and another 10% have drafts in progress.
Complying with an evolving sea of different legislative requirements is an ongoing challenge for organizations of all sizes.
Zendata conducts automated data risk checks to help enterprise legal teams, risk and compliance, IT security, and product teams find and fix the vulnerabilities in their data collection methods. We help you monitor and identify privacy issues before regulators or enforcement agencies find them.
To get started, contact the privacy compliance experts at Zendata today or try our automated solution right now for free.