CCPA and GDPR Comparison
If you run an SMB (small to medium business) in California, you have probably heard of the California Consumer Privacy Act (CCPA), due to go into effect on 1 January 2020. You might also have heard of the European law, the General Data Protection Regulation (GDPR). But how do CCPA and GDPR compare in how they apply to your business and your privacy compliance obligations?
Both of these laws can affect your business and the way it collects and uses information about customers and potential customers. Here we offer a short guide to get you started in understanding data privacy laws. It is by no means comprehensive, and it is not legal advice; you may need to consult an attorney. Our hope is to get you moving in the right direction.
Why do both CCPA and GDPR affect my business? Isn’t GDPR for Europe?
Because of the way each of these laws was written. For GDPR, if you collect data from any person who resides in a GDPR-protected country, you must conform to GDPR in protecting that person’s privacy rights. For CCPA, you must protect the privacy rights of any California resident under the law, but only if your company falls into one of these categories:
- Over 50% of your revenue comes from the sale of consumer data
- Your company’s gross revenue is over $25 million per year
- Your business controls the personal information of over 50,000 consumers, households or devices
It is important to note that you are responsible for protecting data acquired in the 12 months prior to enactment of the law, in other words all of 2019. If you don’t currently fall into one of these categories, you might in the near future, after which you must comply. So in general, unless your company is very stable and well below these limits, you should plan to conform to these laws.
We don’t keep any credit card data, are we OK?
CCPA protects 19 different types of Personally Identifiable Information, including not only items such as street address, personal online identifiers and IP address, but also inferred data derived from collected data to form a profile of an individual. GDPR has similar requirements that do not map exactly onto those of CCPA.
Fine, so what do we have to do for GDPR vs. CCPA?
Let’s focus on CCPA first. This list is not exhaustive, and amendments are being made regularly as of this writing. Here are some of your important action items. You must:
- Disclose to consumers what information is collected about them
- Disclose your purpose for collecting their information
- Delete their information if requested
- Allow them to opt out of the sale of their information
- Not discriminate against them for exercising their rights under the act
- Maintain notices on your website informing consumers of their right to know what information you have, who else has it, how they can have it deleted, and how they can opt out of it being sold
For GDPR the requirements are similar, the most notable difference to date being that GDPR requires you to disclose a legal basis for acquiring and holding consumers’ information.
My business is strictly B2B, so I don’t store any consumer data
CCPA also covers “consumers” who are representing a business entity rather than themselves. Under an amendment signed into law in October, you have an additional year in which to comply with most of the requirements, except the opt-out requirement and the non-discrimination requirement. Under a set of changes proposed in the last few days, this may be extended to 1 January 2023.
Actually, we don’t store any customer data ourselves, we have SaaS-based CRM and marketing automation systems.
You are still responsible for complying with CCPA and GDPR for the data held on your behalf.
Are we going to get sued?
CCPA does provide for individual lawsuits if a data breach occurs. Otherwise, enforcement of CCPA rests with the California Attorney General. For GDPR, enforcement rests with the Data Protection Authority (DPA) of the country where the consumer who has a complaint against you lives.
I’ve heard other states are also passing laws, will we have to comply with 50 different laws?
This is a real problem, which might be solved by a federal law that would apply to everyone. There are two bills before the House right now: the Consumer Online Privacy Rights Act (COPRA) and the Consumer Data Privacy Act (CDPA). At this time, CDPA pre-empts state laws and COPRA does not. There are many similarities between the two bills, and many similarities with CCPA. It is probably best to begin a compliance program based on CCPA and make adjustments for federal legislation if a bill is signed into law.
I have no idea how to even get started on this!
Get help. Many qualified people are available to advise on the correct course of action for CCPA. A few companies also have deep experience with GDPR, and some offer SaaS-based software services they will help you set up to manage your data and keep you compliant. Even if you are a B2B business with extra time to work with, the time to start understanding the data you have, where it comes from and where it is kept is now. You will need to be in compliance very soon.
For a more detailed comparison of CCPA vs. GDPR, download our whitepaper.