CCPA and GDPR Comparison
If you run an SMB (small to medium business) or a large for-profit business in California, you have probably heard of the California Consumer Privacy Act (CCPA), which went into effect 1 January 2020. Similarly, if your company operates in Europe, you will have heard of the European law, the General Data Protection Regulation (GDPR). But how do the CCPA and the GDPR compare in how they apply to your business and your privacy compliance obligations?
Both of these laws can affect your business and the way that it collects and uses information about customers and potential customers. Here we offer a short guide to get you started in understanding data privacy laws. It is by no means comprehensive, and it is not legal advice; you may need to consult an attorney. Our hope is to get you moving in the right direction.
Why do both CCPA and GDPR affect my business? Isn’t GDPR for Europe?
Both laws can impact your business because of the way each was written. Under the GDPR, for instance, if you collect data from any person who resides in a GDPR-protected country, then you must conform to the GDPR in protecting that person’s privacy rights. This applies to companies that are based in California and have customers in GDPR-covered regions. Under the CCPA, you must protect the privacy rights of any California resident, but only if your company falls into one of these categories:
- Over 50% of your revenue comes from the sale of consumer data
- Your company’s gross revenue is over $25 Million per year
- Your business controls the personal information of over 50,000 consumers, households or devices
It’s important to note that you are responsible for protecting data acquired in the 12 months prior to enactment of the law, in other words all of 2019. With the CCPA being superseded by the newer CPRA, its alignment with the GDPR becomes even closer. If you don’t currently fall into one of these categories, you might in the near future, after which you must comply. So in general, unless your company is stable and well below these thresholds, you should plan to conform to these laws.
We don’t keep any credit card data, are we OK?
Personal data includes any information that might identify a person, and therefore means much more than credit card data. The CCPA protects 19 different types of Personally Identifiable Information, including not only such things as street address, personal online identifiers and IP address, but also inferred data derived from collected data to form a profile of an individual. The GDPR has similar requirements that do not map exactly onto those of the CCPA.
Fine, so what do we have to do for GDPR vs. CCPA?
Let’s focus on the CCPA first. This list is not exhaustive, and amendments are being made regularly as of this writing. Here are some of your important action items. You must:
- Disclose to consumers what information is collected about them
- Disclose your purpose for collecting their information
- Delete their information if requested
- Allow them to opt out of the sale of their information
- Not discriminate against them for exercising their rights under the act
- Maintain notices on your website informing consumers of their right to know what information you have, who else has it, how they can have it deleted, and how they can opt out of its sale.
For the GDPR the requirements are similar, the most notable exception to date being that the GDPR requires you to maintain a record of processing activities and to disclose a legal basis for acquiring and holding consumers’ information. California businesses should be looking ahead to maintaining records of processing activities for risky categories of data as the deadlines for the new CPRA near. The California Privacy Rights Act (CPRA), which replaces the CCPA, takes effect on January 1, 2023. The newly appointed California Privacy Protection Agency (CPPA) will begin enforcing the CPRA from July 1, 2023.
My business is strictly B2B, so I don’t store any consumer data
The CCPA also covers “consumers” acting on behalf of a business entity rather than themselves, and thus applies to for-profit B2B companies as well.
Actually, we don’t store any customer data ourselves, we have SaaS-based CRM and marketing automation systems.
You are still responsible for complying with the CCPA and the GDPR for data held on your behalf by those providers.
Are we going to get sued?
The CCPA does provide for individual lawsuits if a data breach occurs. Otherwise, enforcement of the CCPA vests with the California Attorney General. For the GDPR, enforcement vests with the Data Protection Authority (DPA) of the country where the consumer who has a complaint against you lives.
I’ve heard other states are also passing laws, will we have to comply with 50 different laws?
This is a real problem, which might be solved by federal law applying to everyone. There are two bills before the House right now, the Consumer Online Privacy Rights Act (COPRA) and the Consumer Data Privacy Act (CDPA). At this time, the CDPA pre-empts state laws and COPRA does not. There are many similarities between the two bills, and many similarities with the CCPA. It is probably best to begin a compliance program based on the CCPA and make adjustments for federal legislation if a bill is signed into law.
Does GDPR cover CCPA?
The GDPR takes a more abstract approach to PII, while the CCPA provides precise definitions of what is and isn’t protected. Both laws reference anonymous data and do not consider it PII, but each sets its own criteria for what counts as anonymous, and those criteria matter. The GDPR is a general privacy law with no sectoral exemptions, and its provisions are uniformly enforceable in all EU Member States. The CCPA is only one of several regimes in the United States that provide users with such privacy safeguards. To properly defend their privacy interests, consumers must be mindful of their protections under several other regulations, such as HIPAA or GLBA.
A company doing business in multiple countries may decide that compliance with the stricter GDPR will give it the best coverage overall. However, it should also be mindful of CCPA-specific requirements such as “do not sell my data”.
Does GDPR replace the Data Protection Act?
The Data Protection Act (DPA) was replaced by the GDPR in 2018. While the GDPR builds on the DPA, the biggest difference is that the DPA applied only to the United Kingdom. In contrast, the GDPR applies to any organization that maintains or processes the personal data of EU citizens, even when the organization is not situated in the EU. This also means that UK businesses that handle EU citizens’ data must comply even after Brexit.
Is GDPR the same as the Data Protection Act?
While the two privacy laws are similar and most companies are likely to be already partially compliant with the GDPR, the GDPR expands on the original DPA and adds specific compliance requirements that organizations need to fulfill. If they haven’t done so already, firms must start their journey towards privacy compliance as soon as possible.
What type of data is protected by GDPR?
The GDPR exists to provide the European Union with a single set of privacy rules to protect its citizens’ personal data. Personal data means any information relating to an individual who can be named or identified. This includes names, identification numbers such as a social security number, IP addresses, and location data. Even physical characteristics, political stances, and job information qualify as personal data. The only exceptions are data about the deceased, anonymous data, and public information. If the answer to the question “Does the data my organization processes have the power to identify European citizens?” is yes, the data collected falls under the GDPR.
Is GDPR enforceable by law?
In short, yes. The European Commission essentially enforces the GDPR, with the European Data Protection Board (EDPB) advising the Commission. The EDPB’s responsibilities are outlined in Article 70 and include providing guidance and recommendations, advising and interacting with the European Commission, and maintaining consistent application of the GDPR. Supervisory Authorities exist in all 28 European member states to enforce the GDPR, among other purposes.
How is GDPR enforced?
GDPR fines are imposed as penalties for non-compliance by the data protection authority of each European country. In France, for example, the CNIL is in charge of monitoring GDPR compliance and fining non-compliance or breaches, while in Italy the Garante is in charge. These member states’ supervisory authorities monitor GDPR violations and determine fines based on the severity of the breach and the ten criteria of Article 83 of the GDPR, which include the nature, extent, duration and history of the infringement, among others.
Who does the CCPA apply to?
The CCPA covers “consumers,” identified as persons residing in California for reasons other than a temporary or transitory stay, whose PII is obtained or handled by a company subject to the CCPA. Individuals remain covered by the CCPA while they are registered in California for taxation purposes, even if they temporarily provide an out-of-state address.
What data is covered by CCPA?
The CCPA defines protected information as “sensitive information” that identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, to an individual consumer or household. Personal data includes legal name, aliases (AKAs), mailing address, email address, unique online identifier, IP address, account names, and dozens more.
How do I comply with CCPA?
Is IP address personal information under CCPA?
It depends. Generally, IP addresses fall under the CCPA’s personal data, but only when the IP address can identify a person. Frequently an IP address alone cannot identify a person; the ISP’s records are needed to make the link. So, if a business collects an IP address that is unconnected to any individual consumer or household, that IP address does not by itself fall under ‘personal data’, and its status is subject to change.
Is CCPA a data security law?
The CCPA is a state statute voted into effect on the California ballot in November of 2020 that is intended to enhance the privacy of California residents by allowing them to understand and see all information a company has saved about them and the third parties it shares that data with. Inspired by the GDPR, this law offers California residents control over their data, who collects it, and how it is processed.
I have no idea how to even get started on this!
Get help. Many qualified people are available to advise on the correct course of action for the CCPA. A few companies also have deep experience with the GDPR, and some offer SaaS-based services they will help you set up to manage your data and keep you compliant. Even if you are a B2B business with extra time to work with, the time to start understanding the data you have, where it comes from and where it is kept is now. You will need to be in compliance very soon.