GDPR and CCPA: Understanding Your Compliance Obligations 

The GDPR took effect in May 2018, while the CCPA is set to take effect in January 2020.  Despite the increased risk of statutory penalties for failure to comply with new privacy laws, many businesses are not prepared, or do not fully understand whether they have any compliance obligations, and if so, what those obligations are. 

The statutes have a similar genesis in protecting the privacy of consumer data, but their legal structure is quite different: they differ significantly in what information is covered, what entities are obligated to comply and report, and what the relative penalties are for non-compliance. 

As businesses prepare yet a considerable number of businesses are not clear how to be ready for new privacy laws. What is the CCPA all about? How is it different from GDPR? Is compliance with the GDPR the same thing as complying with the CCPA? Many organizations are under the mistaken assumption that by complying with the GDPR regulations, they will be in full compliance with the CCPA.  This false assumption has serious financial (and reputational) ramifications. 

Since there are key differences between the regulatory regimes, businesses should prepare ahead of time to ensure they are in compliance with the CCPA prior to it becoming effective this January. 

What is the GDPR?

The European data privacy regulation became effective in May 2018. It is intended to detail an individual’s data privacy rights, increase business responsibility for securing those rights, enact penalties for failing to comply, and allowing consumers to know what happens to the data that they share. 

Referred to as revolutionary in data privacy law, the GDPA has pushed significant changes for WordPress websites (like display of cookie notification on those sites, drawing up of privacy policy, mandatory processing agreements, allowing the users to request/remove their personal information, and many more). It has also redefined key business roles, such as the Chief Information Officer (CIO) and Chief Marketing Officer (CMO).

Simply put, the GDPR has played a pivotal role in the way industry players managed customer data, from financial services players to healthcare providers and beyond.

Businesses that come under within the scope of the GDPR are required to follow data protection policies, implement data impact reviews, and make documents available on how all data is processed. Organizations with over 250 employees must document why consumer information is being collected, how the information is being stored, the time duration for which the information is being stored, and the security measures in place that are being used to prevent misuse.

What is the CCPA?

The CCPA will become effective in January 2020. It is the most significant development in privacy legislation in the U.S. in years.  Considered to be one of the toughest consumer privacy laws in the United States, the CCPA will help to protect the consumer rights of Californians, promote stronger privacy, and improve data transparency in general. Moreover, it will also empower Californians to request any business to disclose or delete their personal data that the business collects.

With the CCPA, Californians will be allowed to:

  • Know and access what personal data any organization is collecting, and request it be deleted
  • Know if their personal information is being shared with any third-party vendor, and if so, with whom
  • Decline to allow the sale of their personal information
  • Receive the same service and price, whether or not they decide to exercise their privacy rights

According to the CCPA, companies won’t be allowed to sell the personal information of consumers who are 13–16 years of age (unless the consumer opts-in); for customers who are 13 or younger, a parent or guardian will have to consent to the sale of their child’s data. Businesses are also required to update their privacy policy at least once every 12 months.

The CCPA vs. the GDPR: An in-depth comparison

There’s no denying that the CCPA has been inspired by the earlier enacted laws of the GDPR and may appear similar to its European counterpart; however, the core legal framework of each is different.

Here are some of the differences:

  • Definition of Personal information: While the CCPA covers “residents of California” only, the GDPR applies to “EU data subjects” with no mention about the citizenship or residency requirements of those individuals. While the CCPA offers protection of data linked to a specific household, the GDPR is concerned about the information related to individuals only.
  • Covered Entities: According to the GDPR, all organizations (businesses, public institutions, and non-profit companies) must comply to avoid penalty. The CCPA applies to “for-profit companies” that meet these criteria:
    • Annual gross revenues over $25 million.
    • Dealing with personal data of over 50,000 consumers, devices or households.
    • Minimum 50% of annual revenue made from selling customer data.
    • Collect and process customer’s data.
    • Doing business in California, although the CCPA does not offer clarity whether or not the company must be located in the state or fulfill particular profit thresholds.
  • Data: While all categories of personal data come under the scope of the GDPR, the CCPA applies to data not covered by the current federal privacy laws, such as Health Information Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA).
  • Transparency obligations: Both the GDPR and the CCPA require organizations to reveal what they do with the personal data that they have collected on a consumer. While the CCPA requires that businesses divulge details related to data sales and the data processing activities over the last 12 months, the GDPR does not bind organizations by such a limitation.
  • Right to delete: While the CCPA’s right to delete personal data is only applicable to the data collected from the consumer, the GDPR applies to all data concerning a subject matter, no matter where it came from.
  • Rights of the consumers: According to the GDPR, a business must take prior permission from data subjects for data processing and allowing third-party access to their data. In the CCPA, Californians can opt-out of the data sale if they wish, and businesses must share a visible link in their homepage for this purpose.
  • Data portability: Both the privacy laws offer the right to data portability, which means the consumer data has to be provided in a machine-readable format that can be transmitted to another entity. While under the GDPR organizations are obliged to transfer a data subject’s information to another data controller if requested, in the CCPA companies do not need to follow any such obligation and should offer consumers the information electronically in a readily useable format.
  • Penalties for non-compliance: Under GDPR, the fines are as high as 4% of the annual turnover or €20 million (about $22 million USD) (whichever is higher), and they are directed through an assigned data protection authority designated in each European Union member. A CCPA violation means the organization will be paying a $7500 fine plus $750 per individual involved and that it will be directed through the Attorney General of California.

Ongoing Concerns 

The differences between the GDPR and the CCPA make it clear that though the regulatory regimes address the same concerns over consumer data privacy rights, they do it quite differently. Preparation for compliance with both requires a broader program than simply complying with the GDPR.  Smart businesses are already data testing their operational and IT solutions. If you have concerns about your compliance, seek advice and input from a compliance expert.