For a long time, the US has had no single law regulating the use of personally identifiable information. However, the recent adoption of the California Consumer Privacy Act (CCPA) has significantly changed the dynamics of data privacy in the US. While this is a state law that primarily affects businesses in the greater California region, it offers a valuable starting point for other states to establish data protection laws. Besides the CCPA, the European General Data Protection Regulation (GDPR), which took effect in 2018, will act as a catalyst for the development of a federal law to guide the collection, storage, and transmission of personal data across the entire United States.
While there are similarities between the GDPR and the CCPA, assuming that they are alike can create confusion that may culminate in non-compliance. To help you understand the regulations, this article breaks down the contents of the CCPA and compares them with the GDPR.
Comparison between GDPR and CCPA
Who is regulated?
This question forms the basis for the first crucial difference between the GDPR and the CCPA. The GDPR has a broader scope than the CCPA. It governs all data controllers and processors in the European Union, as well as those outside the region that handle the personal information of EU citizens. As such, the GDPR has a global impact.
On the other hand, the CCPA is somewhat limited in scope. This law targets for-profit entities doing business in California. Additionally, a business must meet at least one of the following criteria before being subject to the regulations:
- Have gross annual revenue of more than $25 million
- Handle personal data of more than 50,000 California consumers
- Earn approximately 50% of its revenue from selling the personal information of California residents
Also, the CCPA covers any business that shares common branding with an organization that is bound by the regulations.
Who is protected?
While both the CCPA and the GDPR focus on data privacy, their definitions of key terms differ significantly. The GDPR concentrates on data subjects, the individuals to whom personally identifiable information can be linked. These individuals may not necessarily be located in the European Union.
By contrast, the CCPA focuses on consumers living in California, or whose primary residence is California even while they are outside the state. In its definition, the CCPA includes employees, customers of household goods, and B2B transactions.
As such, it is essential that you review both laws and determine whether they affect your business, even if it is outside their areas of jurisdiction (the EU and the State of California).
What Information is protected?
The information protected by the two laws is largely similar. However, there are slight differences in the scope of information each regulation protects. For example, the CCPA places more emphasis on households and devices than the GDPR does.
The GDPR restricts the processing of personally identifiable data relating to data subjects, while the CCPA uses a broader definition of PII. It defines PII as any personal information that describes, or can be linked (directly or indirectly) to, a specific individual, household, or device. It is crucial to note that, unlike the GDPR, the CCPA explicitly covers devices such as tablets and smartphones, as well as apps.
What are the Opt-Out Rights?
This area reveals one of the most crucial differences between the GDPR and the CCPA. The former does not create a right for a consumer to opt out of the sale of personal data. By contrast, the CCPA dedicates an entire section to the methods an organization must use to ensure that consumers can easily opt out of the sale of their personal information.
The GDPR only provides rights such as opting out of processing for marketing purposes or withdrawing consent for all processing activities. While this may offer an adequate opportunity to opt out, the law gives little attention to opting out as a method of enhancing data privacy. The CCPA compels all covered businesses to place the opt-out option in a visible location on their home page. Also, under the California law, consumers are given up to 12 months to authorize sales of personal information.
What are the Rights of Data Portability?
Both laws take a relatively similar approach to data portability rights. The GDPR requires that personal data be provided and transferred in a structured, machine-readable format. Similarly, the CCPA allows any consumer to request disclosure of their personal information, and the organization is obliged to comply within 45 days of the request. The information must be provided in an easily readable form.
Regulations Take on Security
Both laws concentrate on giving consumers direct control over the use of their personal information. The regulations are premised on the threats posed by cybercrime and the rising likelihood of private data being compromised. The GDPR requires each organization to implement technical measures that mitigate the risks to the integrity of PII. It gives data subjects the opportunity to seek compensation when damage occurs because a company negligently failed to protect personal data.
The CCPA provides a private right of action that a consumer can pursue in the event of a data breach. More importantly, the law is integrated into the California Civil Code, which makes violations of the regulations punishable by law. As highlighted above, the two laws differ in how they deal with violations.
When dealing with minors, the CCPA only requires parental consent before the sale of personal data. The GDPR, however, covers all instances of data processing, and parental consent alone is not enough to handle a minor's data: every process must still comply with the regulations.
Role of Technology in CCPA Compliance
Every compliance process involves a large volume of documents. Reading, internalizing, storing, and retrieving these documents can pose a significant challenge. Compliance software eases the burden by streamlining and integrating these processes, making it easier to access all the requirements and comply with them. Additionally, communication among all stakeholders becomes easier, which ensures seamless implementation of the requirements across your organization.