CCPA vs GDPR: What You Need to Know About These Data Privacy Laws

These two far-reaching pieces of legislation are confusing — we’ll provide a bit of clarity about how they affect your organization

Looking at the information security and data privacy industries is much like looking at a bowl of alphabet soup: FIPS. PCI DSS. HIPAA. PIPEDA. CCPA. GDPR. Or, even more complicated — comparing two of them, like the CCPA vs GDPR.

A, B, C, D, E, F, G… 🎵

So many acronyms, so many audiences — so little time.

Without context or an understanding of what each of these different acronyms means, these data privacy laws and regulations can be confusing. Luckily, you have us to wade through the muck and break down the meaning behind these data privacy laws and regulations. 

In this article, we’ll compare and contrast the GDPR and CCPA — what each law is, how they are similar or different, and what they mean for your organization.

So, as we like to say around here…

Let’s hash it out.

What we’re hashing out…

1. The Battle of Two Privacy Laws: CCPA vs GDPR
   - What is the General Data Protection Regulation?
   - What is the California Consumer Privacy Act?
2. 6 Major Similarities Between the CCPA and GDPR
   1. Both Laws Give Individuals the Right to View and Access the Data Companies Collect on Them
   2. Businesses Are Required to Delete Personal Data Upon Request (With Some Exceptions)
   3. Businesses Must Disclose Specific Details on How They Handle Personal Data
   4. Businesses Can Ignore Both Laws (But Only for Specific Reasons, Including Law Enforcement)
   5. CCPA vs GDPR: Businesses Who Don’t Comply Will Be Fined
   6. Both Laws Require Businesses to Implement Cyber Security Measures… But They’re Not Very Specific
3. CCPA vs GDPR: 12 Key Ways That the Two Regulations Differ
   1. CCPA Gives Individuals the Right to Stop Companies from Selling Their Data
   2. GDPR Requires Companies to Have 1 of 6 Legal Bases Before Processing Personal Data
   3. CCPA vs GDPR: GDPR Took Years to Craft — The CCPA Was Passed Within Months
   4. GDPR Protects the Personal Data of Anyone in the EU (No Matter Where Your Company is Located)
      - What Counts as Public Data?
      - Who or What Is a Data Subject?
   5. CCPA Protects the Data of Californians (No Matter Where Your Company Is Located)
      - Who’s Considered a California Consumer?
      - What Counts as Personal Information?
   6. GDPR Has Additional Requirements for Companies Handling Health-Related Data
   7. If You’re Any Sort of Business, Institution, or Organization That Handles Covered Data, GDPR Applies to You
   8. CCPA Only Applies to For-Profit Business (And Most Small Businesses Are Exempt)
   9. GDPR Requires Data Protection Officers and Additional Processes and Paperwork
   10. The CCPA Provides Greater Protection from Discrimination or Unequal Treatment — Sort of
   11. CCPA vs GDPR: Violators Will be Fined Under Both Laws — But GDPR Fines Are Much Higher
      - GDPR Civil Penalties
      - CCPA Civil Penalties
   12. CCPA vs GDPR: Consumers Can Seek Much Higher Compensation for Violations Under GDPR
      - GDPR
      - CCPA
4. A Few Final Takeaways from Our Look at the CCPA vs GDPR

The Battle of Two Privacy Laws: CCPA vs GDPR

When comparing the European Union’s General Data Protection Regulation (GDPR) with the California Consumer Privacy Act (CCPA), there are some blatantly obvious similarities and differences, as well as some more nuanced differences.

The first thing to note about these two regulations is that they affect two geographically different audiences:

• GDPR: It’s all about protecting the private data and personal information (PI) of “natural persons” (individuals) who are in the European Union from businesses, public bodies and institutions that are established inside and/or outside of the union.
• CCPA: It aims to protect the private information of California consumers from for-profit businesses that meet specific thresholds (more on that in a bit).

Although they share some similar definitions, in many ways, the CCPA and the GDPR are also different in their approaches. They have different terminology concerning whose data is protected, what types or categories of data are protected, and the types of organizations or businesses that the laws apply to.

Comparing the CCPA vs GDPR is much like looking at apples and oranges. They have many similarities — they’re both roundish tree-grown fruits with stems and strong flavors (oh, and they both make juices that taste fabulous and are great additions to any sangria… but I digress) — but when you get down to comparing the CCPA vs GDPR, there are many differences between the two.

What is the General Data Protection Regulation?

The EU’s General Data Protection Regulation is a set of privacy regulations that have been in effect since May 25, 2018. The law aims to protect the fundamental rights and freedoms, particularly the right to protection of personal data, of “natural persons” (which, according to the regulation, are known as “data subjects”) in the European Union.

How does it do this? By requiring data “controllers” and “processors” — organizations and businesses that collect, use, or process the personal data of these data subjects — to disclose how the information they collect is processed and used. It also gives users more control over how their data is collected and processed.

So, basically, if you want to use people’s personal data, you need to explain why you’re collecting it, how it’ll be used, and what rights they have concerning access and consent.

Now, let’s turn our attention to the west coast of the United States to briefly discuss the CCPA.

What is the California Consumer Privacy Act?

Sometimes called the U.S.’s version of the GDPR, the California Consumer Privacy Act is, in some ways, the toned-down version of its European counterpart. It’s the smaller, somewhat less imposing younger brother. However, it’s still significant and is poised to have a global impact considering that:

• The U.S. lacks a comprehensive federal data privacy law;
• California is the fifth largest global economy (ranking ahead of the U.K., France, and India); and
• The regulation applies to businesses worldwide that meet certain criteria.

The CCPA applies to any organization, regardless of location, that deals with California consumers and/or their private data. However, there are certain size requirements that the organizations must meet to be subject to the law (which we’ll address later). The regulation officially goes into effect Jan. 1, 2020, although it does have certain provisions that required organizations to provide certain information to consumers for the year leading up to it. It also has an amendment that will go into effect Jan. 1, 2021.

So, what else is there to know about the CCPA vs GDPR? A lot. We’ve covered a brief overview of what these laws are. Let’s see what similarities they share and how they differ.

6 Major Similarities Between the CCPA and GDPR

The California Consumer Privacy Act and the General Data Protection Regulation share several similar requirements and expectations. In this section, we’ll break down some of the top things that these two pieces of legislation share.

1. Both Laws Give Individuals the Right to View and Access the Data Companies Collect on Them

The California Consumer Privacy Act and the General Data Protection Regulation are similar in that both serve to ensure that covered individuals can exercise their rights to access or limit the use of their personal data. When comparing the CCPA vs GDPR, both of these data privacy laws establish additional protection for individuals who are age 16 and younger.

The GDPR enforces an individual’s right to access their EU personal data that’s processed and to have that information imported or exported in a user-friendly format. They can access their personal data from the past 30 days (longer in some circumstances) and can request access to it an unlimited number of times.

The CCPA also requires that the information can be exported in a user-friendly format, but there’s no requirement for importing it. Unlike the GDPR, however, the CCPA’s access right covers a 12-month window. Information about how their data is collected, used, or sold can only be requested up to two times in that period.

2. Businesses Are Required to Delete Personal Data Upon Request (With Some Exceptions)

When comparing the CCPA vs GDPR, both regulations also provide private individuals with a way to access and delete their personal information.

Under both the CCPA and GDPR, covered individuals have the right to request that a business or organization delete their personal information (under specific circumstances). Under the CCPA, that business must direct any service providers who also have that information to delete those records as well. However, a business doesn’t have to comply with this request if the consumer’s personal information is considered necessary for specific operations as outlined in 1798.105(a).

Under the GDPR, a covered individual’s right to erasure (as outlined in Article 17) is also known as “the right to be forgotten.” Catchy, no? This article specifies several grounds upon which an individual can obtain, without undue delay, the erasure of their information — many of which have legal bases.

3. Businesses Must Disclose Specific Details on How They Handle Personal Data

Both the CCPA and GDPR go to great lengths to require transparency about how individuals’ information is collected, shared, and used. Under the CCPA, for example, businesses must provide information as to:

• the categories of information they collect;
• whether the information will be sold or shared with third parties; and
• what rights the individual has concerning data erasure.

Under the GDPR, the “right to be informed” is made very clear concerning EU citizens (and people located in the EU, even just temporarily). It does, however, stipulate a difference between data obtained directly from that individual (Article 13) versus data obtained from another source (Article 14).

Both the CCPA and GDPR require detailed privacy notices from organizations and businesses that collect private and personal information. Under the GDPR, the law has different requirements for information that’s obtained directly from the data subject versus information obtained from another source. If the former, the person must be informed immediately (when the data is collected); if the latter, they must be informed “within a reasonable period of time, but at the latest after a month” unless the info will be used to contact them directly — then they must be informed “upon being approached.”

Under the CCPA, businesses that collect consumers’ personal information must inform them at or before the point of collection about what categories of information are being collected and how the info will be used. If a consumer submits a verifiable consumer request for their information, that info must be disclosed and delivered to them without charge within 45 days of their request being received.

Although the way that each law requires businesses to handle the data they collect or receive differs, the general takeaway is essentially the same: As a general rule of thumb, if you’re going to collect private or personal information from individuals who fall under these protections, you should state up front what types of information you’re going to collect, how the information will be used, and what their rights are to opt out of the collection of that information.

4. Businesses Can Ignore Both Laws (But Only for Specific Reasons, Including Law Enforcement)

Both the CCPA and GDPR have exceptions to individuals’ rights to data privacy. These exceptions often include matters concerning law enforcement-related investigations, judicial proceedings, or public safety concerns. In Section 1798.145, the CCPA outlines that:

“(a) The obligations imposed on businesses by this title shall not restrict a business’s ability to:

(1) Comply with federal, state, or local laws.

(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.

(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.”

The GDPR also makes similar exceptions — but on a much broader scale. Article 23 outlines that its obligations may be restricted when it comes to national and public security, defense, criminal investigations and prosecutions, judicial independence and proceedings, as well as multiple other considerations.

5. CCPA vs GDPR: Businesses Who Don’t Comply Will Be Fined

Both the CCPA and GDPR outline civil penalties that can be brought against businesses or other organizations for violations or infringements of the regulations. However, the civil penalties vary drastically between the two. We’ll speak more to that in the next section.

6. Both Laws Require Businesses to Implement Cyber Security Measures… But They’re Not Very Specific

When comparing the CCPA vs GDPR in terms of how well they provide strategies or guidance for mitigating risk, both regulations are lacking. The GDPR, in Article 32, does mention the “pseudonymisation and encryption of personal data,” but the law intentionally doesn’t provide specific recommendations. The CCPA isn’t much of a help in this area, either. It simply specifies that businesses must maintain “reasonable security procedures and practices” but doesn’t provide guidance as to how to accomplish this task. This is likely because lawmakers realize that technologies and processes change over time, so they thought it best not to list specific technologies or methodologies that will quickly become outdated or obsolete.


CCPA vs GDPR: 12 Key Ways That the Two Regulations Differ

Now that we’ve looked at the similarities, let’s compare the CCPA vs GDPR to see what some of their most notable differences are. Some CCPA requirements overlap with existing GDPR requirements. However, some processes, systems, and policies will require updates or tweaking to match the specific requirements of the new Golden State law.

1. CCPA Gives Individuals the Right to Stop Companies from Selling Their Data

The CCPA and GDPR differ significantly in terms of their core frameworks and their scope of personal information processing. For example, the CCPA focuses primarily on transparency-related obligations and provisions that inform consumers about your company’s data sales practices and limit the sale of personal information. Businesses must include a “do not sell my personal information” link on their website home pages to give consumers the right to opt out of allowing their information to be sold.

The GDPR, on the other hand, doesn’t explicitly address the sale of information to third parties. This is just one of multiple ways in which the CCPA vs GDPR differ.

2. GDPR Requires Companies to Have 1 of 6 Legal Bases Before Processing Personal Data

The GDPR, on the other hand, focuses significantly more on accountability-related obligations and frequently requires having a “legal basis” concerning the need for data processing. (The CCPA requires no such legal basis as a justification for collecting and using personal info.)

Under Article 6, these legal bases include the following:

1. “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”;
2. “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”;
3. “processing is necessary for compliance with a legal obligation to which the controller is subject”;
4. “processing is necessary in order to protect the vital interests of the data subject or of another natural person”;
5. “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”;
6. “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

3. CCPA vs GDPR: GDPR Took Years to Craft — The CCPA Was Passed Within Months

The two laws took significantly different amounts of time to prepare and build. On one hand, the GDPR, the first of its kind, is a sweeping piece of legislation that took several years to create and debate before being approved and, eventually, put into effect.

The CCPA, in comparison, was a rush job that took only months from the time it was introduced to the time it was approved by the governor and chaptered by the Secretary of State. This is because the law was passed quickly as part of a deal to keep a more restrictive measure, a proposed initiative (No. 17-0039) that was known as the Consumer Right to Privacy Act 2018, from being placed on the ballot.

4. GDPR Protects the Personal Data of Anyone in the EU (No Matter Where Your Company is Located)

What Counts as Public Data?

In a nutshell, the GDPR applies to the processing of personal data of “data subjects” — more on what that means in just a moment.

So, what is considered “personal data?” Article 4 outlines that personal data includes a variety of direct and indirect identifying information such as:

• names,
• location data,
• online identifiers,
• economic information,
• physical, genetic, physiological or mental identifiers, or
• social or cultural identifiers.

The term “processing” refers to various types of operations, including the “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” of personal data.

To put it another way, the law applies to any organization that accesses, collects, uses, alters, stores, or otherwise operates on covered individuals’ personal data in virtually any way. It’s important to note that the GDPR applies to publicly available data, whereas the CCPA does not.

Who or What Is a Data Subject?

But who or what is considered a “data subject” under the law? This term refers to someone:

“[…] who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, genetic, mental, economic, cultural or social identity of that natural person.”

Essentially, Recital 14 states that it protects “natural persons” (individuals) rather than “legal persons,” or legal entities — so, private individuals rather than companies. Article 3 specifies that these data subjects are those who are in the EU. It doesn’t specify that they have to be EU residents or citizens, however. This means that the PI of someone visiting from another country — say, an American visiting an EU member state — would be protected so long as they’re located in the European Union.

5. CCPA Protects the Data of Californians (No Matter Where Your Company Is Located)

The CCPA, on the other hand, takes a different approach and protects the rights and “personal information” of California “consumers.”

Who’s Considered a California Consumer?

A consumer is defined as “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations… however identified, including by any unique identifier.” More on the definition of “personal information” momentarily.

What Counts as Personal Information?

The CCPA protects “personal information” of California consumers, meaning “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In section 1798.140, it does, however, include a variety of specific personal identifiers and data such as:

• names and aliases,
• postal addresses,
• unique personal identifiers,
• online identifiers,
• IP addresses, email addresses, and account names,
• social security numbers, driver’s licenses, and passport information (or other similar identifiers),
• demographic information,
• geolocation data,
• commercial information,
• internet and electronic network activity info,
• audio/electronic, visual, thermal, olfactory, or similar information,
• professional and employment-related information, and
• education information.

However, a recent amendment (AB-25) to the law has made it so that PI collected “in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business” would be exempt for one year until the amendment sunsets on Jan. 1, 2021. The exceptions to this change would be the civil action provision (which we’ll discuss more later) and the business’s obligation to inform consumers about the types of personal info that the business will collect.

                                                      Steps you can take to help prevent cyber attacks at your company

                                                      Any article talking about the differences between the CCPA vs GDPR would be remiss to not at least mention healthcare or medical-related information and data. GDPR places greater protection on personal data relating to health than its California counterpart. It separately defines “biometric data” and “genetic data” as two separate types of personal data, whereas under CCPA, such information is encompassed under the single category of “personal information.” 

                                                      CCPA, on the other hand, is less specific than the GDPR in addressing health, biometric, and medical-related information. It tends to defer to other U.S. legal frameworks concerning the processing of certain categories of personal information such as health or medical-related information that would be addressed by the Health Insurance Portability and Accountability Act or the Confidentiality of Medical Information Act.  

                                                      7. If You’re Any Sort of Business, Institution, or Organization That Handles Covered Data, GDPR Applies to You

                                                      Under the GDPR, the law is pretty generic in that it applies to any virtually business, organization, or institution that collects, processes, or operates on the data of people located in the European Union. It also applies to businesses or organizations that monitor the behaviors of individuals in the EU.

                                                      As we mentioned earlier, however, the exception to this rule is that the regulation doesn’t apply to law enforcement or data relating to national security areas. (Although the laws may still apply to any businesses that provide services to such organizations or government entities.)

                                                      8. CCPA Only Applies to For-Profit Business (And Most Small Businesses Are Exempt)

                                                      Under the CCPA, on the other hand, a “business” is considered a for-profit legal entity who deals with California customers and/or their personal data. Although the company isn’t required to have a physical presence in the state, it does need to be conducting business in it. This includes companies that:

                                                      • share the personal information of at least 50,000 consumers;
                                                      • have $25+ million in gross revenue; or
                                                      • get at least half of their annual revenue from the sale of consumers’ personal info.

                                                      9. GDPR Requires Data Protection Officers and Additional Processes and Paperwork

                                                      GDPR is more stringent in that it requires the appointment of data protection officers, maintaining a record of processing activities, and sometimes requires the use of data protection impact assessments in specific instances. The CCPA doesn’t require any such appointments or processes.

                                                      10. The CCPA Provides Greater Protection from Discrimination or Unequal Treatment — Sort of

                                                      The CCPA explicitly states in 1798.125(a)(1) that individuals who exercise the new rights afforded by the regulation are not to be discriminated against by businesses. Nothing so explicit is addressed by the GDPR. Essentially, the idea here is that no business can deny California consumers service, charge them different prices, or offer different levels of service based on whether they choose to exercise their right to data privacy.

                                                      This is all fine and good conceptually, but this is where it also gets a bit confusing and, frankly, contradictory. 1798.125(a)(2) says:

“Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.”

                                                      Furthermore, 1798.125(b)(1) states:

“A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.”

                                                      So, does this mean that you as a business can or can’t discriminate or provide any form of “financial incentives” to consumers? It’s six of one, half a dozen of the other. I guess this is why lawyers and judges get paid the big bucks to argue and interpret these types of nebulous — or, at times, downright contradictory — laws. I’ll leave that to the experts.

11. CCPA vs GDPR: Violators Will Be Fined Under Both Laws — But GDPR Fines Are Much Higher

As we mentioned earlier, the CCPA and GDPR take different approaches when it comes to administering penalties and fines for noncompliance.

                                                      GDPR Civil Penalties

Unlike some other data protection laws and regulations, the GDPR has teeth when it comes to punishing violations. The penalties are among the largest the world has seen for data privacy violations. For example, Article 83 states that organizations that infringe the rights may “be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.”

This means that organizations that fail to comply with this data privacy law could face up to €20 million (or 4% of worldwide annual turnover, whichever is higher) in noncompliance penalties. Google was one of the first to experience the woes of noncompliance, with a €50 million penalty (approximately $57 million) for data privacy violations concerning France’s citizens. This marked the first reported occasion of a major tech company being penalized under the privacy law.

Although, realistically, this amount is just a drop in the bucket for a company as big as Google, it is a showstopper for smaller organizations. It would definitely close the doors of small to mid-size businesses and would put a significant dent in the coffers of some large businesses.

                                                      CCPA Civil Penalties

Under the CCPA, businesses that fail to “cure” an alleged violation within 30 days of receiving a noncompliance notice are subject to a civil penalty of no more than $2,500 for each violation, or $7,500 for each intentional violation. Penalties recovered are deposited into the Consumer Privacy Fund to cover costs incurred by the state courts and the attorney general.

                                                      To me, it seems like nothing more than a small slap on the wrist — and, frankly, a slap to the faces of consumers whose rights to data privacy are violated. Thankfully, there’s something they can do to get some compensation for these violations under the CCPA… although, frankly, they’ll likely be disappointed with that, too.

                                                      12. CCPA vs GDPR: Consumers Can Seek Much Higher Compensation for Violations Under GDPR

The actions that individuals can take under the CCPA and GDPR when their rights under the respective laws have been violated are very different. The level of compensation they may receive also varies, with the GDPR holding the promise of higher payback for privacy violations.

                                                      GDPR

Under the GDPR, a data subject has the right to lodge a complaint with a supervisory authority for any perceived infraction concerning the processing of their personal data. If they disagree with the decision of that authority, or if the authority does not handle the complaint or fails to update them on its progress or outcome, they have a right to an “effective judicial remedy” against that authority. The data subject can also take the same legal approach against a controller or processor for any perceived noncompliance.

                                                      The data subject has the right to receive compensation from a controller or processor for damages that result from GDPR violations (unless the accused can prove that it wasn’t responsible for causing the damage). The bad news? This means that if your business (let’s say you’re a controller) gives customer information to a third-party service provider (processor) who uses it unlawfully or against your instructions, your business — and/or the processor — can be held liable.

Each party — the controller, the processor, or both — can be held liable for the entire damage, to ensure the data subject is effectively compensated. The good news? If you’re a controller or processor who pays full damages to the data subject, you can then claim back from the other party the portion of the compensation corresponding to its share of the responsibility if that party acted outside or contrary to your instructions. In other words, if the PI (personal information) you provide to a third-party service provider is used in any way other than as instructed, you have a right to pursue compensation from that provider.

                                                      CCPA

                                                      Under the CCPA, a consumer can bring a private civil action — the civil action provision we mentioned earlier — against a business that fails in its duty to protect their “nonencrypted or nonredacted personal information” if that failure results in “unauthorized access and exfiltration, theft, or disclosure.” However, the burden falls on the consumer, who must provide the business with 30 days’ written notice identifying the specific violations of the regulation.

                                                      However, if the business fixes the violation and assures the consumer (in writing) that no further violations will occur, “no action for individual statutory damages or class-wide statutory damages may be initiated against the business.”

Otherwise, the consumer may be eligible to pursue civil action to:

1. recover damages of $100-750 per consumer per incident or actual damages, whichever is greater;
2. receive injunctive or declaratory relief; or
3. obtain any other relief the court deems appropriate.

                                                      A Few Final Takeaways from Our Look at the CCPA vs GDPR

All that we’ve discussed about the CCPA and GDPR demonstrates why it’s so important for every business, regardless of size, to take a hard look at its existing policies, processes, and procedures. In this digital era, it’s imperative that businesses take the proper steps to ensure data security — both to protect the rights and security of individuals and to protect themselves. These steps include evaluating:

                                                      • how information is collected, stored, and used by your own organization, as well as
                                                      • how it’s transmitted to or otherwise provided to and used by authorized third-party service providers.

                                                      Unfortunately, the GDPR doesn’t provide much in terms of how to approach risk mitigation in data processing aside from requiring organizations to conduct risk assessments and adopt necessary security measures. That’s why we’ve come up with a list of our own recommendations:

• Keep all private and personal information encrypted. To avoid issues concerning the exposure of nonredacted or unencrypted information, ensure that all info is transmitted over encrypted connections (HTTPS for your website and TLS for your email servers). Encrypt data at rest by using the encryption solutions offered by your database vendor. Furthermore, secure the contents of your emails themselves with email encryption solutions such as S/MIME certificates.
                                                      • Implement strong access control mechanisms, policies, and procedures. The goal here is to mitigate unauthorized access. Taking this step ensures that access to sensitive personal information is limited to only those who need it to perform their jobs. Put procedures in place that ensure access is removed once it’s no longer required for an employee to perform their job or if the employee no longer works there.
• Teach employees cyber security best practices and provide cyber awareness training. The goal here is to help your employees — everyone from the CEO and board members down to the janitorial staff — recognize potential threats such as phishing emails or malicious links. Provide them with real-world examples and run phishing simulation training as well, to help them recognize threats in the wild.

We hope this article provides clarity about the similarities and differences between the CCPA and GDPR. Although the CCPA affords greater rights to a smaller group of individuals and affects fewer businesses than the GDPR, it’s still a powerful piece of legislation that is poised to have a major impact on businesses worldwide. And while the preparations your business may have made for the GDPR are helpful, they won’t encompass all of the updates or changes you’ll need to take care of before Jan. 1, 2020.


                                                      Author

                                                      Casey Crane

                                                      Casey Crane is a regular contributor to Hashed Out with 10+ years of experience in journalism and writing, including crime analysis and IT security. She also serves as a Content Marketer at The SSL Store.