{"id":11739,"date":"2019-11-06T12:03:28","date_gmt":"2019-11-06T17:03:28","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=11739"},"modified":"2021-03-11T13:26:44","modified_gmt":"2021-03-11T18:26:44","slug":"ccpa-vs-gdpr-what-you-need-to-know-about-these-data-privacy-laws","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/ccpa-vs-gdpr-what-you-need-to-know-about-these-data-privacy-laws\/","title":{"rendered":"CCPA vs GDPR: What You Need to Know About These Data Privacy Laws"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"these-two-far-reaching-pieces-of-legislation-are-confusing-\u2014-we\u2019ll-provide-a-bit-of-clarity-about-how-they-affect-your-organization\">These two far-reaching pieces of legislation are confusing \u2014 we\u2019ll provide\na bit of clarity about how they affect your organization<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Looking at the information security and data privacy industries is much like looking at a bowl of alphabet soup: FIPS. PCI DSS. HIPAA. PIPEDA. CCPA. GDPR. Or, even more complicated \u2014 comparing two of them, like the CCPA vs GDPR. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>A, B, C, D, E, F, G\u2026<\/em> &#x1f3b5;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So many acronyms, so many audiences \u2014 so little time. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Without context or an understanding of what each of these\ndifferent acronyms means, these data privacy laws and regulations can be\nconfusing. 
Luckily, you have us to wade through the muck and break down the meaning\nbehind these data privacy laws and regulations.&nbsp;\n<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In this article, we\u2019ll compare and contrast the GDPR and\nCCPA \u2014 what each law is, how are they similar or different, and what they mean\nfor your organization.&nbsp; <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, as we like to say around here\u2026<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<div class=\"wp-block-advanced-gutenberg-blocks-summary\"><p class=\"wp-block-advanced-gutenberg-blocks-summary__title\">What we&#8217;re hashing out&#8230;<\/p><div class=\"wp-block-advanced-gutenberg-blocks-summary__fold\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewbox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" class=\"feather feather-chevron-up\"><polyline points=\"18 15 12 9 6 15\"><\/polyline><\/svg><\/div><ol role=\"directory\" class=\"wp-block-advanced-gutenberg-blocks-summary__list\"><li><a href=\"#these-two-far-reaching-pieces-of-legislation-are-confusing-\u2014-we\u2019ll-provide-a-bit-of-clarity-about-how-they-affect-your-organization\">These two far-reaching pieces of legislation are confusing \u2014 we\u2019ll provide\na bit of clarity about how they affect your organization<\/a><ol><\/ol><\/li><li><a href=\"#the-battle-of-two-privacy-laws-ccpa-vs-gdpr\">The Battle of Two Privacy Laws: CCPA vs GDPR<\/a><ol><li><a href=\"#what-is-the-general-data-protection-regulation\">What is the General Data Protection Regulation?<\/a><ol><\/ol><\/li><li><a href=\"#what-is-the-california-consumer-privacy-act\">What is the California Consumer Privacy Act?<\/a><ol><\/ol><\/li><\/ol><\/li><li><a href=\"#6-major-similarities-between-the-ccpa-and-gdpr\">6 Major Similarities Between the CCPA and GDPR<\/a><ol><li><a 
href=\"#1-both-laws-give-individuals-the-right-to-view-and-access-the-data-companies-collect-on-them\">1. Both Laws Give Individuals the Right to View and Access the Data\nCompanies Collect on Them <\/a><ol><\/ol><\/li><li><a href=\"#2-businesses-are-required-to-delete-personal-data-upon-request-with-some-exceptions\">2. Businesses Are Required to Delete Personal Data Upon Request (With Some\nExceptions)<\/a><ol><\/ol><\/li><li><a href=\"#3-businesses-must-disclose-specific-details-on-how-they-handle-personal-data\">3. Businesses Must Disclose Specific Details on How They Handle Personal\nData <\/a><ol><\/ol><\/li><li><a href=\"#4-businesses-can-ignore-both-laws-but-only-for-specific-reasons-including-law-enforcement\">4. Businesses Can Ignore Both Laws (But Only for Specific Reasons,\nIncluding Law Enforcement)<\/a><ol><\/ol><\/li><li><a href=\"#5-ccpa-vs-gdpr-businesses-who-don\u2019t-comply-will-be-fined\">5. CCPA vs GDPR: Businesses Who Don\u2019t Comply Will Be Fined<\/a><ol><\/ol><\/li><li><a href=\"#6-both-laws-require-businesses-to-implement-cyber-security-measures\u2026-but-they\u2019re-not-very-specific\">6. Both Laws Require Businesses to Implement Cyber Security Measures\u2026 But\nThey\u2019re Not Very Specific<\/a><ol><\/ol><\/li><\/ol><\/li><li><a href=\"#ccpa-vs-gdpr-12-key-ways-that-the-two-regulations-differ\">CCPA vs GDPR: 12 Key Ways That the Two Regulations Differ<\/a><ol><li><a href=\"#1-ccpa-gives-individuals-the-right-to-stop-companies-from-selling-their-data\">1. CCPA Gives Individuals the Right to Stop Companies from Selling Their\nData <\/a><ol><\/ol><\/li><li><a href=\"#2-gdpr-requires-companies-to-have-1-of-6-legal-bases-before-processing-personal-data\">2. GDPR Requires Companies to Have 1 of 6 Legal Bases Before Processing\nPersonal Data<\/a><ol><\/ol><\/li><li><a href=\"#3-ccpa-vs-gdpr-gdpr-took-years-to-craft-\u2014-the-ccpa-was-passed-within-months\">3. 
CCPA vs GDPR: GDPR Took Years to Craft \u2014 The CCPA Was Passed Within Months <\/a><ol><\/ol><\/li><li><a href=\"#4-gdpr-protects-the-personal-data-of-anyone-in-the-eu-no-matter-where-your-company-is-located\">4. GDPR Protects the Personal Data of Anyone in the EU (No Matter Where\nYour Company is Located)<\/a><ol><li><a href=\"#what-counts-as-public-data\">What Counts as Personal Data?<\/a><ol><\/ol><\/li><li><a href=\"#who-or-what-is-a-data-subject\">Who or What Is a Data Subject?<\/a><ol><\/ol><\/li><\/ol><\/li><li><a href=\"#5-ccpa-protects-the-data-of-californians-no-matter-where-your-company-is-located\">5. CCPA Protects the Data of Californians (No Matter Where Your Company Is\nLocated)<\/a><ol><li><a href=\"#who\u2019s-considered-a-california-consumer\">Who\u2019s Considered a California Consumer?<\/a><ol><\/ol><\/li><li><a href=\"#what-counts-as-personal-information\">What Counts as Personal Information? <\/a><ol><\/ol><\/li><\/ol><\/li><li><a href=\"#6-gdpr-has-additional-requirements-for-companies-handling-health-related-data\">6. GDPR Has Additional Requirements for Companies Handling Health-Related\nData <\/a><ol><\/ol><\/li><li><a href=\"#7-if-you\u2019re-any-sort-of-business-institution-or-organization-that-handles-covered-data-gdpr-applies-to-you\">7. If You\u2019re Any Sort of Business, Institution, or Organization That\nHandles Covered Data, GDPR Applies to You<\/a><ol><\/ol><\/li><li><a href=\"#8-ccpa-only-applies-to-for-profit-business-and-most-small-businesses-are-exempt\">8. CCPA Only Applies to For-Profit Business (And Most Small Businesses Are\nExempt)<\/a><ol><\/ol><\/li><li><a href=\"#9-gdpr-requires-data-protection-officers-and-additional-processes-and-paperwork\">9. GDPR Requires Data Protection Officers and Additional Processes and Paperwork<\/a><ol><\/ol><\/li><li><a href=\"#10-the-ccpa-provides-greater-protection-from-discrimination-or-unequal-treatment-\u2014-sort-of\">10. 
The CCPA Provides Greater Protection from Discrimination or Unequal\nTreatment \u2014 Sort of<\/a><ol><\/ol><\/li><li><a href=\"#11-ccpa-vs-gdpr-violators-will-be-fined-under-both-laws-\u2014-but-gdpr-fines-are-much-higher\">11. CCPA vs GDPR: Violators Will be Fined Under Both Laws \u2014 But GDPR Fines\nAre Much Higher<\/a><ol><li><a href=\"#gdpr-civil-penalties\">GDPR Civil Penalties<\/a><ol><\/ol><\/li><li><a href=\"#ccpa-civil-penalties\">CCPA Civil Penalties<\/a><ol><\/ol><\/li><\/ol><\/li><li><a href=\"#12-ccpa-vs-gdpr-consumers-can-seek-much-higher-compensation-for-violations-under-gdpr\">12. CCPA vs GDPR: Consumers Can Seek Much Higher Compensation for Violations Under GDPR<\/a><ol><li><a href=\"#gdpr\">GDPR<\/a><ol><\/ol><\/li><li><a href=\"#ccpa\">CCPA<\/a><ol><\/ol><\/li><\/ol><\/li><\/ol><\/li><li><a href=\"#a-few-final-takeaways-from-our-look-at-the-ccpa-vs-gdpr\">A Few Final Takeaways from Our Look at the CCPA vs GDPR<\/a><ol><\/ol><\/li><\/ol><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-battle-of-two-privacy-laws-ccpa-vs-gdpr\">The Battle of Two Privacy Laws: CCPA vs GDPR<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When comparing the European Union\u2019s General Data Protection Regulation (GDPR) versus the California Consumer Privacy Act (CCPA), there are some blatantly obvious similarities and differences, as well as some more nuanced differences. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The first thing to note about these two regulations is that <strong>they affect two geographically different audiences<\/strong>: <\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>GDPR:<\/strong> It\u2019s all about protecting the private\ndata and personal information (PI) of \u201cnatural persons\u201d (individuals) who are in\nthe European Union from businesses, public bodies and institutions that are\nestablished inside and\/or outside of the union.<\/li><li><strong>CCPA:<\/strong> It aims to protect the private\ninformation of California consumers from for-profit businesses that meet\nspecific thresholds (more on that in a bit). &nbsp;<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Although they share some similar definitions, in many ways,\nthe CCPA and the GDPR are also different in their approaches. They have\ndifferent terminology concerning whose data is protected, what types or\ncategories of data are protected, and the types of organizations or businesses\nthat the laws apply to. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Comparing the CCPA vs GDPR is much like looking at apples and oranges. They have many similarities \u2014they\u2019re both roundish tree-grown fruits with stems and strong flavors (oh, and they both make juices that taste fabulous and are great additions to any sangria\u2026 but I digress.) 
\u2014 but when you get down to comparing the CCPA vs GDPR, there are many differences between the two.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"what-is-the-general-data-protection-regulation\">What is the General Data Protection Regulation?<\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/11\/bigstock-Image-Of-Padlock-In-The-Circle-237583738-1024x1024.jpg\" alt=\"Graphic: CCPA vs GDPR\" class=\"wp-image-8042\" width=\"192\" height=\"192\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/11\/bigstock-Image-Of-Padlock-In-The-Circle-237583738-1024x1024.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/11\/bigstock-Image-Of-Padlock-In-The-Circle-237583738-300x300.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/11\/bigstock-Image-Of-Padlock-In-The-Circle-237583738-768x768.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/11\/bigstock-Image-Of-Padlock-In-The-Circle-237583738.jpg 1600w\" sizes=\"auto, (max-width: 192px) 100vw, 192px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">The EU\u2019s <a href=\"https:\/\/gdpr-info.eu\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">General Data Protection Regulation<\/a> is a single, directly applicable EU regulation (Regulation (EU) 2016\/679) that has applied since May 25, 2018. The law aims to protect the fundamental rights and freedoms, particularly the right to protection of personal data, of \u201cnatural persons\u201d (which, according to the regulation, are known as \u201cdata subjects\u201d) in the European Union. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">How does it do this? 
By requiring data \u201ccontrollers\u201d (the organizations and businesses that decide why and how personal data of these data subjects is processed) and \u201cprocessors\u201d (those that process it on a controller\u2019s behalf) to disclose how the information they collect is processed and used. It also gives data subjects more control over how their data is collected and processed.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"GDPR explained: How the new data protection act could change your life\" width=\"960\" height=\"540\" src=\"https:\/\/www.youtube.com\/embed\/acijNEErf-c?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">So, basically, if you want to use people\u2019s personal data,\nyou need to explain why you\u2019re collecting it, how it\u2019ll be used, and what\nrights they have concerning access and consent.&nbsp;\n<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now, let\u2019s turn our attention to the west coast of the\nUnited States to briefly discuss the CCPA.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"what-is-the-california-consumer-privacy-act\">What is the California Consumer Privacy Act?<\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/01\/iStock-644679938-1024x672.jpg\" alt=\"Graphic: CCPA versus GDPR\" class=\"wp-image-5788\" width=\"291\" height=\"191\"\/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Sometimes called the U.S.\u2019s version of the GDPR, the <a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/billTextClient.xhtml?bill_id=201720180SB1121\" target=\"_blank\" rel=\"noreferrer noopener\" 
aria-label=\" (opens in a new tab)\">California Consumer Privacy Act<\/a> is, in some ways, the toned-down version of its European counterpart. It\u2019s the smaller, somewhat less imposing younger brother. However, it\u2019s still significant and is poised to have a global impact considering that: <\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The U.S. lacks a comprehensive <a href=\"https:\/\/www.thesslstore.com\/blog\/federal-data-privacy-policy\/\">federal data privacy<\/a> law;<\/li><li>California is the <a href=\"https:\/\/www.bloomberg.com\/opinion\/articles\/2019-04-24\/california-economy-soars-above-u-k-france-and-italy\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">fifth largest global economy<\/a> (ranking ahead of the U.K., France, and India); and <\/li><li>The regulation applies to businesses worldwide who meet certain criteria. <\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The CCPA applies to any organization, regardless of\nlocation, that deals with California consumers and\/or their private data.\nHowever, there are certain size requirements that the organizations must meet\nto be subject to the law (which we\u2019ll address later). The regulation officially\ngoes into effect Jan. 1, 2020, although it does have certain provisions that\nrequired organizations to provide certain information to consumers for the year\nleading up to it. It also has an amendment that will go into effect Jan. 1,\n2021. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, what else is there to know about the CCPA vs GDPR? A lot. We\u2019ve covered a brief overview of what these laws are. Let\u2019s see what similarities they share and how they differ. 
<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"6-major-similarities-between-the-ccpa-and-gdpr\">6 Major Similarities Between the CCPA and GDPR<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The California Consumer Privacy Act and the General Data Protection Regulation share several similar requirements and expectations. In this section, we\u2019ll break down some of the top things that these two pieces of legislation share.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"1-both-laws-give-individuals-the-right-to-view-and-access-the-data-companies-collect-on-them\">1. Both Laws Give Individuals the Right to View and Access the Data\nCompanies Collect on Them <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The California Consumer Privacy Act and the General Data\nProtection Regulation are similar in that both serve to ensure that covered\nindividuals can exercise their rights to access or limit the use of their\npersonal data. When comparing the CCPA vs GDPR, both of these data privacy laws\nestablish additional protection for children under the age of 16. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The GDPR gives individuals the right to access the personal data a\ncontroller holds about them (Article 15) and, under Article 20, the right to\nreceive that data in a structured, commonly used, machine-readable format and to\nhave it transmitted to another controller. The controller must respond without\nundue delay and in any event within one month (extendable by two further months\nwhere requests are complex or numerous). There is no fixed cap on how many\nrequests an individual can make, although a controller may charge a reasonable\nfee for, or refuse, requests that are manifestly unfounded or excessive.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The CCPA also requires that the information be delivered in a\nreadily useable, portable format, but there\u2019s no requirement to transmit it\ndirectly to another business. Unlike the GDPR, the CCPA\u2019s disclosure obligation\ncovers only the 12-month period preceding the request, and a business is only\nrequired to honor such a request up to two times in any 12-month period.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"2-businesses-are-required-to-delete-personal-data-upon-request-with-some-exceptions\">2. 
Businesses Are Required to Delete Personal Data Upon Request (With Some\nExceptions)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">When comparing the CCPA vs GDPR, both regulations also provide private individuals with a way to access and delete their personal information. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Under both the CCPA and GDPR, covered individuals have the right\nto request that a business or organization delete their personal information\n(under specific circumstances). Under the CCPA, that business must direct any\nservice providers who also have that information to delete those records as\nwell. However, a business doesn\u2019t have to comply with this request if the\nconsumer\u2019s personal information is necessary for one of the specific purposes\nlisted in 1798.105(d), such as completing the transaction the information was\ncollected for, detecting security incidents, or complying with a legal\nobligation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Under the GDPR, a covered individual\u2019s <a href=\"https:\/\/gdpr-info.eu\/art-17-gdpr\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">right to erasure<\/a> (as outlined in Article 17) is also known as \u201cthe right to be forgotten.\u201d Catchy, no? This article specifies several grounds upon which an individual can obtain, without undue delay, the erasure of their information, such as when the data is no longer necessary for the purpose it was collected for, when the individual withdraws the consent the processing relied on, or when the data was processed unlawfully. Article 17(3) then lists exceptions, including processing needed to comply with a legal obligation or to establish, exercise or defend legal claims.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"3-businesses-must-disclose-specific-details-on-how-they-handle-personal-data\">3. Businesses Must Disclose Specific Details on How They Handle Personal\nData <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Both the CCPA and GDPR go to great lengths to require\ntransparency about how individuals\u2019 information is collected, shared, and used. 
Under\nthe CCPA, for example, businesses must provide information as to:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>the categories of information they collect;<\/li><li>whether the information will be sold or shared\nwith third parties; and<\/li><li>what rights the individual has concerning data\nerasure.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Under the GDPR, the \u201cright to be informed\u201d applies to data subjects who are in the EU, regardless of citizenship (and even if they are there only temporarily). It does, however, stipulate a difference between data obtained directly from that individual (<a href=\"https:\/\/gdpr-info.eu\/art-13-gdpr\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Article 13<\/a>) versus data obtained from another source (<a href=\"https:\/\/gdpr-info.eu\/art-14-gdpr\/\">Article 14<\/a>). <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Both the CCPA and GDPR require detailed privacy notices from organizations and businesses that collect private and personal information. Under the GDPR, the law has different requirements for information that\u2019s obtained directly from the data subject versus information obtained from another source. If the former, the person must be informed at the time the data is collected; if the latter, they must be informed \u201cwithin a reasonable period after obtaining the personal data, but at the latest within one month.\u201d If the data will be used to communicate with them, they must be informed no later than the first communication, and if it will be disclosed to another recipient, no later than that first disclosure.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Under the CCPA, businesses that collect consumers\u2019 personal\ninformation must inform them at or before the point of collection about what\ncategories of information are being collected and how the info will be used. If\na consumer submits a verifiable consumer request for their information, that\ninfo must be disclosed and delivered to them without charge within 45 days of\ntheir request being received. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Although the way that each law requires businesses to handle the\ndata they collect or receive differs, the general takeaway is essentially the\nsame: As a general rule of thumb, if you\u2019re going to collect the private or\npersonal information from individuals who fall under these protections, you should\nstate up front what types of information you\u2019re going to collect, how the\ninformation will be used, and what their rights are to opt out of the\ncollection of that information. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"4-businesses-can-ignore-both-laws-but-only-for-specific-reasons-including-law-enforcement\">4. Businesses Can Ignore Both Laws (But Only for Specific Reasons,\nIncluding Law Enforcement)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Both the CCPA and GDPR have exceptions to individuals\u2019\nrights to data privacy. These exceptions often include matters concerning law\nenforcement-related investigations, judicial proceedings, or public safety\nconcerns. In Section 1798.145, the CCPA outlines that:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>\u201c(a) The obligations imposed on businesses by\nthis title shall not restrict a business\u2019s ability to:<\/em><em><\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>(1)&nbsp;Comply with federal, state, or local\nlaws.<\/em><em><\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>(2)&nbsp;Comply with a civil, criminal, or\nregulatory inquiry, investigation, subpoena, or summons by federal, state, or\nlocal authorities.<\/em><em><\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>(3)&nbsp;Cooperate with law enforcement\nagencies concerning conduct or activity that the business, service provider, or\nthird party reasonably and in good faith believes may violate federal, state,\nor local law.\u201d<\/em><em><\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The GDPR also makes similar exceptions \u2014 but on a much broader scale. 
<a href=\"https:\/\/gdpr-info.eu\/art-23-gdpr\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Article 23<\/a> outlines that its obligations may be restricted when it comes to national and public security, defense, criminal investigations and prosecutions, judicial independence and proceedings, as well as multiple other considerations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"5-ccpa-vs-gdpr-businesses-who-don\u2019t-comply-will-be-fined\">5. CCPA vs GDPR: Businesses Who Don\u2019t Comply Will Be Fined<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Both the CCPA and GDPR outline civil penalties that can be\nbrought against businesses or other organizations for violations or\ninfringements of the regulations. However, the civil penalties vary drastically\nbetween the two. We\u2019ll speak more to that in the next section. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"6-both-laws-require-businesses-to-implement-cyber-security-measures\u2026-but-they\u2019re-not-very-specific\">6. Both Laws Require Businesses to Implement Cyber Security Measures\u2026 But\nThey\u2019re Not Very Specific<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">When comparing the CCPA vs GDPR in terms of how well they provide strategies or guidance for mitigating risk, both regulations are lacking. In Article 32, it does mention the \u201cpseudonymisation and encryption of personal data\u201d but the law intentionally doesn\u2019t provide specific recommendations. The CCPA isn\u2019t much of a help in this area, either. It simply specifies that they must maintain \u201creasonable security procedures and practices\u201d but doesn\u2019t provide guidance as to how to accomplish this task. 
This is likely because lawmakers realize that technologies and processes change over time, so they thought it best to not list specific technologies or methodologies that will quickly become outdated or obsolete.<\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\" id=\"ccpa-vs-gdpr-12-key-ways-that-the-two-regulations-differ\">CCPA vs GDPR: 12 Key Ways That the Two Regulations Differ<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Now that we\u2019ve looked at the similarities, let\u2019s compare the\nCCPA vs GDPR to see what some of their most notable differences are. Some\nCCPA requirements overlap with existing GDPR requirements. However, some\nprocesses, systems, and policies will require updates or tweaking to match the\nspecific requirements of the new Golden State law.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"1-ccpa-gives-individuals-the-right-to-stop-companies-from-selling-their-data\">1. CCPA Gives Individuals the Right to Stop Companies from Selling Their\nData <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The CCPA and GDPR differ significantly in terms of their\ncore frameworks and their scope of personal information processing. For\nexample, the CCPA focuses primarily on transparency-related obligations and\nprovisions that inform consumers about your company\u2019s data sales practices and limit\nthe sale of personal information. Businesses must include a \u201cDo Not Sell My\nPersonal Information\u201d link on their website home pages to give consumers the\nright to opt out of allowing their information to be sold. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The GDPR, on the other hand, doesn\u2019t explicitly address the sale of information to third parties; a sale is simply one more form of processing (a disclosure to a recipient) that needs its own legal basis and must be described in the privacy notice. This is just one of multiple ways in which the CCPA vs GDPR differ. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"2-gdpr-requires-companies-to-have-1-of-6-legal-bases-before-processing-personal-data\">2. 
GDPR Requires Companies to Have 1 of 6 Legal Bases Before Processing\nPersonal Data<\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/01\/iStock-615076890-1024x657.jpg\" alt=\"CCPA vs GDPR: GDPR requires a legal basis for data processing.\" class=\"wp-image-5660\" width=\"290\" height=\"185\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/01\/iStock-615076890-1024x657.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/01\/iStock-615076890-300x192.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/01\/iStock-615076890-768x492.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/01\/iStock-615076890.jpg 1279w\" sizes=\"auto, (max-width: 290px) 100vw, 290px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">The GDPR, on the other hand, focuses significantly more on\naccountability-related obligations and requires a controller to have a \u201clegal\nbasis\u201d for every processing activity before that processing begins: processing\nis lawful only if at least one of six conditions applies. (The CCPA requires no such\nlegal basis as a justification for collecting and using personal info.) 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Under <a href=\"https:\/\/gdpr-info.eu\/art-6-gdpr\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Article 6<\/a>, these legal bases include the following:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li><em>\u201cthe data subject has given consent to the processing of his or her personal data for one or more specific purposes\u201d;<\/em><\/li><li><em>\u201cprocessing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract\u201d;<\/em><\/li><li><em>\u201cprocessing is necessary for compliance with a legal obligation to which the controller is subject\u201d;<\/em><\/li><li><em>\u201cprocessing is necessary in order to protect the vital interests of the data subject or of another natural person\u201d;<\/em><\/li><li><em>\u201cprocessing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller\u201d;<\/em><\/li><li><em>\u201cprocessing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.\u201d<\/em><\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"3-ccpa-vs-gdpr-gdpr-took-years-to-craft-\u2014-the-ccpa-was-passed-within-months\">3. CCPA vs GDPR: GDPR Took Years to Craft \u2014 The CCPA Was Passed Within Months <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The two laws took significantly different amounts of time to\nprepare and build. On one hand, the GDPR, the first of its kind, is a sweeping\npiece of legislation that took several years to create and debate before being\napproved and, eventually, put into effect. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The CCPA, in comparison, was a rush job that took only months from the time it was introduced to the time it was approved by the governor and chaptered by the Secretary of State. This is because <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.americanbar.org\/groups\/business_law\/publications\/committee_newsletters\/bcl\/2019\/201902\/fa_9\/\" target=\"_blank\">the law was passed quickly as part of a deal<\/a> to avoid a more restrictive measure, a proposed initiative (No. 17-0039) that was known as the <a href=\"https:\/\/oag.ca.gov\/system\/files\/initiatives\/pdfs\/17-0039%20%28Consumer%20Privacy%20V2%29.pdf\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Consumer Right to Privacy Act 2018<\/a>, from being placed on the ballot. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"4-gdpr-protects-the-personal-data-of-anyone-in-the-eu-no-matter-where-your-company-is-located\">4. GDPR Protects the Personal Data of Anyone in the EU (No Matter Where\nYour Company is Located)<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"what-counts-as-public-data\">What Counts as Public Data?<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">In a nutshell, the GDPR applies to the processing of personal data\nof \u201cdata subjects\u201d \u2014 more on what that means in just a moment. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, what is considered \u201cpersonal data?\u201d <a href=\"https:\/\/gdpr-info.eu\/art-4-gdpr\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Article 4<\/a> outlines that personal data includes a variety of direct and indirect identifying information such as: <\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>names, <\/li><li>location data, <\/li><li>online identifiers, <\/li><li>economic information,<\/li><li>physical, genetic, physiological or mental\nidentifiers, or<\/li><li>social or cultural identifiers.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The term \u201cprocessing\u201d refers to various types of operations,\nincluding the \u201ccollection, recording, organization, structuring, storage,\nadaption or alteration, retrieval, consultation, use, disclosure by\ntransmission, dissemination or otherwise making available, alignment or\ncombination, restriction, erasure or destruction\u201d of personal data. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To put it another way, the law applies to any organization that\naccesses, collects, uses, alters, stores, or otherwise operates on covered\nindividuals\u2019 personal data in virtually any way. It\u2019s important to note that <strong>the\nGDPR applies to publicly available data, whereas the CCPA does not<\/strong>. <\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"who-or-what-is-a-data-subject\">Who or What Is a Data Subject?<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">But who or what is considered a \u201cdata subject\u201d under the\nlaw? 
This term refers to someone: <\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><em>[\u2026] who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, genetic, mental, economic, cultural or social identity of that natural person.\u201d<\/em><\/p><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Essentially, <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/gdpr-info.eu\/recitals\/no-14\/\" target=\"_blank\">Recital 14<\/a> states that it protects \u201cnatural persons\u201d (individuals) rather than \u201clegal persons,\u201d or legal entities \u2014 so, private individuals rather than companies. <a href=\"https:\/\/gdpr-info.eu\/art-3-gdpr\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Article 3<\/a> specifies that these data subjects are those who are in the EU. It doesn\u2019t specify that they have to be EU residents or citizens, however. This means that the PI of someone visiting from another country \u2014 say, an American visiting an EU member state \u2014 would be protected so long as they\u2019re located in the European Union. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"5-ccpa-protects-the-data-of-californians-no-matter-where-your-company-is-located\">5. 
CCPA Protects the Data of Californians (No Matter Where Your Company Is\nLocated)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The CCPA, on the other hand, takes a different approach and\nprotects the rights and \u201cpersonal information\u201d of California \u201cconsumers.\u201d <\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"who\u2019s-considered-a-california-consumer\">Who\u2019s Considered a California Consumer?<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">A consumer is defined as \u201ca natural person who is a California\nresident, as defined in Section 17014 of Title 18 of the California Code of\nRegulations\u2026 however identified, including by any unique identifier.\u201d More on\nthe definition of \u201cpersonal information\u201d momentarily.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"what-counts-as-personal-information\">What Counts as Personal Information? <\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">The CCPA protects \u201cpersonal information\u201d of California consumers,\nmeaning \u201cinformation that identifies, relates to, describes, is capable of\nbeing associated with, or could reasonably be linked, directly or indirectly,\nwith a particular consumer or household.\u201d In section 1798.140, it does,\nhowever, include a variety of specific personal identifiers and data such as: <\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>names and aliases,<\/li><li>postal addresses, <\/li><li>unique personal identifiers<\/li><li>online identifiers<\/li><li>IP addresses, email addresses, and account\nnames,<\/li><li>social security numbers, driver\u2019s licenses,\nand passport information (or other similar identifiers),<\/li><li>demographic information,<\/li><li>geolocation data,<\/li><li>commercial information,<\/li><li>internet and electronic network activity info,<\/li><li>audio\/electronic, visual, thermal, olfactory,\nor similar information,<\/li><li>professional and employment-related\ninformation<\/li><li>education 
information<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">However, a recent amendment (AB-25) to the law has made it so\nthat PI collected \u201cin the course of the natural person acting as a job applicant\nto, an employee of, owner of, director of, officer of, medical staff member of,\nor contractor of that business\u201d would be exempt for one year until the\namendment sunsets on Jan. 1, 2021. The exceptions to this change would be the\ncivil action provision (which we\u2019ll discuss more later) and the business\u2019s\nobligation to inform consumers about the types of personal info that the\nbusiness will collect. &nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"6-gdpr-has-additional-requirements-for-companies-handling-health-related-data\">6. GDPR Has Additional Requirements for Companies Handling Health-Related\nData <\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/05\/Healthy-Business.png\" alt=\"Steps you can take to help prevent cyber attacks at your company\" class=\"wp-image-10692\" width=\"217\" height=\"217\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/05\/Healthy-Business.png 406w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/05\/Healthy-Business-300x300.png 300w\" sizes=\"auto, (max-width: 217px) 100vw, 217px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Any article talking about the differences between the CCPA vs GDPR would be remiss to not at least mention healthcare or medical-related information and data. GDPR places greater protection on personal data relating to health than its California counterpart. 
It separately defines \u201cbiometric data\u201d and \u201cgenetic data\u201d as two separate types of personal data, whereas under CCPA, such information is encompassed under the single category of \u201cpersonal information.\u201d&nbsp; <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">CCPA, on the other hand, is less specific than the GDPR in\naddressing health, biometric, and medical-related information. It tends to\ndefer to other U.S. legal frameworks concerning the processing of certain\ncategories of personal information such as health or medical-related\ninformation that would be addressed by the Health Insurance Portability and\nAccountability Act or the Confidentiality of Medical Information Act. &nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"7-if-you\u2019re-any-sort-of-business-institution-or-organization-that-handles-covered-data-gdpr-applies-to-you\">7. If You\u2019re Any Sort of Business, Institution, or Organization That\nHandles Covered Data, GDPR Applies to You<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Under the GDPR, the law is pretty generic in that it <strong>applies to\nvirtually any business, organization, or institution that collects, processes, or\noperates on the data of people located in the European Union.<\/strong> It also\napplies to businesses or organizations that monitor the behaviors of\nindividuals in the EU.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As we mentioned earlier, however, the exception to this rule is that\nthe regulation doesn\u2019t apply to law enforcement or data relating to\nnational security areas. (Although the laws may still apply to any businesses\nthat provide services to such organizations or government entities.)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"8-ccpa-only-applies-to-for-profit-business-and-most-small-businesses-are-exempt\">8. 
CCPA Only Applies to For-Profit Business (And Most Small Businesses Are\nExempt)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Under the CCPA, on the other hand, a \u201cbusiness\u201d is considered a\nfor-profit legal entity that deals with California customers and\/or their\npersonal data. Although the company isn\u2019t required to have a physical presence\nin the state, it does need to be conducting business in it. This includes\ncompanies that:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>share the personal information of at least\n50,000 consumers;<\/li><li>have $25+ million in gross revenue; or<\/li><li>get at least half of their annual revenue from\nthe sale of consumers\u2019 personal info.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"9-gdpr-requires-data-protection-officers-and-additional-processes-and-paperwork\">9. GDPR Requires Data Protection Officers and Additional Processes and Paperwork<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">GDPR is more stringent in that it requires the appointment\nof data protection officers, maintaining a record of processing activities, and\nsometimes requires the use of data protection impact assessments in specific\ninstances. The CCPA doesn\u2019t require any such appointments or processes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"10-the-ccpa-provides-greater-protection-from-discrimination-or-unequal-treatment-\u2014-sort-of\">10. The CCPA Provides Greater Protection from Discrimination or Unequal\nTreatment \u2014 Sort of<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The CCPA explicitly states in 1798.125(a)(1) that individuals who\nexercise the new rights afforded by the regulation are not to be discriminated\nagainst by businesses. Nothing so explicit is addressed by the GDPR. Essentially,\nthe idea here is that no business can deny California consumers service, charge\nthem different prices, or offer different levels of service based on whether\nthey choose to exercise their right to data privacy. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is all fine and good conceptually, but this is where it also\ngets a bit confusing and, frankly, contradictory. 1798.125(a)(2) says: <\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><em>Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer\u2019s data.\u201d<\/em><\/p><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Furthermore, 1798.125(b)(1)&nbsp;states: <\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><em>A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer\u2019s data.\u201d<\/em><\/p><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">So, does this mean that you as a business can or can\u2019t\ndiscriminate or provide any form of \u201cfinancial incentives\u201d to consumers? It\u2019s\nsix of one, half a dozen of the other. I guess this is why lawyers and judges\nget paid the big bucks to argue and interpret these types of nebulous \u2014 or, at\ntimes, downright contradictory \u2014 laws. I\u2019ll leave that to the experts. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"11-ccpa-vs-gdpr-violators-will-be-fined-under-both-laws-\u2014-but-gdpr-fines-are-much-higher\">11. 
CCPA vs GDPR: Violators Will be Fined Under Both Laws \u2014 But GDPR Fines\nAre Much Higher<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">As we mentioned earlier, the CCPA and GDPR take different approaches when it comes to administering penalties and fines for noncompliance.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"gdpr-civil-penalties\">GDPR Civil Penalties<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Unlike some other data protection laws and regulations, the GDPR has teeth when it comes to punishing violations. The penalties are among the largest the world has seen for data privacy violations. For example, <a href=\"https:\/\/gdpr-info.eu\/art-83-gdpr\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Article 83<\/a> states that organizations that infringe the rights may \u201cbe subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This means that organizations that fail to comply with this data privacy law and regulation could face \u20ac20 million in noncompliance penalties. Google was one of the first to experience the woes of noncompliance with a <a href=\"https:\/\/fortune.com\/2019\/01\/21\/france-fines-google-57-million-for-gdpr-violations\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">\u20ac50 million penalty<\/a> (approximately $57 million) for data privacy violations concerning France\u2019s citizens. 
This marked the first reported occasion of a major tech company being penalized by the privacy law.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Although, realistically, this amount is just a <a href=\"https:\/\/www.thesslstore.com\/blog\/google-and-facebook-manipulate-users-to-circumvent-gdpr\/\">drop in the bucket for a company as big as Google<\/a>, it is a showstopper for organizations that are smaller in size. It would definitely close the doors of small to mid-size businesses and would put a significant dent in the coffers of some large businesses.&nbsp;&nbsp; <\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"ccpa-civil-penalties\">CCPA Civil Penalties<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Under the CCPA, businesses that fail to \u201ccure\u201d any alleged\nviolation within 30 days of receiving a noncompliance notice are subject to a\ncivil penalty of no more than $2,500 for each violation, or $7,500 for each\nintentional violation. Penalties recovered would be deposited into the Consumer\nPrivacy Fund to cover costs incurred by the state courts and attorney general. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To me, it seems like nothing more than a small slap on the\nwrist \u2014 and, frankly, a slap to the faces of consumers whose rights to data privacy\nare violated. Thankfully, there\u2019s something they can do to get some\ncompensation for these violations under the CCPA\u2026 although, frankly, they\u2019ll\nlikely be disappointed with that, too. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"12-ccpa-vs-gdpr-consumers-can-seek-much-higher-compensation-for-violations-under-gdpr\">12. CCPA vs GDPR: Consumers Can Seek Much Higher Compensation for Violations Under GDPR<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The actions that individuals can take under the CCPA vs\nGDPR, when their rights as outlined under the regulations have been violated,\nare very different. 
And the level of compensation they may receive also varies,\nwith GDPR holding the promise of higher payback for privacy violations.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"gdpr\">GDPR<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Under the GDPR, a data subject has the right to lodge a\ncomplaint with a supervisory authority for any perceived infractions concerning\nthe processing of their personal data. If they disagree with the decision of\nthat authority, or if that authority does not handle the complaint or provide\nthem with an update on the progress or outcome of their complaint, they have a\nright to an \u201ceffective judicial remedy\u201d against them. The data subject can also\ntake the same legal approach against a controller or processor for any\nperceived noncompliance.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The data subject has the right to receive compensation from\na controller or processor for damages that result from GDPR violations (unless\nthe accused can prove that it wasn\u2019t responsible for causing the damage). The\nbad news? This means that if your business (let\u2019s say you\u2019re a controller)\ngives customer information to a third-party service provider (processor) who\nuses it unlawfully or against your instructions, your business \u2014 and\/or the\nprocessor \u2014 can be held liable.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Each party \u2014 the controller, processor, or both \u2014 will be\nheld liable for the entire damage to ensure effective compensation. The good\nnews? If you\u2019re a controller or processor who pays full damages to the data subject,\nyou can then recover the part of the compensation that corresponds to the other\nparty\u2019s share of the responsibility if that other party acted outside or contrary\nto your instructions. This means that if the PI you provide to a third-party\nservice provider is used in any way other than instructed, you have a right to\npursue compensation from them. 
<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"ccpa\">CCPA<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Under the CCPA, a consumer can bring a private civil action\n\u2014 the civil action provision we mentioned earlier \u2014 against a business that\nfails in its duty to protect their \u201cnonencrypted or nonredacted personal\ninformation\u201d if that failure results in \u201cunauthorized access and exfiltration,\ntheft, or disclosure.\u201d However, the burden falls on the consumer, who must\nprovide the business with 30 days\u2019 written notice identifying the specific\nviolations of the regulation. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, if the business fixes the violation and assures the\nconsumer (in writing) that no further violations will occur, \u201cno action for\nindividual statutory damages or class-wide statutory damages may be initiated\nagainst the business.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Otherwise, the consumer may be eligible to pursue civil\naction to:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>recover damages of $100-750 per consumer per\nincident or actual damages, whichever is greater. <\/li><li>receive injunctive or declaratory relief.<\/li><li>any other relief the court deems appropriate. <\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"a-few-final-takeaways-from-our-look-at-the-ccpa-vs-gdpr\">A Few Final Takeaways from Our Look at the CCPA vs GDPR<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">All that we\u2019ve discussed about the CCPA and GDPR demonstrates\nwhy it\u2019s so important for every business, regardless of size, to take a hard\nlook at their existing policies, processes and procedures. In this digital era,\nit\u2019s imperative that businesses take the proper steps to ensure data security \u2014\nboth to protect the rights and security of individuals but to protect\nthemselves. 
These steps include evaluating: <\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>how information is collected, stored, and used\nby your own organization, as well as <\/li><li>how it\u2019s transmitted to or otherwise provided to\nand used by authorized third-party service providers. <\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Unfortunately, the GDPR doesn\u2019t provide much in terms of how\nto approach risk mitigation in data processing aside from requiring\norganizations to conduct risk assessments and adopt necessary security\nmeasures. That\u2019s why we\u2019ve come up with a list of our own recommendations:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Keep all private and personal information encrypted.<\/strong> To avoid issues concerning the exposure of nonredacted or unencrypted information, ensure that all info is transmitted using the secure, encrypted HTTPS protocol for both your website and email servers. Encrypt data at rest by using encryption solutions offered by your database vendor. Furthermore, <a href=\"https:\/\/www.thesslstore.com\/blog\/what-you-need-to-know-about-s-mime\/\">secure your emails<\/a> themselves with email encryption solutions such as <a href=\"https:\/\/www.thesslstore.com\/comodo\/personal-authentication-certificate.aspx\">S\/MIME certificates<\/a>. &nbsp;<\/li><li><strong>Implement strong access control mechanisms, policies, and procedures.<\/strong> The goal here is to mitigate unauthorized access. Taking this step ensures that access to sensitive personal information is limited to only those who need it to perform their jobs. Put procedures in place that ensure access is removed once it\u2019s no longer required for an employee to perform their job or if the employee no longer works there. 
<\/li><li><strong>Teach employees cyber security best practices and provide cyber awareness training.<\/strong> The goal here is to help your employees \u2014 everyone from the CEO and board members down to the janitorial staff \u2014 recognize potential threats such as phishing emails or malicious links. Provide them with real-world examples and run phishing simulation training as well to help them recognize threats in the wild. &nbsp;<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">We hope this article provides clarity about the similarities and differences between the CCPA and GDPR. Although the CCPA affords greater rights to a smaller group of individuals and affects fewer businesses than the GDPR, it\u2019s still a powerful piece of legislation that is poised to have a major impact on businesses worldwide. And while the preparations your business may have implemented to prepare for GDPR are helpful, they won\u2019t encompass all of the necessary updates or changes you\u2019ll need to take care of before Jan. 1, 2020. 
<\/p>\n","protected":false},"excerpt":{"rendered":"<p>These two far-reaching pieces of legislation are confusing \u2014 we\u2019ll provide a bit of clarity about how they affect your organization Looking at the information security and data privacy industries&#8230;<\/p>\n","protected":false},"author":17,"featured_media":11742,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[8030,11309],"class_list":["post-11739","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-data-privacy","tag-laws","post-with-tags"],"views":19751,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/11\/ccpa-vs-gdpr-lr.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/11739","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=11739"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/11739\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/11742"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=11739"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/cate
gories?post=11739"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=11739"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}