With the goal of better protecting customer information, California enacted the California Consumer Privacy Act (CCPA). CCPA puts guidelines in place that govern how businesses handle customer data. Many people view CCPA as the US version of GDPR. The European Union General Data Protection Regulation (GDPR) is also aimed at protecting consumer data, but it does have important differences for businesses.
Understanding the similarities and differences between these two regulations will give you valuable insights into how businesses will be required to handle customer data moving forward.
Which companies does each law regulate?
Perhaps the biggest difference between GDPR and CCPA is in the companies that are regulated by each law. GDPR is a broader regulation that covers all entities dealing with EU citizen personal data. In fact, your business doesn’t have to be located within the EU to comply with GDPR. If you have contact with the personal data of EU citizens, you will have to comply with GDPR regulations.
GDPR covers all data controllers and processors who handle EU citizen data on a regular basis. The law covers privacy steps aimed at protecting such personal data from misuse or cybersecurity threats.
On the other hand, CCPA is more focused in its approach. The law covers for-profit companies that operate in California and fall under any of the following criteria:
- Gross annual revenue of over $25 million
- Companies that annually buy, sell, or receive the personal information of more than 50,000 consumers, devices, or households for commercial purposes
- Companies that earn 50% or more of their annual revenue from the sale of personal information
CCPA also applies to any entities that are controlled or use the same branding as other companies falling under the above requirements.
As you can see, GDPR and CCPA vary in terms of reach. While GDPR focuses on any entity that encounters the personal data of EU citizens, CCPA is focused on California-based companies that handle personal information on a regular basis.
Understanding the protected persons
GDPR and CCPA also differ in terms of the people they cover. GDPR covers all persons to whom personally identifiable information can be linked. This means that any piece of data that can be used to identify a specific individual in the EU falls under GDPR.
On the other hand, CCPA takes a more focused approach. CCPA covers both temporary and permanent residents who reside in California.
The extent of data that is protected
Both laws are designed to cover personal information. However, CCPA takes a more specific approach because it covers personally identifiable information, households, and devices. While GDPR covers the personal data that can be tied to a specific data subject within the EU, CCPA goes a step further. CCPA defines consumer data as follows:
CCPA covers any personal information that can identify, associate with, relate to, or describe a specific person, device, or household. By adding households and devices, CCPA protects personal data in a more specific way. Indeed, companies can use both device and household data for many different purposes. And without proper protection of such data, specific individuals who use a particular device, or live in a particular household, stand to be affected.
GDPR spells out guidelines that limit the processing and use of information falling within its defined categories. CCPA does the same, adding the element of households and devices that include any linked apps.
Opt-in or out? A key difference between CCPA and GDPR
Opting in versus opting out has long been a subject of debate with regards to personal data. Businesses have come under fire for only having an opt-out option, rather than putting in place an opt-in option at first. This means that customers have to take additional steps to opt out of having their personal information used in data sales.
In GDPR, there is no specific framework that customers can use to opt out of having their personal data sold. However, you can opt out of having your data used for marketing purposes and various processing activities. In general, GDPR doesn’t operate on a framework of “opt-out” as the mechanism for ensuring data privacy.
CCPA contains an entire section dedicated to opting out. More specifically, businesses are required to display a notification that allows customers to withdraw consent for having their personal data sold. And after consent is withdrawn, no additional requests can be made for the 12-month period following consent withdrawal. In other words, CCPA requires businesses to make opting out much easier for customers.
Some may argue that CCPA still falls short because it doesn’t stipulate an opt-in feature. However, it is a significant step in the right direction when compared to current personal information guidelines.
Data portability in relation to CCPA and GDPR
One area where these two regulations have common ground is data portability. Under GDPR, customers can receive copies of their collected personal data in a structured, easy-to-read format.
The same applies to CCPA, with the only difference being that businesses have 45 days to provide the collected personal information in an easy-to-read format. The purpose is for all protected persons to be able to access this data and share it easily.
How these laws impact data security
While both CCPA and GDPR are not exactly data security laws, they did arise from concern regarding data security. As such, these laws were designed to cover data privacy while still ensuring that the personal information of customers is protected. For example, GDPR puts in place measures that cover organizational and technical risk mitigation processes. And if a data breach results in compromised customer data, the customer can sue for any associated damages.
On the other hand, CCPA doesn’t have any specific provisions with regards to data security. But if a customer’s personal data is compromised, they can sue under the California Civil Code.
There are additional differences between CCPA and GDPR. For example, CCPA only requires parental consent for children when their personal data is being sold. GDPR, however, requires consent for all data processing activities.
GDPR also has the following requirements in place that CCPA doesn’t:
- The right to object
- The right to restrict processing of data
- The right to refuse automatic decision making
- The right to rectification
Protecting Data Moving Forward
As data security becomes a focus of governing bodies, we expect to see more legislation passed to help protect it and to give the public greater control over their information. By following best practices set by cybersecurity frameworks like NIST and implementing company policies aimed at protecting company data, we can create an atmosphere that keeps sensitive information out of the hands of those with malicious intent.
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.