Today it's not uncommon for a company to rely on personal data to create better user experiences and to improve online marketing efforts. Even smaller businesses analyze and leverage the customer data that they have access to. This data can come in the form of information provided via prospect forms or through the mining of data on one's website. Either way, such data can be incredibly useful in helping to drive your decision making in all facets of your business.
However, the use of personal data has resulted in a significant amount of controversy. For a long time, users had no control over who was collecting and using their personal information. For example, it was common practice for websites to mine personal data and sell it to third parties, which many argued was a violation of privacy. This growing issue eventually led to the passing of the GDPR (General Data Protection Regulation) in Europe. Not long after the GDPR passed, the CCPA (California Consumer Privacy Act) passed in the state of California.
Although both laws address user data rights, there are some major differences between the two. Understanding what both laws cover and whether their guidelines apply to you is essential to remain compliant and avoid potentially stiff financial penalties.
Law And Regulations Overview
Both the GDPR and the CCPA passed due to overwhelming concern about the control and use of personal data online. If your business falls under the scope of the GDPR or the CCPA, you will need to learn how to comply by gaining a better understanding of both laws' regulations. Here is a brief overview of both laws.
The European Union has a history of passing regulations enforcing the right to personal privacy. It passed the Data Protection Directive (95/46/EC) in 1995, which established minimum data privacy and security standards across member states. As online data collection outgrew that directive, the European Commission proposed in 2012 that it be replaced with a single regulation applying directly in every member state. The GDPR was adopted by the European Parliament in April 2016 and went into effect on May 25, 2018.
Although passed by California specifically to provide California residents with data privacy rights, many consider the CCPA the U.S. version of the GDPR. Any business that does business in California and collects personal information from California consumers must comply with the CCPA if it meets the law's thresholds, so many U.S. businesses end up having to comply even if they are not California-based. The CCPA is arguably the most comprehensive data privacy act in the country, especially since there is no federal law regulating personal data collection and use. Officially called AB-375, the CCPA was signed into law on June 28, 2018, and went into effect on January 1, 2020.
CCPA Versus GDPR
When taking steps to ensure that your website abides by data privacy and ownership laws, make sure that you understand that the CCPA and GDPR are different. Do not assume that if you're CCPA compliant, then you're GDPR compliant as well -- or vice versa. The following are the similarities and differences between the GDPR and the CCPA.
1. Scope
The CCPA was specifically passed to protect California residents. It applies to for-profit businesses that do business in California and collect personal information from California consumers, regardless of where the business is located. For example, a business in New York that collects data from consumers in California is within the CCPA's reach. However, not every such business is required to comply: the CCPA only applies to a business that collects data from California consumers and meets at least one of the following criteria:
- The business has annual gross revenue of over $25 million
- The business buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices per year
- The business derives 50 percent or more of its annual revenue from selling consumers' personal information
Note that these are the thresholds in the CCPA as originally enacted. The CPRA amendments, in effect since January 1, 2023, raised the second threshold to 100,000 consumers or households and extended the third to revenue from selling or sharing personal information, so check the current text before deciding that you fall outside the law.
The GDPR's scope is broader. Its purpose is to protect natural persons in the EU (and, through the EEA agreement, in Iceland, Liechtenstein, and Norway); it protects individuals who are in the EU, not only EU citizens. Any data controller processing the personal data of individuals in the EU must comply. Unlike the CCPA, which applies only to for-profit businesses above certain thresholds, the GDPR applies to all data controllers and data processors. Data controllers include anyone who decides why and how personal data is processed, such as businesses, government entities, charities, website admins, and even individuals.
All EU-based data controllers are required to comply with the GDPR, and any data controller outside the EU that processes the personal data of individuals in the EU must comply as well. Essentially, any data controller in the world that offers goods or services to individuals in the EU, or that monitors the behavior of individuals in the EU, falls under the scope of the GDPR (Article 3). However, there are a few exceptions, which include the following:
- If someone is collecting data for purely personal or household activities, GDPR compliance is not required. For example, if you're collecting email addresses from co-workers to organize a picnic. In such a case, you will not need to comply with all of the GDPR's regulations.
- If you're a small or medium-sized organization with fewer than 250 employees, you are exempt from the obligation to keep records of processing activities (Article 30), but only if your processing is occasional, is unlikely to result in a risk to individuals' rights, and does not involve special categories of data or criminal conviction data. This is a narrow exemption from one record-keeping duty; it does not exempt you from the rest of the GDPR.
2. Privacy Rights
Both the GDPR and the CCPA provide the users that fall under their scope with several personal data privacy rights. The primary purpose of both the GDPR and the CCPA is to give people more control over their personal information and how it's used. Both laws have forced companies to become more transparent about their data collection activities as well. The GDPR and CCPA give those under their scope these primary data privacy rights:
- The right to access personal data - Both the CCPA and the GDPR give users the right to request access to their personal data. If you collect data on a user in California or the EU, you must provide that user with a response detailing what data you have collected about them and how you are using it; the GDPR also requires you to disclose the purposes of processing, the recipients, and the retention period.
- The right to delete personal data - Both the CCPA and the GDPR give the users under their scope the right to request that businesses or data collectors erase their data. The two laws frame the right differently: under the GDPR (Article 17), the request must fit one of six grounds for erasure, while under the CCPA a business must honor the request unless one of a specific list of statutory exemptions applies (for example, the data is needed to complete a transaction the consumer requested or to comply with a legal obligation).
- The right to opt-out of the sale of personal data - Many companies that collect user data share that data or sell it to third parties. The CCPA requires organizations that fall within their criteria to allow users to opt-out of having their data shared or sold. The GDPR doesn't provide this exact right, but it does allow users to opt-out of processing data for marketing purposes or withdraw their consent for data collection.
- The right to personal data portability - Companies that have been collecting personal data on an individual for years have a significant advantage over their competition, making it difficult for those individuals to switch to another company and still receive the same personalized services. The right to data portability allows users to take personal data collected by one company and move it to another service, which makes switching practical. Both the CCPA and the GDPR grant this right: the CCPA requires access responses to be delivered in a portable and, where technically feasible, readily usable format, and the GDPR (Article 20) grants it for data the user provided where processing is based on consent or a contract and is carried out by automated means.
- The right to data processing restriction - The GDPR gives users the right to restrict the processing of their personal data in certain situations. This right gives users the ability to limit how a data controller uses their data. The CCPA does not explicitly provide such a right.
3. Specific Regulations
In addition to data privacy rights, both the CCPA and the GDPR outline regulations that businesses or data controllers must abide by. For example, there are specific regulations regarding disclosure requirements in both laws. The CCPA requires the following:
- Businesses must disclose what personal information categories they are collecting.
- Businesses must disclose what they are intending to do with the information they are collecting.
- Businesses must give notice before collecting additional categories of personal information or using collected information for purposes that were not disclosed at the time of collection.
The GDPR's requirements are similar in that data controllers must disclose their personal data collection and processing activities, with separate notice rules depending on whether the data is collected directly from the individual (Article 13) or obtained from a third party (Article 14). One notable difference is that a CCPA access request only covers the personal information collected in the 12 months preceding the request.
The CCPA also lists several requirements for businesses for complying with data privacy rights including:
- At least two designated methods for submitting requests to access or delete personal data, which at minimum must include a toll-free telephone number (online-only businesses with a direct relationship to the consumer may substitute an email address) and, if the business has a website, a web form or web address
- A way to verify consumer requests
- A clear, easy-to-use, opt-out option for selling or sharing personal data
- If a business collects data from four million or more consumers, households, or devices, they must monitor specific metrics and make those metrics public
- Opt-in consent before selling the personal information of consumers under 16: the consumer's own consent if they are between 13 and 16, and a parent's or guardian's consent if the consumer is under 13
- The use of data maps to ensure that businesses can access all of the data that they've collected from a user to fulfill their request.
- Staff must have the training to fulfill data privacy requests on a timely basis
Although the data privacy rights of the GDPR are very similar, data controllers have some different requirements that they must meet to maintain compliance. These requirements include:
- It must be easy for individuals to make data privacy requests, whether it's to access data, change data, transfer data, delete data, or to withdraw consent
- It must be easy for data controllers to fulfill user requests
- A Data Protection Officer must be appointed where the GDPR requires one (Article 37): public authorities, and controllers or processors whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. Other organizations may appoint one voluntarily.
- Data controllers must have a lawful basis for each processing activity (Article 6). Consent is one of six lawful bases, alongside contract, legal obligation, vital interests, public task, and legitimate interests; where consent is the basis, it must be freely given, specific, informed, and as easy to withdraw as it was to give. For online services offered directly to a child on the basis of consent, a parent or guardian must consent if the child is under 16 (member states may lower this age to 13).
- Data controllers must document every personal data breach (Article 33(5)) and notify the supervisory authority within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, the controller must also notify the affected data subjects without undue delay (Article 34).
- Transfer of personal data must be protected, such as through the use of encryption
- If a data controller is no longer using the personal data they collected, they must delete it
4. Fines and Consequences
The CCPA's private right of action is limited to data breaches: a consumer can sue if their non-encrypted and non-redacted personal information is exposed because the business failed to implement reasonable security procedures. Before suing for statutory damages, the consumer must give the business 30 days' written notice identifying the violation; if the business cures the violation within that period and provides the consumer with a written statement that it has done so and that no further violations will occur, the statutory-damages claim cannot proceed. Otherwise, consumers can seek statutory damages of between $100 and $750 per consumer per incident, or actual damages if greater, and can also seek injunctive or declaratory relief.
The Attorney General may also take civil action for any violation of the CCPA. This civil action can include an injunction as well as a civil penalty of up to $2,500 for each violation, or up to $7,500 for each intentional violation. Penalties are assessed per violation, so they scale with the number of consumers affected: if you intentionally violated the CCPA rights of 100 consumers, you could face a civil penalty of up to $750,000.
Although CCPA fines may seem minor, they can add up depending on the number of violations a business is facing. However, the GDPR has arguably much harsher consequences. Non-compliance can result in two tiers of administrative fines (Article 83). The lower tier, for breaches such as failing to keep records or to notify breaches, carries fines of up to 10 million euros or two percent of the company's annual global turnover, whichever is higher. The higher tier, for breaches of the core principles, lawful bases, data subject rights, or international transfer rules, carries fines of up to 20 million euros or four percent of annual global turnover, whichever is higher.
Does Compliance To GDPR Also Mean Compliance To CCPA?
When it comes to personal data rights, the GDPR and CCPA are similar in a lot of ways. Generally speaking, if you achieve GDPR compliance, odds are you'll be compliant with most of the CCPA's regulations as well. However, you must address both individually. Just because you achieve GDPR compliance does not mean that you will be completely CCPA compliant, and vice versa.
Even though you fall under the scope of the GDPR, you may not necessarily fall under the scope of the CCPA. On the other hand, if your company is exempt from the CCPA because it is below its thresholds, don't assume that you're exempt from the GDPR as well. Remember, the CCPA only applies to businesses that exceed its revenue or data-volume thresholds. The GDPR has no such thresholds: if you process the personal data of individuals in the EU, you fall under its scope no matter how small you are. The major differences between the CCPA and the GDPR that you will need to keep in mind to achieve compliance follow:
- The CCPA's definitions and thresholds are framed around consumers, households, and devices, so information tied to a household or an IoT device counts even when it is not linked to a named individual. The GDPR is framed around identifiable natural persons, though device identifiers such as IP addresses and cookie IDs are still personal data when they can be linked to a person (Recital 30).
- The GDPR imposes direct statutory obligations on service providers (referred to as data processors in Europe), including mandatory contract terms, security duties, and breach notification to the controller (Article 28). The CCPA defines "service providers" too, but regulates them mainly through the contract the business must have with them.
- The GDPR requires a lawful basis for collecting and using personal data, of which consent is only one; where consent is the basis, it must be explicit and withdrawable. The CCPA does not require consent to collect data at all. It only requires opt-in consent for the sale of personal information of consumers under 16; for everyone else, a business must disclose at or before the point of collection what it collects and why, and must honor opt-out requests for sales or sharing.
- The GDPR requires both data controllers and data processors to ensure a level of security that's deemed appropriate to the risk of data collection. The CCPA does not contain such regulations, although it does establish the right of action for data breaches that occur from violations resulting from a lack of reasonable data security.
Inspect Your Data Handling Practices
Both the GDPR and the CCPA provide online users with extensive rights regarding their personal data. If you fall under the scope of the GDPR or CCPA, then you will need to take steps to comply. These steps may include implementing features and adopting processes that will enable users to submit data privacy requests, and that will make it easier for you to fulfill those requests.