Both the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) aim to protect consumers’ privacy rights. Because both laws attempt to fundamentally change business practice to establish and protect new data privacy rights for individuals, any business – regardless of where the business operates – needs to be familiar with how these laws could require changes to operations now or in the future.
While both laws address data privacy, the laws have important differences. This post outlines some important aspects of the laws and compares and contrasts CCPA and GDPR. As always, seek appropriate legal guidance as this post is not legal advice.
What penalties are imposed by CCPA v. GDPR?
Both CCPA and GDPR provide for remedies in the case of non-compliance.
GDPR – Data Protection Authorities may impose an administrative fine of up to €20 million or 4% of the business’s total annual worldwide turnover for the preceding financial year, whichever is higher.
CCPA – Violations are subject to civil penalties of up to $2,500 for each violation or $7,500 for each intentional violation. Separately, consumers whose personal information is exposed in a breach caused by a failure to implement reasonable security can sue for statutory damages of $100 to $750 per consumer per incident, which is why the security program and the privacy program cannot be run in isolation.
Beyond avoiding penalties, companies that handle personal data well can turn privacy into a competitive advantage.
Who is regulated by CCPA v. GDPR?
Both CCPA and GDPR have broad definitions of entities that are subject to data privacy regulations. In general, it’s best for any business to begin implementing data privacy policies with CCPA and GDPR in mind, as both laws have a broad territorial scope (see below). Also, these laws will not be the only data privacy protections on the books. New state and national laws are anticipated, as are expansions of CCPA and GDPR.
GDPR – First, it’s important to understand the difference between “data controllers” and “data processors” under GDPR. A controller determines why and how personal data is processed; an online business that collects customer data for ecommerce is a controller. A processor processes personal data on behalf of a controller and only on its instructions; Google, through its online tracking services, may act as a processor for that online business. The obligations differ for each role. In particular, controllers must be able to honour requests from individuals exercising their data privacy rights, which includes binding their processors by contract to assist with those requests.
Data controllers and data processors are subject to GDPR if they process personal data in the context of an establishment in the EU (a branch or subsidiary, for example), or if they are established outside the EU and either offer goods or services (paid or free) to individuals in the EU or monitor the behaviour of individuals in the EU. Your company need not be European, and you may not realize that it interacts with people in the EU at all, yet it may still be subject to GDPR.
CCPA – This data privacy law covers any for-profit entity that does business in California, collects consumers’ personal information and determines how it is used, and meets at least one of the following thresholds:
- Annual gross revenues greater than $25 million
- Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of revenues from selling consumers’ personal information
Who and what information is protected by CCPA v. GDPR?
Both laws protect natural persons; legal entities such as corporations have no rights under either law.
GDPR – Protections apply to identified or identifiable living individuals (natural persons) who are in the EU. Nationality and place of residence are not the test: a visitor to the EU is covered, and a company outside the EU that targets or monitors people in the EU is in scope.
It’s important to note that “identified or identifiable” means that encrypted, de-identified, or pseudonymized data that can still be linked back to an individual (for example, because the key or the mapping table still exists somewhere) is personal data under GDPR. Only truly anonymous data, which cannot be reversed by any means reasonably likely to be used, falls outside the law.
Also, personal data is not limited to the names and addresses people typically use to identify individuals. It includes identifiers that software uses to single out a person, such as an IP address, a cookie ID, a device identifier, or a user ID in a log file.
CCPA – CCPA’s definition of personal information is similarly broad, but it excludes information used for certain legal, medical, financial, and employment-related purposes that other laws already govern. De-identified and aggregate consumer information are also outside CCPA; for data to count as de-identified, the business must have technical safeguards and processes in place that prevent re-identification.
What consumer rights are established or protected by CCPA v. GDPR?
Both laws define acceptable business practices involving personal identifiable data and outline specific protections for individuals.
GDPR – GDPR requires a lawful basis for every processing of personal data. Individual consent is one basis; the others cover specific situations, such as processing necessary to perform a contract with the individual, to comply with a legal obligation, or to pursue a legitimate interest of the controller that is not overridden by the individual’s rights.
In addition, covered individuals are afforded rights to:
- information about the processing of your personal data;
- obtain access to the personal data held about you;
- ask for incorrect, inaccurate or incomplete personal data to be corrected;
- request that personal data be erased when it’s no longer needed or if processing it is unlawful;
- object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation;
- request the restriction of the processing of your personal data in specific cases;
- receive your personal data in a machine-readable format and send it to another controller (‘data portability’);
- request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to contest the decision.
(The bulleted list above is quoted from a European Union website page on data subject rights.)
It’s important to note that these rights include the right not to be subject to a decision based solely on automated processing, including profiling, where that decision has legal or similarly significant effects on the individual. For example, a lender cannot let an algorithm alone set an individual’s interest rate, with no human review, unless the individual has given explicit consent or another exception in the law applies; the individual also keeps the right to express their point of view and to contest the decision.
CCPA – CCPA establishes an overlapping but distinct set of rights. CCPA compliance requires the protection of specified data privacy rights, including:
- The right to know what personal information is collected, used, shared, or sold;
- The right to have personal information held by a business, and by its service providers, deleted;
- The right to opt-out of sale of personal information;
- The right to non-discrimination in price or service when an individual exercises her or his CCPA rights.
Note: CCPA personal information includes data that identifies a household or a device as well as an individual. A request to know, delete, or opt out may therefore extend to device identifiers and household-level records, not only to data tied to a named person, and a compliance program must be able to locate data by those keys too.
What data privacy practices should be in place for GDPR and CCPA compliance?
Good data privacy practices that take GDPR and CCPA requirements into account from the start will minimize the disruption of a rushed implementation triggered by a consumer request or a notice of violation. A solid data privacy regime must identify the types of personal data that you collect or process, know which systems and which processors or service providers hold copies of it, and provide the means to locate, export, correct, and delete that data in response to a request within the time allotted. GDPR requires a response without undue delay and within one month of the request (extendable by two further months for complex or numerous requests); CCPA allows 45 days, extendable once by another 45 days.
Syntelli Solutions can help. Contact us to discuss preparing for data privacy compliance.