When the General Data Protection Regulation (GDPR) was enacted, companies and organizations (i.e., businesses) had to change the way they handled personal data or face steep fines. Recently, California enacted a similar privacy law, the California Consumer Privacy Act (CCPA). Read on for a quick guide on CCPA vs. GDPR, what it means for businesses, and CCPA & GDPR compliance.
What is the CCPA?
CCPA took effect on Jan. 1, 2020, and was developed to protect the consumer privacy of Californians. CCPA gives Californians greater control over the ways businesses can use their personal information (PI).
To give two examples, CCPA establishes a person's right to request deletion of the PI a business holds about them, and it requires opt-in consent (from a parent or guardian for children under 13) before a business may sell the PI of minors. CCPA also prohibits businesses from discriminating against, or otherwise penalizing, people who exercise the rights the law gives them.
What is the GDPR?
GDPR is a European Union (EU) privacy and data protection law. It requires organizations to be transparent about the personal data they collect and how they use it, and to have a lawful basis for every processing activity. GDPR was adopted in 2016 and became enforceable on May 25, 2018. It applies to organizations established in the EU, and to organizations anywhere in the world that process the personal data of people located in the EU when offering them goods or services or monitoring their behavior; it is not limited to EU citizens.
CCPA vs. GDPR: What Are the Differences Between These Laws?
CCPA and GDPR are both data protection laws. While the two are similar in many ways, they also differ in important respects. This matters from a compliance perspective: a business subject to both must verify that it meets the specific requirements of each, rather than assuming that compliance with one implies compliance with the other.
The differences between GDPR and CCPA include:
- Jurisdiction: GDPR applies to organizations established in the EU and to organizations outside the EU that offer goods or services to, or monitor the behavior of, people located in the EU. Many U.S. businesses therefore fall under GDPR if they serve the EU market. CCPA protects California residents, and its obligations fall on for-profit businesses that do business in California and meet at least one of the law's revenue or data-volume thresholds.
- Types of data protected: GDPR's "personal data" is any information relating to an identified or identifiable natural person, regardless of the purpose of the processing. CCPA's "personal information" is also defined broadly, but the statute enumerates specific categories (identifiers, commercial information, biometric data, geolocation, inferences, and so on), extends to information about households as well as individuals, and carves out publicly available information.
- Consent, opt-in, and opt-out: The two laws take different default positions. Under GDPR, processing requires a lawful basis up front; consent is one such basis and must be freely given, specific, informed, and as easy to withdraw as to give. CCPA is primarily an opt-out model: businesses may collect and sell PI but must offer a clear "Do Not Sell My Personal Information" mechanism, and must obtain opt-in consent before selling the PI of minors.
- Personal access to data: Both laws give people the right to learn what data a business holds about them and how it is used, and to request specific actions (e.g., correction of errors or deletion in certain circumstances). The exact rights, the exceptions, and the response deadlines differ between the two laws, so request-handling procedures need to be checked against each.
- Penalties for violation: GDPR fines can reach €20 million or 4% of an organization's worldwide annual turnover, whichever is higher. CCPA provides for civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, enforced by the California Attorney General, and it gives consumers a private right of action, with statutory damages of $100 to $750 per consumer per incident, for data breaches caused by a failure to maintain reasonable security.
How Are Companies Affected by GDPR and CCPA?
Both laws affect businesses by requiring care in the collection, sale, and handling of personal data about individuals and other stakeholders, such as employees, contractors, and other third parties.
The two laws impose penalties on businesses that do not comply with the requirements of the laws — regardless of whether the violation was intentional or unintentional.
Your business must understand both GDPR and CCPA to gauge its compliance. Specifically, review your internal data processing, storage, and protection procedures to identify any gaps that could constitute a violation of either law.
You must also know how to handle data subject access requests (DSARs), which allow people to see what personal data and information a business holds about them, correct erroneous information, and exercise their other privacy rights, such as requesting deletion.
If you're not clear on the difference between CCPA and GDPR, take the time to understand the main points now. Review the steps your business needs to take to comply, then adjust your business practices to avoid fines and penalties.