Intro to CCPA vs. GDPR
On May 25, 2018, the General Data Protection Regulation (GDPR), a law regulating how businesses must handle personal data, came into effect. The impact on how online user data had to be handled was massive. Shortly thereafter, on 28 June that year, the California Consumer Privacy Act (CCPA) was passed, going into force on 1 January 2020. On August 14, 2020, the final regulations were approved and it immediately went into effect. To the relief of those companies that were already GDPR compliant, CCPA is, in many ways, a more lenient version of GDPR. However, there are important differences.
GDPR recap
GDPR legislates how companies in the EU must handle personal data. This includes names, email addresses, location data, browser data, etc. This legislation places a responsibility upon companies to be transparent in their handling of personal data and maintain records of how they process that information. The law is meant to ensure that individuals always retain control over their information. Most importantly, consent to use personal information must be explicitly given before being collected and can be revoked whenever it is requested. There is no such thing as implicit consent. For example, browsing or scrolling through a website cannot be considered consent to collect and make use of personal information.
Try VinciWorks’ GDPR training here
CCPA recap
California’s economy is the largest in the United States. If it were an independent nation it would rank as one of the largest economies in the world. CCPA protects the rights of all California residents. It applies to any business of sufficient size (see next section) that wants to collect personal data about residents of California. CCPA empowers citizens of California with the right to have a business disclose what information they have collected or request that whatever data they have already collected be deleted. It also gives them the right to opt out of third-party data sales.
How is CCPA different from GDPR?
The most basic difference between CCPA and GDPR surrounds consent. Whereas GDPR legislates prior consent, CCPA only mandates the right to withdraw consent. CCPA gives the citizens of California the right to opt out after personal data has been collected. CCPA does not require a business to obtain prior consent before collecting data. The only exception is information regarding minors. There is a mandatory opt-in before the sale of information for children under the age of 16.
Another major difference is that CCPA only applies to businesses, which are defined as for-profit entities that meet one of the following conditions:
- Gross annual revenue of over $25 million
- Processes the information of at least 50k residents of California
- Derives at least 50% of its yearly revenue from the sale of personal information
GDPR, on the other hand, is much broader in its scope. It applies to any data controller, which is defined as any entity that processes personal data.
How are CCPA and GDPR similar?
The aim of GDPR and CCPA are fundamentally the same: to protect an individual’s rights over his or her personal data in situations where a business (or any entity, according to GDPR) collects, uses or shares that data. Similarly, though the motivation for both legislations was largely in reaction to the “wild west” approach of online business, the regulations apply to information that is gathered online or offline.
Both GDPR and CCPA are fairly consistent regarding the following rights:
1. the right to erasure
2. the right to be informed
3. the right of access and
4. the right to data portability
CCPA vs GDPR – what do the laws deal with?
CCPA and GDPR are both meant to ensure the strong protection of personal data. However, the scope of the two laws is different. Whereas all personal information is included within the scope of GDPR, CCPA does not cover medical and protected health information which is already covered by the Confidentiality of Medical Information Act and the Health Insurance Portability Act.
CCPA vs GDPR – who do the laws apply to?
CCPA applies to any business that collects or sells the personal data of any resident of California as long as it meets the criteria mentioned above. GDPR applies to any organization that does business with or collects the data of any person within the EU.
Whereas CCPA protects consumers who are residents of California, GDPR protects data subjects which means any individual whose data is being processed by a company in the EU.
Who enforces and supervises CCPA and GDPR?
GDPR is enforced by national data protection authorities in the EU member states. CCPA is enforced by the Attorney General of California. Both authorities can enforce their respective laws through monetary penalties. Depending on the violation, GDPR fines can go up to 2% of global annual turnover or €10 million; or 4% of a company’s global annual turnover or €20 million–whichever is higher.
CCPA has a maximum fine of $2,500 per violation and $7,500 for intentional violations. This can scale up significantly for businesses that are processing the data of more than 50,000 individuals.
How can I make my website CCPA and GDPR Compliant?
You can automate your management of GDPR compliance requirements with Omnitrack’s GDPR workflows. They’ve been designed in collaboration with leading law firms and international businesses.
Omnitrack forms can also be customised specifically for CCPA requirements.
GDPR Checklist
Use the following checklist to help make your website GDPR compliant:
- Carry out a careful audit of what personal data you collect, how it’s stored and who has access
- Ensure that your website has sufficient layers of security
- Make sure your privacy policy is updated to reflect how you process, store and disclose personal data
- If you send marketing emails, make sure you have received explicit consent before adding someone to a mailing list
- Users must have a way to opt out of receiving emails at any time
- If your website uses non-necessary cookies (basically, cookies that are not essential to the function of your website):
- Add a cookie banner to inform visitors how the website uses those cookies and what gets stored. Customers must be given the option to refuse cookies.
- General usage of the site cannot be contingent on opting-in
- The banner must be clear in its intent and not deceptive
- Check all forms on your website. Whenever you want to collect personal data you must:
- Include a privacy statement that explains why you’re asking for their information.
- Include an option to opt-in. For example, a checkbox. The checkbox cannot be checked by default.
- Include a link to your privacy policy
- Ensure that any third-party processors of data are GDPR compliant.
- Conduct appropriate risk-assessments on the international transfer of data. If data will be processed by a company outside of the EU, you must make sure they are GDPR compliant.
- Users must have a way to access whatever personal data you have collected about them. They must be able to exercise this right without impediment.
- Maintain transparency and appropriate safeguards around data breaches. All data processing must be carefully recorded and one must be on guard for vulnerabilities. In the event of a data breach, the appropriate authorities must be informed within 72 hours and users must be notified when their rights are at risk as a result of the breach.
- Policies and procedures must be reviewed and updated regularly to ensure the appropriate safeguards have been put in place.
Omnitrack can greatly simplify your fulfilment of these requirements.
CCPA Checklist
As mentioned previously, if you are GDPR compliant you’re probably already CCPA compliant. However, it is worth looking through the following checklist to ensure compliance:
- Make sure you’ve reviewed what’s required by CCPA and have this reflected in your privacy policy
- Ensure there is an easy way for a customer to opt out of having their personal information sold
- Ensure there is an easy way for a customer to find out what personal information you have collected and be able to contact you to get more details
- Ensure there is a way to obtain prior consent from minors (under 16) and that you have a way to record that consent
- Ensure data subjects can easily verify the identity of someone requesting to access or delete their personal data.
A recap of CCPA vs GDPR
In summary, the good news is that if you’re GDPR compliant, you’re probably already CCPA compliant. However, it’s important to be aware of the differences. Since the focus of GDPR is obtaining prior consent, you might fall short of the CCPA obligation to provide customers with a simple way to opt out. Additionally, under GDPR, consent is needed from all customers prior to collecting their information. CCPA requires prior consent only from minors. So, to be CCPA compliant you need to make sure you’re checking the age of your customer. Finally, it’s important to remember that both laws might be of relevance to businesses that are based outside of the EU and California if they do business in and collect data from residents of those locations.