Consumer data privacy has become a hot topic these days with various legislations enacted to promote and strengthen the privacy rights of consumers. There is a global trend of forcing companies to be more accountable and responsible when it comes to protecting consumer data.
Consider the General Data Protection Regulation (GDPR), which was designed to protect the personal data of citizens of the European Union (EU). It was passed into law in 2016 and took effect two years later.
A couple of months after the GDPR took into effect, then California Governor Jerry Brown signed into law the California Consumer Privacy Act (CCPA) which will be implemented in 2020. The CPPA is widely considered one of the toughest consumer privacy laws in the United States.
Because of the nature of these two legislations, a comparison between the GDPR and CCPA is unavoidable. This article will discuss briefly the two data privacy acts and enumerate the differences between GDPR and CCPA.
What’s the GDPR?
The GDPR is regarded as the most important change in data privacy legislation in the past two decades. It is considered as game-changing legislation that empowers consumers, giving them the right to demand cybersecurity and accountability from various businesses. The GDPR affects not only businesses that operate in Europe but all organizations that handle the personal data of EU citizens. Steep penalties await companies that fail to comply with it.
The GDPR is one of the key laws enacted in consonance with the European Commission’s plans to undertake data protection reform in the continent and make it better-suited for the digital age. It replaced the 1995 Data Protection Directive which was implemented at a time when the World Wide Web was virtually unheard of in many parts of the world. Adopted and approved on April 14, 2016, the GDPR had a transition period of two years before the legislation was enforced. On May 25, 2018, the GDPR was finally in full effect.
At its core, this data privacy law sets rules that give citizens of the EU more control over their personal data. It simplifies the regulatory environment for business and enables both companies and citizens in the EU to fully benefit from the digital economy. It also promotes transparency for visitors about their data and how it is processed.
Below are some key points of the GDPR:
- Enhanced territorial scope. Perhaps the most notable feature of the GDPR is its extended jurisdiction. In the past, the territorial applicability of data privacy directive was vague, referring to the data process in the context of an establishment. But in the GDPR, the topic of territorial jurisdiction is now clear. The law applies to the processing of personal data by controllers and processors in the EU as well as personal data of citizens of the EU
- Penalties. Non-compliance can result in fines of up to €20 Million or 4 percent of the annual global turnover, whichever is greater.
- Consent. The GDPR also features strengthened conditions for consent. In simpler terms, companies are no longer allowed to use long and vague terms and conditions. Request for consent should be intelligible and easily accessed. It should also be in clear and plain language.
- Access. The GDPR also outlines expanded rights of data subjects including the right to get confirmation from the data controller as to whether or not personal data is being processed, and for what purpose. It also specifies that a data controller should provide an electronic copy of the personal data.
- Breach Notification. Data breach notifications are now mandatory with the implementation of the GDPR. A data breach likely to result in a risk for rights of individuals should be notified within 72 hours. Data processors are likewise required to notify data subjects and data controllers without undue delay the moment they become aware of a data breach.
- Data erasure. Also known as the right to be forgotten, this entitles data subjects to have their personal data erased by the data controller. It also gives them the right to stop the dissemination of their data and even third parties to step in and halt processing of their data.
- Data portability. This right gives the data subject the option to receive personal data regarding them and transmit this to another controller.
Scheduled to go into full effect on January 1, 2020, the CCPA is widely seen to have been influenced by the GDPR. It will limit how organizations handle, store, and use consumer data. Transparency will be required from organizations and consumers have the option to erase, download, and opt out the sale of their personal information.
The CCPA applies to businesses with annual gross revenue of more than $25 million as well as those who buy, receive, sell, and share personal information of consumers. Companies that derive half or more of its annual revenues from handling and selling consumer’s personal information are also to be affected by this new legislation.
Under the CCPA, the term consumer pertains to a California resident. Personal information is defined as information that is identified with, related to, or can be associated or linked to a particular consumer or household.
Below are the key points of the CCPA:
- Disclosure. Firms must disclose any consumer information gathered, sold, or disclosed for a business purpose. Consumer information may include identifiers such as:
- Real name
- Postal address
- Online identifier Internet Protocol address
- Social security number
- Email address
- Social security number
- Passport number
- Driver’s license number
Consumer information may also pertain to data gathered and used for commercial purposes such as:
- Records of personal property
- Goods or services availed, purchased or considered,
- Other purchasing histories or tendencies;
- Biometric information
- Geolocation data
- Internet activity information including but not limited to search history and browsing history.
- Interaction with a website, advertisement, or application
- Professional/employment-related info
- Educational information
In response to a verifiable consumer request, a business that collects and handles personal information is required to disclose categories of personal information that has been collected, categories of sources from which the personal data is collected, and commercial purpose for collecting and selling of the personal information.
The concerned business entity must also disclose categories of third parties which it shares personal information and specific details of personal data it has collected about the requesting party.
- Access. Under the CCPA, any business that collects personal information should inform the consumer about the categories of personal data collected as well as the purposes for which the data shall be used. The notification should be done at or prior to the point of collection.
- Deletion. Covered businesses are required to delete personal information of a consumer in response to the consumer’s request. This also applies to direct service providers that collect and handle personal data of consumers.
- Anti-discrimination. Any covered business should not take it against a consumer exercising his or her rights under the CPPA.
- Opt out of personal data sales. Covered businesses selling personal information of consumers to third-parties must provide a notice to their consumers and also, a choice to opt out of the sale of their personal data. More notably, a business should be implicit about this by having a “Do Not Sell My Personal Information” link on its homepage.Moreover, business is forbidden to sell personal information of consumers aged 15 years and below, provided that the former has actual knowledge of the consumer’s age. The clear exemption is when the consumer aged between 13 and 16 years old agreed or authorized to sell his/her personal information. For consumers less than 13 years of age, consent of a guardian or parent is needed before the business can sell the former’s personal data.
- Consumers’ rights rights
- Methods for submitting verifiable consumer requests
- List of categories of personal data that the company has collected about its consumers as well as information sold and disclosed for a business purpose.
Similarities between CCPA and GDPR
Since CCPA is considered an offshoot of the GDPR, it is not surprising that there are some similarities between the two data privacy laws.
One facet where the CCPA vs GDPR comparison draws similarities is the manner in which businesses must respond to consumer requests. Both laws require covered businesses to respond to consumer requests without undue delay. For CCPA, responses should be made up to 45 days upon receipt of the request. For the GDPR, the deadline can range from 1 month to 3 months as long as the requesting party is notified. Moreover, both laws require data controllers to give reasons why they cannot comply with requests.
Both laws also levy substantial fines to non-compliant parties although there is a difference in the calculation of the fines. Administrative fines under the GDPR can reach up to EUR20 million and up to 4 percent of the firm’s annual global revenue, or whichever is higher. On the other hand, the CCPA penalizes businesses up to $2,500 for every violation and a maximum fine of $7,500 for every violation, if proven intentional. While the calculation of fines is different, it cannot be argued that violations of either law can result in significant loss to guilty parties.
Differences between CCPA and GDPR
However, it should be noted that there are also numerous differences between GDPR vs. CCPA.
One of the most glaring differences is the opt-out right of consumers for selling of their personal information. Under the CCPA, covered parties must put a link that reads “Do Not Sell My Personal Information” on the homepage of their websites. Covered businesses are also prohibited from requesting re-authorization to sell a customer’s personal data for a period of 12 months.
There is no provision like this in the GDPR. But there is a provision for data subjects to opt out of the processing of their personal information for commercial purposes and to withdraw consent for data processing activities.
There are also consumer rights specified in the GDPR that are not present or used in the CCPA. For example, the GDPR gives consumers the right to rectification meaning they can correct inaccurate personal information or complete personal data. There is no consumer right like this promoted in California. The said European privacy data legislation gives consumers the right to object the processing of their personal data for purposes such as research, direct marketing, or profiling. This right is also not promoted or supported under the CCPA.
The CCPA, on the other hand, is more specific on the requirements for processing personal data of consumers aged 18 years and below. As mentioned earlier, the CCPA requires parental or guardian consent in selling personal information of children aged 13 years and below. Children between 13 and 16 years old can give authority for processing and selling of their personal data. On the other hand, default age for consent under the GDPR is 16 years meaning those who are younger need to get parental consent for the processing of their personal information.
In terms of territorial scope, it can be said that the GDPR has a broader reach. It covers data controllers and processors that are established in the EU and serving activities of EU companies, as well as those that are not physically present in EU but process data of EU subjects.
The CCPA and the GDPR are breakthrough data privacy laws seen to promote consumer rights and protect their interests especially in the collection and sale of their personal data.
Companies with business interests in the EU and California should put time and effort into understanding these new policies. Working with a reputable organization such as RSI Security would give covered parties the assistance they need in order to comply with these new data privacy laws.