While there is significant overlap between the GDPR and the CCPA, every organization should carefully assess its data privacy and security program as enforcement of the CCPA begins.
In today’s increasingly digital world, businesses are gathering and leveraging the personal data of their customers more than ever before. In response, over the past several years, governing bodies have passed stringent data privacy laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) that are designed to allow consumers to take more ownership over their data.
As enforcement of the CCPA begins, many companies that are already GDPR-compliant may be wondering how the CCPA is different from the GDPR and whether they need to reassess their approach to data privacy and security. Any company that is subject to both regulations must be sure to understand the regulations’ similarities and differences in order to protect itself against fines and other penalties.
The Basics of GDPR and CCPA
The GDPR, which went into effect on May 25, 2018, regulates how businesses collect, use, transfer, store, or otherwise process personal data for individuals residing in the European Union (EU) and European Economic Area (EEA). Unlike the CCPA, GDPR regulations may vary, as individual countries were permitted to make certain adjustments. This slight variation notwithstanding, these regulations are some of the strongest in the world when it comes to consumer data protection.
The CCPA is a California statute that went into effect on January 1, 2020, with an enforcement start date of July 1, 2020. The CCPA is designed to dramatically improve data privacy for individuals and households in California. However, due in part to the disruption caused by the COVID-19 pandemic and in part to a lack of awareness, many businesses remain only partially or not at all in compliance with the CCPA, leaving them vulnerable to fines and other consequences.
How GDPR and CCPA Apply to Businesses
Given the economic prominence of both the EU and California, GDPR and CCPA regulations can apply to businesses worldwide. Businesses based outside the EU must comply with the GDPR if they offer goods or services to individuals within the EU or monitor these individuals’ behavior, whether directly or as a third party. The GDPR does carve out some exceptions based on the size of a business: for instance, businesses with fewer than 250 employees do not necessarily need to maintain data records if they only process consumer data occasionally.
The CCPA regulations are more specific, applying to companies that do business in California while also meeting one of the following conditions:
- Having annual gross revenues of over $25 million;
- Buying, receiving, or selling the personal data of over 50,000 customers;
- Earning over half of their annual revenue from selling consumers’ data.
Businesses whose primary operations are outside the state should check carefully whether they are subject to this statute, especially those that maintain an e-commerce presence, have branch locations in California, or engage with California businesses as a third-party vendor.
The Definition of Personal Data
Under both GDPR and CCPA, customers have a right to know how businesses are collecting and handling their personal data, and they have a right to access that data, refuse its sale, or request its deletion. If a customer requests to view the personal data a business holds about them, the business must oblige.
The GDPR reserves these rights for EU/EEA residents, whether citizens or non-citizens. The GDPR definition of personal data includes names and government ID numbers, as well as usernames, IP addresses, location information, images, and online cookies. Further, the GDPR provides additional protection for sensitive information like race and ethnicity, religion, political affiliation, trade union membership, sexuality, and health information.
The CCPA only protects California residents. In contrast to the GDPR, the CCPA applies to both individuals and households, but it does not include protections for health information and other personal data that is already protected by law. As such, companies that deal with this kind of data should continue to adhere to prevailing regulatory regimes like HIPAA.
Complying with GDPR vs. Complying with CCPA
Large and small businesses alike are tasked with following the principles laid out within the GDPR framework, including fairness and transparency, data minimization, storage limitations, integrity and confidentiality, and accountability. While each principle requires careful consideration, the accountability principle is critical, as it compels companies to prove their efforts to comply with the GDPR as a whole — typically by implementing a secure data handling protocol, documenting the process, and proactively training staff. In fact, in some cases, the GDPR requires a company to appoint a Data Protection Officer and create Data Protection Impact Assessments (which goes well beyond CCPA requirements).
The CCPA is based on transparency, accountability, and control, and requires companies to implement reasonable procedures and practices to ensure the security of customers’ personal data. Businesses should be proactive about instituting measures like the following:
- Updated and clearly displayed privacy policies;
- Notices of data collection whenever relevant, whether online or offline;
- “Do Not Sell My Personal Information” options for customers (something that is not necessary under the GDPR);
- A plan for handling consumer requests and ample training to help employees do so effectively;
- Secure records of compliance measures and consumers’ requests.
Businesses should make sure that their third-party vendors are compliant as well, as the CCPA, unlike the GDPR, includes specific provisions allowing customers to opt out of certain types of third-party data usage.
Next Steps for Companies Subject to GDPR or CCPA
Companies that had to adapt to the GDPR are likely better prepared for CCPA compliance, but many companies were still noncompliant when CCPA enforcement began earlier this month. Some companies don’t even realize that their activity qualifies as selling personal information, meaning far too many businesses are putting themselves at an unnecessary risk of fines or legal action.
If you’re unsure of whether your company is sufficiently compliant with all relevant data privacy regulations, your best course of action is to work with an outside expert like SEI who can audit your current procedures and guide your organization through the design and implementation of new measures. The stakes are high, but with an experienced partner by your side, you can be proactive about protecting your business.