CCPA vs. GDPR: data privacy laws in Europe and the USA
The data regulatory landscape is constantly changing, with new laws and rules passed at a rapid rate. Hardly had the world come to terms with the GDPR when California decided to go big on data privacy and set a new standard in the US.
The California Consumer Privacy Act (CCPA) went into force on 1 January 2020. It is the first comprehensive legislation in the USA that gives people control over the use of their personal data, and it is likely to become the national standard for data protection and handling. With California being the world’s fifth-largest economy and home to such giants as Google, Facebook and Yahoo, the impact of this new act may turn out to be even larger than that of the GDPR. In this article, we’ll take a closer look at the new California Consumer Privacy Act and its requirements, and compare it to the GDPR.
Who does the CCPA apply to and what kind of data is protected?
The CCPA applies to any company doing business in California if it meets any of the following conditions:
- it buys and sells personal data of 50,000 or more consumers;
- it has an annual revenue of at least $25,000; or
- it earns more than half of its revenue from selling personal data.
According to the CCPA, personal data is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It includes:
- PII (name, address, email address, phone number, etc.),
- Biometric information (fingerprints, DNA, etc.),
- Geolocation data,
- Internet activity information (search history, etc.),
- Education- or employment-related information, etc.
In other words, the CCPA defines personal data much more broadly than the GDPR, which means that companies are now facing an even greater compliance challenge.
What are the rights and penalties under the CCPA?
The CCPA was designed to encourage greater transparency and stronger privacy and entitles Californians to a number of new rights.
- The right to know what personal data is being collected and handled. It means that businesses must notify users when they collect their personal information.
- The right to know whether their personal data is sold or disclosed and to whom. It means that users may request to be informed about the kind of third parties their personal information is disclosed to and what kind of information has been disclosed.
- The right to have their personal data deleted. It means that any user may request a company to delete all the data collected about them.
- The right to say no to the sale of their personal data. It means that users may opt out of having their personal data sold to third parties. In other words, businesses are obliged to have a “Do Not Sell My Personal Information” button on their website, and if a user clicks on it, the company will not be able to sell their personal data to any third party including advertisers.
- The right to access their personal data. Users may request a report on what personal data the company has collected, which must be provided free of charge within 45 days.
- The right not to be discriminated against, even if they have exercised their privacy rights. It means that a company cannot refuse to provide a service or impose extra charges if a user decides to exercise their rights under the CCPA.
Apart from that, the CCPA sets high requirements for data anonymization. According to the new Act and its definition of personal information, pseudonymized data may still be considered personal data, since it can be traced back to a particular user.
Failure to comply with the CCPA can easily result in hefty fines – $7,500 per intentional violation, $2,500 per unintentional violation and $750 per affected user. Considering the number of users affected when a breach occurs, fines can amount to millions of dollars.
CCPA vs GDPR: what are the key similarities?
Although the CCPA and the GDPR are both aimed at implementing the core principles of data protection, they shouldn’t be treated as one and the same document. Both standards are characterised by the following:
- Extraterritorial reach, which means that both the CCPA and the GDPR may apply to companies outside their jurisdictions;
- Rights granted: both documents grant users the right to have their personal data deleted and the right to know when their personal information is collected, stored and shared with third parties;
- Financial penalties: failure to comply will result in steep fines;
- Companies are required to implement both organizational and technical measures to ensure compliance with the GDPR and the CCPA.
CCPA vs GDPR: what are the key differences?
However, despite often being referred to as the American version of the GDPR, the CCPA has a number of differences that should be taken into account. First of all, personal data is defined much more broadly under the CCPA (see the definition above). When it comes to PII, the GDPR is mostly focused on an individual, whereas the CCPA also includes the information that can identify a household or someone’s behaviour as a consumer. What it means for businesses is that they should try to cover all possible types of users’ data.
Secondly, if we look at the entities that have to comply, we will see that the CCPA has a much narrower scope. While the GDPR applies to any company that collects and processes users’ personal data, the CCPA applies only to companies that operate for profit and generate much of their income through buying or selling personal information. Thus, non-profit organisations will not be affected by the new rules.
Finally, while the core rights granted by the GDPR and the CCPA are similar, they are not identical. The key requirement of the CCPA is that companies must inform users when their data are being sold to third parties and the users may opt out of this sale. This aspect is not currently regulated by the GDPR. On the other hand, unlike the GDPR, the CCPA does not grant the right to the correction of personal information, and the data minimization requirement is not imposed.
What can you do to ensure compliance?
All in all, the CCPA reflects the global trend towards ensuring greater security of personal data. For companies that process large amounts of personal information, transparency and consumer trust are becoming a vital part of the business. After a series of high-profile data breaches, governments are also taking data privacy very seriously. Europe’s GDPR, America’s CCPA and Japan’s Act on the Protection of Personal Information have already come into effect and many more are looming on the horizon. Considering all that, it seems that businesses should prepare to meet more stringent privacy requirements.
Although real enforcement of the CCPA isn’t likely until July, it’s time companies revised their policies and processes and took proper measures to comply with the new standard. The best approach to ensuring compliance with the CCPA is to establish a comprehensive data privacy strategy and think of the right tools.
If you use Jira or Confluence in your enterprise, our plugins GDPR (DSGVO) and Security for Jira and GDPR (DSGVO) and Security for Confluence may be the answer. Originally designed to meet the GDPR requirements, they boast functionality that goes beyond that and is capable of covering all your CCPA needs. With over 100 PII search patterns, finding and anonymizing personal information is a piece of cake, which is crucial if you want to be fully CCPA-compliant. Start your free trial today and let us cover your back while you focus on your business.
For more information on GDPR compliance, check out more articles in this series:
- 4 easy questions to check if you are fully GDPR compliant
- Be GDPR compliant, Part 1: everything you need to know about getting consent in Jira and Confluence
- New model of calculating GDPR fines is to increase possible penalties
- Be GDPR compliant, Part 2: ensure the right to erasure, find and anonymize PII in Jira
- 7 popular myths about GDPR