If you’ve spent any appreciable amount of time on the Internet over the last six months or so, you’ve likely noticed an increasing number of websites asking you to approve not only the types of data they’re collecting during your visit, but how that data is stored and who, if anyone, it can be shared with. Oftentimes these notifications are so prominent that you need to acknowledge them before you can access the content you were looking for in the first place. The same types of messages are likely filling up your email inbox on a daily basis, even for sites you signed up for years ago and quickly forgot about or never used to begin with.
These sites and services aren’t providing these notifications out of the kindness of their own hearts. They’re doing it because they have to, thanks to the European Union’s General Data Protection Regulation, otherwise known as the GDPR for short. It’s something that most experts agree is one of the most important changes to data privacy regulation in over two decades and, in an era where cyber attacks are becoming increasingly common, it couldn’t have come along at a better time.
The GDPR came about after four years of heavy preparation and debate before it was finally approved by EU Parliament in 2016. It began to be enforced on May 25, 2018, which is part of the reason why you’re now hearing so much about it. Absolutely any organization that stores consumer data from European Union citizens is subject to the GDPR and, when you consider that the Web essentially allows even the smallest businesses to compete on a global stage, it more or less affects every site or service you’re likely to use on a given day.
To put it simply, the GDPR was intended to reshape the way that sectors manage data – from healthcare providers to financial services businesses and beyond. It also redefines key roles within businesses, such as those of CIOs and CMOs. Businesses that are not compliant with the GDPR are subject to heavy and expensive penalties for violations and, when you consider that a study recently conducted by IBM and Ponemon Institute revealed that the average cost of a single consolidated data breach hit $3.86 million in 2018, it’s easy to see why.
Efforts to fundamentally change and improve the way we create, store and regulate data online may have begun in the European Union with the GDPR, but they certainly won’t end there. Case in point: in June of 2018, Governor Jerry Brown signed the California Consumer Privacy Act (or the CCPA for short) into law. It’s more than just a geographical cousin to the GDPR – many consider it to be one of the toughest data privacy laws currently in existence in the United States. It, too, has far-reaching implications for most businesses – even those that don’t have a physical footprint in the state of California.
But at this point, the question must be asked: what elements do the GDPR and the CCPA share? How are they different? Is it possible to create one plan that guarantees compliance with both regulations at the same time? As a business owner serving customers all over the world, what do I need to do to make sure that I don’t wind up on the receiving end of the types of costly violations that could bring my business to its knees? Is this a lot of trouble for little net benefit?
To answer that last question first, no – it certainly isn’t. Another study revealed that a full 60% of companies fail within six months after suffering the already-devastating effects of a cyber attack. This is why the penalties for non-compliance are so severe – the Internet is getting more dangerous all the time and someone needed to step up and do something.
But in relation to all of those other questions, the good news is that understanding the GDPR and the CCPA, and remaining compliant with both, is a lot more straightforward than you probably think. You just need to keep a few key things in mind.
The GDPR: Breaking Things Down
On a basic level, the GDPR has three core goals. They are as follows:
- It aims to harmonize data privacy laws all across Europe.
- It aims to protect and empower all European Union citizens with regards to their data privacy.
- It aims to reshape the way organizations all across the region approach data privacy, creating the safest possible situation for everyone involved.
More Accountable than Ever Before
In other words, companies that are covered by the GDPR are now more accountable for the handling of people’s personal data than ever before. The GDPR has strict guidelines for having data protection policies, conducting data impact assessments and even requires you to have relevant documents available on how any and all data is processed.
For companies with more than 250 employees, for example, there must be documentation in place outlining why people’s information is being collected and processed, how that information is being stored, how long it will be kept for before being destroyed and detailed descriptions of all technical security measures that are currently present to help prevent it from falling into the wrong hands.
Hiring a Data Protection Officer
One of the biggest changes dictated by the GDPR is that most companies will now need to hire a dedicated Data Protection Officer, or DPO. This is required of any organization that processes a lot of personal data at any given time. This person will monitor compliance with the GDPR and will act as a point-of-contact between employees of the business and the customers they serve.
The GDPR also has some very strict requirements regarding what a company must do during and after a data breach. Any destruction, loss, alteration or unauthorized disclosure of private information must now be reported to the country’s data protection regulator within 72 hours. Likewise, all consumers who were affected need to be told. The consequences that must be communicated include, but are not limited to, financial loss, confidentiality breaches, damage to reputation and more.
This must be done in addition to any efforts that are currently underway to actually recover from the breach itself.
Subject Access Requests
Finally, all customers are now able to complete a Subject Access Request, or SAR. This lets them ask a company or organization to provide all the data currently stored pertaining to them. These used to cost $10 and were not mandatory but now, they’re totally free and they are a requirement under the GDPR.
There are many additional rules and regulations outlined by the GDPR – the full text runs nearly 100 pages – but these are among the most relevant. That is particularly true when you consider them against the context of another strict data protection and privacy law, the aforementioned CCPA.
What You Need to Know About the CCPA
One of the most important things to understand about the CCPA has to do with how it applies to businesses. If you run an organization that meets any one of the following criteria, you now have to concern yourself with what the CCPA means:
- You have annual gross revenues over $25 million.
- You deal with the personal information of 50,000 or more consumers, households or devices.
- You get at least 50% of your annual revenue from selling consumer information.
- You collect personal information.
- You process personal information.
- You do business in California.
Likewise, the CCPA grants consumers (read: residents of California) certain rights that are, in part, as follows:
- A business must disclose what personal information is being collected or sold to the consumers in question.
- You also need to outline why and how that information is being collected or sold.
- If the consumer requests a copy of their data, you need to be able to provide them with it.
- If a customer wants you to delete their data, you have to.
- You cannot discriminate against anyone who exercises any of their rights under the CCPA.
- If you sell consumer information to third parties, consumers can now opt out of this practice as individuals.
Based on those factors alone, it’s easy to see how both the GDPR and the CCPA share a lot in common – especially in terms of what they’re designed to do. A closer look at some of the language used in both documents, however, reveals a number of additional interesting similarities and differences.
The GDPR vs. the CCPA: A Comparison
The CCPA defines “personal information” as anything that identifies, relates to, describes, is capable of being associated with or could be reasonably linked to a particular person or household. This includes real names, signatures, physical characteristics, contact information, social security numbers and more.
The GDPR describes “personal data” in a very similar way, meaning any information relating to or that can be used to identify a specific person. It does not include the “household” stipulation.
The CCPA defines a “business” as a for-profit legal entity or sole proprietorship.
The GDPR, on the other hand, is much more broad in who is covered. You don’t technically need to be a “business” at all – you just need to control or process relevant information.
Under the CCPA, businesses need to inform consumers at or before the point of collection what information is being collected and why it’s necessary.
The GDPR goes beyond this, however, also requiring an entity to provide the identity and the contact details of the data controller, the recipients of that data, the legal basis and purposes for processing, the retention period, the right of access and more.
Right of Access.
Both the GDPR and the CCPA give consumers the right to not only learn what information is being collected, but to also get a complete copy of that information.
The GDPR additionally allows people to learn how long that information is being retained. The GDPR also has an additional “right to portability” in certain cases, which allows someone to receive and/or transmit their data to another controller if they so choose.
Right to Deletion.
Both the GDPR and the CCPA allow consumers to request the deletion of any and all personal information that has been collected about them. The CCPA, however, only applies to data collected FROM the consumer.
The GDPR applies to ALL data concerning a data subject, no matter where it came from.
Right to Opt-Out.
At any moment, the CCPA allows people to opt out of a business’ ability to collect or sell their personal data. At that point, a business is prohibited from doing anything meaningful with that data in any way.
The GDPR includes no such right. However, the GDPR is so strict in other areas that if a consumer didn’t want you to store and sell their data, there are other techniques they could use to achieve that without calling on any one particular “nuclear option.”
In the End
At their core, it’s clear that both the GDPR and the CCPA are significant steps in the right direction in terms of data protection and privacy for us all. They are also documents that are still very fluid – as the cyber security situation continues to evolve and change, you can expect these documents to be adjusted to account for that.
If nothing else, these help to underline how seriously we’re starting to take data privacy as a society. Yes, there are subtle differences between the two documents (many of which can be attributed to certain cultural or societal norms in their respective locations), but they were both created with the same idea in mind.
Namely, that we should be able to continue to use one of the most powerful tools ever invented by the human race without worrying about what a third party, for-profit entity or organization is doing with the personal data we’re creating every day. Another study revealed that 90% of the world’s data has been produced in just the last two years and that number is only going to increase as time goes on. The GDPR and the CCPA are both an excellent first step in terms of keeping us all safe, but they must only be exactly that: the beginning of something larger and far more important moving forward.
Want to Talk about Compliance for Your Organization?
Call us at 215-675-1400, or send us a message to talk about what we can do for you.