Welcome to the period of legal reformation.
We have two different laws, the GDPR and the CCPA, both redefining the entire landscape of how users’ data is to be handled. The General Data Protection Regulation of Europe came into effect last year and was quite a shock for businesses collecting data on citizens of European Union (EU) countries.
And now we are witnessing another new set of regulations, the California Consumer Privacy Act (CCPA), which is about to go live on January 1, 2020, and it has already sent tremors through some businesses.
Now companies will have no free rein over our personal data. These new laws are compelling businesses to reel back their data collection practices and thereby put the individual in control of how their personal information is utilized.
That isn’t all. There are several notable points one needs to consider in order to comply with these laws and thereby avoid huge penalties. But before that, it helps to understand the key differences and the common principles between the GDPR and the CCPA.
The General Data Protection Regulation is the core of Europe’s digital privacy legislation. Under the terms of the GDPR, organizations must ensure that an individual’s personal data is gathered lawfully and under strict conditions. Also, those who collect and manage it are obliged to protect it from exploitation and misuse.
The GDPR applies to all organizations operating within the European Union, and also to organizations outside the EU that offer goods or services to businesses or customers in the EU.
The California Consumer Privacy Act (dubbed “California’s Mini-GDPR”) was passed in June 2018, and it sets rules for businesses operating in California regarding how they collect, use, and share consumer data. It provides enhanced privacy rights and consumer protections for California residents and gives them significant rights over their data.
The CCPA is seen as a massive step, since there had been no federal privacy law in the US for decades. Moreover, if you are already familiar with the rules and obligations of the European Union’s GDPR, then the newly introduced CCPA will be straightforward.
The GDPR applies to businesses of every kind that handle personal information from the EU, regardless of the business’s citizenship status or residence. That is, if your company is a small or medium-sized enterprise established outside the EU, but it offers goods or services to, or monitors the behavior of, individuals in the EU, then you have to comply with the GDPR.
Meanwhile, the CCPA is limited to individual data subjects who legally reside in California.
Both the CCPA and the GDPR share requirements on how data may be used, the rights individuals are entitled to regarding their personal information, and how to contact a data protection officer when desired. The noticeable differences between them are outlined below.
The GDPR includes the processing of all personal data, no matter what it’s intended for or how it’s handled. However, this rule includes two exceptions:
The CCPA is much more specific about the kinds of data protected under different circumstances. For example, the GDPR requires companies to offer an “opt-in” before accessing an individual’s data. In contrast, the CCPA requires entities to supply only an “opt-out”, and only when the personal data is actively shared or sold.
Under both of these laws, the term “personal data” signifies any information that directly or indirectly identifies an individual. However, they differ in which data types they restrict.
Under the GDPR, processing of personal data covers everything from the initial act of collecting a user’s or visitor’s data, to organizing and storing it, making it available for access, and its ultimate removal or erasure.
The CCPA splits “personal data” into multiple definitions, such as –
Note: Here “selling” doesn’t necessarily mean the involvement of any payment. It can be a valuable and intentional exchange of personal data.
You might have already heard of the major GDPR-related penalty against internet giant Google, in which the company was fined 50 million euros (£44m) by the French data regulator CNIL.
So, is this a fixed penalty for all firms? NO.
Under the GDPR, the penalty can range as high as €20 million (approximately $22 million) or 4% of the company’s annual global turnover, whichever is higher.
On the other hand, the CCPA has a separate regime for fines. Here, non-compliance alone isn’t taken into consideration. Instead, penalties are applied only after a data breach has occurred.
So when a breach happens, the earlier violations relevant to that breach are each considered individually for fining. The penalty details are given below:
So, no matter whether violations of these laws are unintended mistakes stemming from sloppiness, neglect, laziness, or ignorance, you need to comply with the regulations unfailingly. Otherwise, you will pay dearly for your complacency.
The GDPR has already been helping customers, and the CCPA is right around the corner. This blog has covered the things one needs to consider when it comes to maintaining compliance with both the GDPR and the CCPA. But there are still more stipulations to come in the future, and it is always wisest to keep yourself updated on these laws.
With all that in mind, avoid costly legal repercussions and make your business life easier.