The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are both privacy laws recently passed to update outdated rules on how personal information is handled, stored and processed in the digital age. Since the proliferation of internet services, mobile telecommunications, and social media, campaigners have been demanding changes to how businesses handle personal information.
CCPA was passed in 2018 and came into force on January 1st, 2020. GDPR was passed into law in May 2018. Both laws have similar recommendations and requirements. GDPR is focused on the personal information of European citizens, and CCPA relates to the personal information of California residents.
Importantly, the two laws overlap in a way that affects businesses on both sides of the Atlantic. Any business in the United States that processes European personal information and any business in Europe that processes US personal information must adhere to each law's guidelines to be compliant with the privacy rules.
What is CCPA?
CCPA protects the private information of California residents in the United States. This includes data about the person’s identity, any sensitive health information, biometric data, mobile geolocation data, and any financial or asset information. The aim of the privacy act is to limit sensitive information disclosures or unexpected leaks caused by data breaches.
CCPA has been designed to give consumers control of their personal information and to reinforce the penalties for any breach of that information, whether caused by negligence or by a data hack.
The legislation’s purpose is to enforce consumer rights and give the consumer new rights about their data. This includes the right to know exactly what information is held on a person by a business. This is why you can now go to sites like Google and Facebook and download detailed archives of what information they hold on you.
California residents also have the right to access and view the data held on them, and importantly, the right to have the data deleted. Rights to opt-in or opt-out of data collection have been created. Other key elements include the right to equal service and price, and the right to seek damages if personal information is breached.
The new rules put a number of new requirements upon businesses that process personal data. They must be able to provide access to personal information, delete personal information on request, and evidence its destruction. They must also introduce consent management practices. This is commonly seen on websites where companies share information with third parties. The organization has a duty to disclose what data is shared.
CCPA gives the individual control over what information about them can or cannot be sold. Businesses are required to conduct data inventory exercises to identify in-scope personal data and instances of “selling” data. As a result, service-level agreements with third-party data processors must be updated to remain compliant.
Information security gaps and system vulnerabilities must be remediated promptly by reinforcing data governance and implementing data identification programs. Any data held that is out of scope must be deleted.
What is GDPR?
GDPR was designed for European citizens but affects every entity processing EU data. Its main purpose was to standardize data protection laws of all EU member states.
There are seven key principles of GDPR legislation. These focus on the lawfulness of retaining personal information and ensuring it is stored in a fair and transparent manner. The data must be retained for a specific reason and serve a specific purpose. Personal data cannot be retained indefinitely and must be destroyed once it has served its purpose.
Organizations must also commit to data minimization, retaining only recent and relevant information that is accurate. They must retain data integrity and ensure the confidentiality of private information is upheld.
EU citizens have many new rights since the introduction of GDPR. These rights lay the foundation of what third parties can and cannot do with personal information. People have the right to be informed of what personal data is being held by the business, and the individual has the right to view and access this information. If necessary, they have the right to correct the data.
EU citizens can request that personal information be deleted and can restrict how personal information is processed. They have the right to object, as well as rights in relation to automated decision making and profiling, such as credit card acceptability criteria.
CCPA vs GDPR
The similarities between CCPA and GDPR are striking; CCPA could be considered the US counterpart of GDPR. There are, however, some significant differences. GDPR affects data controllers and data processors inside and outside of the European Union, whereas CCPA only regulates companies “doing business” in California.
Other rules exist, such as CCPA only being applicable to companies with gross revenue above $25 million USD and those that process the personal information of more than 50,000 California residents. The penalties for breaching either law are also quite different. GDPR fines run up to 4% of turnover or 20 million Euro (whichever is greater). CCPA is specifically $2500 per record for unintentional violations and $7500 for intentional violations.
There are other subtle differences, but importantly both laws set out with the same objective, which is to enhance and protect personal and private information. Both laws enforce the notion that businesses cannot harvest whatever data they choose. Data has significant value, and many tech giants in Silicon Valley have made huge profits selling personal information. CCPA and GDPR have identified this and have acted to protect each of us.