Marketing Automation for Ecommerce | Carts Guru Blog

The differences between GDPR and CCPA and what they mean for ecommerce

Written by Louise | Jan 13, 2020 2:16:54 PM

Since the creation of the internet in the late 1960s, the online world has managed to operate somewhat outside of the law. After decades of this “wild west of the internet”, it seems we’re entering a much-needed phase of reform.

On the 1st of January 2020, new legislation came into effect throughout the state of California that has had a huge impact on the global e-commerce industry. The California Consumer Privacy Act (CCPA) is similar in many ways to the General Data Protection Regulation (GDPR), which works to protect the online privacy of citizens throughout the European Union.

So what is the CCPA? How does it compare to the GDPR? And how do you ensure that your e-commerce business is compliant with both? We’ve put together this article to give you the answers.

Background of the GDPR

First, let’s take a closer look at the set of regulations that started this global privacy movement - the GDPR.

The GDPR is essentially a regulation that protects the personal data and online privacy of all EU citizens and restricts the data collection powers of all EU-based companies. This means that it’s not just EU citizens who have gained online privacy thanks to the GDPR, but every citizen in the world who interacts online with EU-based companies.

The reach of the GDPR extends even further thanks to its “extra-territorial” effect, meaning that it applies not just to EU-based companies, but also to all companies that process EU data, whether they’re established in the EU or not, and regardless of where the actual data processing takes place.

And the influence of the GDPR doesn’t end there. Many countries depend heavily on trade with the EU, and it’s becoming common for the governments of such countries to implement a similar set of privacy laws, primarily for the sake of convenience. Since it came into effect in 2018, the GDPR has inspired a positive chain reaction. Data protection policies are being implemented all around the globe, the biggest of these so far being the CCPA.

Creation of the CCPA

The California Consumer Privacy Act (CCPA) came into effect on the 1st of January 2020. While the law only applies to one US state, it’s important to note just how influential this particular state is on the global economy. In fact, it’s predicted that the newly enforced CCPA will affect over 500,000 businesses.

So, what does the CCPA actually do? In the most basic terms, it provides Californians with the right to access, delete, and opt-out of the sale of their data. It’s essentially a less strict version of the GDPR.

The CCPA applies to businesses that meet any of the following criteria:

  1. Gross annual revenue exceeds US$25 million
  2. Handles the personal information of 50,000 or more California consumers, households or devices annually
  3. Derives more than 50% of annual revenue from selling consumers’ personal information

Or, any business that controls or is controlled by any entity that meets one of the above criteria or shares common branding with that entity.

The CCPA also grants Californian consumers the right to access and delete any stored information that businesses have about them, and to opt out of the sharing of any personal information in the future. If a consumer suspects a business of illegally storing or selling their private information, they have a “private right of action”, which allows them to enforce a fine on the guilty company themselves.

Similarities between the GDPR and CCPA

At first glance, the CCPA seems awfully similar to the GDPR. Under both laws, businesses need to follow certain guidelines when handling the personal information of consumers and need to be transparent about the information they collect. Because of this, e-commerce businesses that have recently updated their procedures to meet the requirements of the GDPR will have a much easier time meeting the CCPA guidelines than those that haven’t.

An important similarity between the CCPA and GDPR is that e-commerce businesses will need to be wary of working with any third party companies. As Deloitte’s Richard Vestuto explained well, “In terms of compliance, working with third parties is important because the organization is responsible for what those third parties do with its data - not to mention fourth and fifth parties”. Because of this, it’s imperative that e-commerce businesses only operate with third party companies they can trust to meet the GDPR and CCPA regulations.

The key differences between the GDPR and CCPA

While the similarities between the CCPA and the GDPR are significant, e-commerce businesses can’t be 100% sure they’re compliant with each set of regulations without first understanding the subtle differences between the two.

The primary difference between the two laws is that the GDPR is more severe than the CCPA.

Under the GDPR, companies need to gain user consent with an “opt-in” before they can access any of that consumer's data. The CCPA, on the other hand, only requires businesses to give consumers the option to “opt-out” when they plan to sell or share their information.

The other major difference between the two is that the GDPR applies to all businesses, while the CCPA only applies to businesses that meet the criteria listed earlier in the article.

The remaining differences between the GDPR and CCPA fit into three key categories:

1. The penalties handed to companies who breach the CCPA vs GDPR regulations

One of the biggest differences between the CCPA and the GDPR isn’t to do with the regulations themselves, but rather the punishment handed down to companies who breach them. It’s truly night and day.

Fines handed to companies in violation of the GDPR can be up to €20 million, or 4% of that company’s annual revenue, whichever number is greater.

At the polar opposite end of the scale, fines for violating the CCPA range from the measly sum of US$2,500 to a slightly scarier US$7,500.

On top of this, companies in violation of the CCPA will also have to pay between $100 and $750 per consumer, per incident, after the filing of a civil action suit.

Customer compensation in the EU differs between cases, depending on the damages incurred by each individual subject.

2. What the terminology in the CCPA vs GDPR refers to

While the GDPR and the CCPA legislations use many of the same words, each law interprets these words in a different way.

For example, the GDPR understands the ‘processing of personal data’ to be any action performed on someone’s personal information. This includes everything from the initial act of collecting the data, to the storing of the data, and of course the selling or use of that data. The CCPA, conversely, splits the definition into the ‘collecting’, ‘processing’ or ‘selling’ of data.

The ‘data’ included in each regulation is also different. Under the GDPR, ‘data’ must relate to a specific person, whereas the CCPA regulations also include data linked to a specific household or device.

Another key difference in the interpretation of ‘data’ is that the CCPA only covers data stored for specific reasons (i.e. to sell), while the GDPR covers the processing of any personal data regardless of its intended use. The GDPR has only two exceptions:

  • Non-automated, manually conducted data processing where the data is not held in a filing system
  • Any data processing that’s conducted by individuals for their own personal use

3. The information companies must provide to consumers under the CCPA vs GDPR

Under both the GDPR and CCPA regulations, e-commerce businesses must tell data subjects when their data is being processed, and the reasons for its processing. Businesses must also inform data subjects of their rights regarding that data, and how to contact a data protection officer if desired.

The CCPA is quite lenient when it comes to the enforcement of this legislation. It gives businesses a 12-month period in which they must send a report informing customers that they collected, sold, or disclosed their personal data for business purposes.

The GDPR is significantly more time-sensitive. It requires businesses to notify data subjects the moment they collect or share their information with a third party. Businesses are also obliged to remind any data subject that they are able to change their mind at any time and withdraw their consent to the sharing of any data they have previously shared.


CCPA and GDPR compliance for ecommerce

Global data privacy regulations are still in their early stages. Over the next few years, expect more states, countries, and unions to put similar or even stricter laws in place. Because of this, e-commerce store owners all over the world need to change the way they view data protection.

Ensuring that your e-commerce store complies with the growing global data protection regulations isn’t a chore; it’s an opportunity to stand out from the competition. Use your extensive data protection policy to help build your brand’s reputation and bring in new clients from anywhere in the world.

Whether or not you’re already compliant with the GDPR, your e-commerce business needs to conduct a thorough and complete review of all existing contracts with third-party providers. You need to know for sure that they aren’t collecting, processing, or retaining anyone’s personal information on your company’s behalf.

Making sure that your e-commerce business is compliant with the CCPA, GDPR and any future regulations is a necessary and time-consuming process. There’s no time like the present to start.