On Jan 13, 2020
Since the internet was created in the late 1960s, it has managed to operate somewhat outside of the law. After decades of this “wild west of the internet”, it seems we’re entering a much-needed phase of reform.
On the 1st of January 2020, new legislation came into effect throughout the state of California that will have huge repercussions for the global e-commerce industry. The California Consumer Privacy Act (CCPA) is in many ways similar to the General Data Protection Regulation (GDPR) that was enforced throughout the European Union in May 2018, which works to protect the online privacy of European citizens.
So what is the CCPA? How does it compare to the GDPR? And how do you ensure that your business is compliant with both? We’ve put together this article to give you all the answers.
Background of the GDPR
First, let’s take a closer look at the set of regulations that started this global privacy movement: the GDPR.
The GDPR is essentially a regulation that protects the personal data and online privacy of all EU citizens and restricts the data collection powers of all EU-based companies. This means that it’s not just EU citizens who have gained online privacy thanks to the GDPR, but every citizen in the world who interacts online with EU-based companies.
The reach of the GDPR extends even further thanks to its “extra-territorial” effect, meaning that it applies not just to EU-based companies, but also to all companies that process EU data, whether they’re established in the EU or not, and regardless of where the actual data processing takes place.
And the influence of the GDPR doesn’t end there. With many countries depending heavily on trade with the EU, it’s becoming common for governments to implement a set of similar privacy laws, primarily for the sake of convenience. Since its implementation in 2018, the GDPR has inspired a positive chain reaction, with data protection policies being implemented all around the globe. The biggest of these so far is the CCPA.
Creation of the CCPA
The California Consumer Privacy Act (CCPA) came into effect on the 1st of January 2020. While the law only applies to one US state, it’s important to note just how influential this particular state is on the global economy. In fact, it’s predicted that over 500,000 businesses will be affected by the newly enforced CCPA.
So, what does the CCPA actually do? In the most basic terms, it provides Californians with the right to access, delete and opt-out of the sale of their data. It’s essentially a less strict version of the GDPR.
The CCPA applies to businesses that meet any of the following criteria:
- Gross annual revenue exceeding US$25 million
- Handling the personal information of 50,000 or more California consumers, households or devices annually
- Deriving more than 50% of annual revenue from selling consumers’ personal information
Or, any business that controls or is controlled by any entity that meets one of the above criteria or shares common branding with that entity.
The CCPA also grants Californian consumers the right to access and delete any stored information that businesses have about them, and to opt out of the sharing of any personal information in the future. If a consumer suspects a business of illegally storing or selling their private information, they have a “private right of action”, which allows them to enforce a fine on the guilty company themselves.
Similarities between the GDPR and CCPA
At first glance, the CCPA seems awfully similar to the GDPR. Under both laws, businesses need to follow certain guidelines when handling the personal information of consumers and need to be transparent about the information they collect. Because of this, businesses that have recently updated their procedures to meet the requirements of the GDPR will have a much easier time meeting the CCPA guidelines than those that haven’t.
An important similarity between the CCPA and GDPR is that businesses will need to be wary of working with any third-party companies. As Deloitte’s Richard Vestuto explained well, “In terms of compliance, working with third parties is important because the organization is responsible for what those third parties do with its data - not to mention fourth and fifth parties”. Because of this, it’s imperative that businesses only operate with third-party companies they can trust to meet the GDPR and CCPA regulations.
The key differences
While the similarities between the CCPA and the GDPR are significant, businesses can’t be 100% sure they’re compliant with each set of regulations without first understanding the subtle differences between the two.
The primary difference between the two laws is that the GDPR is stricter than the CCPA.
Under the GDPR, companies need to gain user consent with an “opt-in” before they can access any of their data. The CCPA, on the other hand, only requires businesses to give consumers the option to “opt-out” when their information is going to be sold or shared.
The other major difference between the two is that the GDPR applies to all businesses, while the CCPA only applies to businesses that meet the criteria listed earlier in the article.
The remaining differences between the GDPR and CCPA can be divided into 3 key categories:
1. The penalties handed to companies who breach the regulations
One of the biggest differences between the CCPA and the GDPR isn’t to do with the regulations themselves, but rather the punishment handed down to companies that breach them. It’s truly night and day.
Fines handed to companies in violation of the GDPR can be up to €20 million, or 4% of that company’s annual revenue, whichever number is greater.
At the polar opposite end of the scale, fines for violating the CCPA range from the measly sum of US$2,500 to a slightly less measly US$7,500.
On top of this, companies in violation of the CCPA will also have to pay between $100 and $750 per consumer, per incident, after a civil action suit is filed.
Customer compensation in the EU differs between cases, depending on the damages incurred by each individual subject.
2. What the terminology in each regulation refers to
While the GDPR and the CCPA use many of the same words, these words are interpreted in different ways by each law.
For example, the GDPR understands the ‘processing of personal data’ to be any action that is performed on someone’s personal information. This includes everything from the initial act of collecting the data, to the storing of the data, and of course the selling or use of that data. The CCPA, on the other hand, splits the definition into the ‘collecting’, ‘processing’ or ‘selling’ of data.
The ‘data’ included in each regulation is also different. Under the GDPR, ‘data’ has to be connected to a specific person, whereas the CCPA regulations also include data that is linked to a specific household or device.
Another key difference in the interpretation of ‘data’ is that the CCPA only covers data stored for specific reasons (to be sold etc.), while the GDPR covers the processing of any personal data regardless of its intended use. There are only two exceptions:
- Non-automated, personally conducted, data processing efforts that are not going to be filed.
- Any data processing that’s conducted by individuals for their own personal use.
3. The information companies must provide to consumers
Under both the GDPR and CCPA regulations, data subjects must be told when their data is being processed, and the reasons for its processing. Data subjects must also be informed of their rights regarding that data, and how to contact a data protection officer if desired.
The CCPA is quite lenient when it comes to the enforcement of this requirement. It gives businesses a 12-month period in which they must send a report that informs customers that their personal data has been collected, sold, or disclosed for business purposes.
The GDPR is significantly more time-sensitive. It requires businesses to notify data subjects the moment their information is collected or shared with a third party. Businesses are also obliged to remind any data subject that they are able to change their mind at any time and withdraw their consent to the sharing of any data they have previously shared.
What should your next steps be?
Global data privacy regulations are still in their early stages. Over the next few years, you can expect more states, countries, and unions to put similar or even stricter laws in place. Because of this, executives all over the world need to change the way they view data protection.
Ensuring that you comply with the growing global data protection regulations shouldn’t be seen as a chore but as an opportunity to stand out from the competition. Use your extensive data protection policy to help build your brand’s reputation and bring in new clients from anywhere in the world.
Regardless of whether or not you’re already compliant with the GDPR, you also need to conduct a thorough and complete review of all existing contracts with third-party providers. You need to know for sure that they aren’t collecting, processing or retaining anyone’s personal information on your company’s behalf.
Making sure that your business is compliant with the CCPA, GDPR and any future regulations is a necessary and time-consuming process. There’s no time like the present to start!