The Main Differences Between GDPR and CCPA (Part 1)
By passing the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, the Golden State is taking a major step in the protection of consumer data. The new law gives consumers insight into and control over the personal information collected about them online. It follows a growing number of privacy concerns about corporate access to, and sales of, personal information at leading tech companies like Facebook and Google.
The CCPA is a strong step in the right direction for the U.S. However, it does not go as far as the European Union’s General Data Protection Regulation (GDPR), which went into effect May 25, 2018. The GDPR (Regulation (EU) 2016/679) and the California Consumer Privacy Act of 2018 (‘CCPA’) both aim to guarantee strong protection for individuals regarding their personal data, and both apply to businesses that collect, use, or share consumer data, whether the information was obtained online or offline.
Here are the four main differences between GDPR and CCPA:
The Businesses That Must Comply
The GDPR applies to all businesses that process the data of EU citizens, irrespective of their location or size. The CCPA is slightly narrower in its scope: it only applies to California-based businesses with revenue above $25 million USD or those whose primary business is the sale of personal information. (The latter criterion is a nod to the Facebook/Cambridge Analytica scandal.)
The GDPR mandates penalties for non-compliance and/or a data breach, which can reach up to 4% of the company’s annual global turnover or 20 million Euros (whichever amount is greater), with the commitment that administrative levies will be applied proportionately.
CCPA fines are applied per violation (up to a maximum of $7,500 USD per violation), are uncapped in total, and there are apparently no sanctions for non-compliance as such. A violation is only considered at the point of breach (many would say too late), whereas the GDPR can apply a sanction where a company is deemed to be at risk of a breach or not behaving responsibly. In addition, the CCPA allows the consumer to sue the business for a violation.
Both regulations endow the consumer with specific rights, such as the right to have information deleted or accessed. The GDPR is focused on all data relating to the EU consumer/citizen, whereas the CCPA considers both the consumer and the household as identifiable entities and, in some cases, only covers data provided by the consumer, as opposed to data sourced or purchased from third parties. It is important that businesses test their processes to ensure they can actually fulfil these rights, for example by verifying that a deletion or access request can be served end to end across every system that holds the data.
Enactment and Enforcement
Before the CCPA goes into effect in 2020, it may become more detailed. In its current form, it looks like it was created in reaction to recently publicized instances of misuse of personal data. In comparison, the GDPR was adopted in April 2016 and became enforceable on May 25, 2018.
Although the California Consumer Privacy Act is not as comprehensive as the GDPR, it is the first step toward protecting consumer data. California, which pioneered tech innovation, is now paving the way for consumer privacy. This new law gives consumers more protection and a better understanding of how their data is being collected and used, which ultimately gives them control over their data. Other states are expected to follow California’s lead, and it will be interesting to see which state will be next.
The Use of Encryption is Addressed in Both Laws
The good news is that both laws call for data encryption, making it an essential privacy protection component for businesses. If breached data is encrypted, companies have a level of protection against unauthorized access and, by default, some reduction in liability.
GDPR’s Article 32 is focused on encryption. The regulation doesn’t prescribe any specific technologies, and Article 32 is the first and only technical recommendation provided within the whole set of articles (99 in all).
Under both regulations, if a company suffers a breach but the data is encrypted (unintelligible to unauthorized users), some of the company’s obligations are reduced. For instance, in that case the organization is not required to notify everyone affected by the incident. The practical caveat is that this relief only holds if the encryption keys were not exposed in the same incident, so key management deserves the same attention as the encryption itself.
These four areas give you an overall idea of where to focus some of your main efforts. They are discussed in more detail in my follow-up posts, where I look at the major differences between GDPR and CCPA and where the focus should be.