Last Updated on September 27, 2018
With the EU’s GDPR now in force and California just enacting its Consumer Privacy Act (AB 375), the two-minute warning has sounded for US businesses that work with consumers’ personal data. You must move to implement privacy policies that align with these regulations—and the others that are sure to follow—or face fines, sanctions, lost business and even consumer lawsuits and reputational damage.
The good news is organizations that are moving to align with the GDPR, or even a comprehensive information security framework like ISO 27001, will be well on their way to compliance with the CCPA, and vice versa.
CCPA vs. GDPR
This post shares a high-level overview of some of the similarities and differences between the two bills. (Please note that this information is not intended as definitive guidance or as legal advice, which would be specific to your company.)
A fundamental idea that is driving the intent of modern privacy laws worldwide is that personal data is increasingly seen as the property of the individual, and not the firms that process and/or sell it.
This view gives rise to several key “rights” that are spelled out in different forms in both the GDPR and CCPA, including:
- A right to be informed about when one’s personal data is being collected/sold, and specifically what information a business has collected.
- A right to request that one’s data not be collected/sold (opting out).
- A right to request that one’s data be deleted (famously termed “the right to be forgotten).
- A right to get a machine-readable copy of one’s personal data.
- An ability to hold businesses accountable if they fail to adequately protect their data.
In a nutshell, the persons and data that are protected by the two laws are very similar. Many experts feel that the GDPR goes well beyond the CCPA in regards to the scope of rights for those protected.
One area where the two laws differ markedly is around accountability and enforcement. The CCPA allows California residents to individually or collectively file civil or class action lawsuits against a company for damages for violations and in the event of a data breach (as if breaches didn’t cost enough already). The CCPA also gives the California Attorney General’s office the power to pursue legal action. The GDPR goes further, affording the right to “effective judicial remedy” and to receive compensation, as well as the imposition of significant fines and sanctions by the governing body. It’s worth noting both laws require companies to report breaches in a timely manner.
The specific rights around control of personal data also differ in their particulars between the GDPR and CCPA. Again, the GDPR goes further, requiring “controllers” of data to explain their reasons and legal basis for processing personal data, specify recipients for the data, specify how long it will be stored, and much more. The CCPA more broadly requires businesses to disclose to consumers the categories and specific types of data collected, as well as recipients. Both laws offer consumers the right to demand that their data be deleted.
Rights for children under 16 also differ in at least one significant way: the CCPA states that businesses need “opt-in” consent to sell personal data for anyone they know to be under 16.
Another key and rather obvious difference between the two regulations is when they are in force. The GDPR was under development and review for about four years and has been in force since May 25, 2018. The CCPA, in contrast, was developed in just three months, with much of the work taking place in a single week. It is a much shorter document overall, and still subject to revision prior to its implementation in 2020.
Businesses subject to the GDPR and/or CCPA will need to ensure they understand exactly how they collect and use personal data, including what data they collect, where it comes from, how they use it, and who they sell or transfer it to. Many may need to put additional business processes and/or security controls in place to comply with consumer requests.
However, organizations with solid security postures that encompass access control, data anonymization, encryption and incident response should be well on their way to compliance with the GDPR, CCPA and forthcoming privacy mandates. Similarly, it’s not “too late” for businesses that are just beginning to look at their privacy and compliance posture to avoid negative impacts—provided they act quickly and effectively.
To start planning for with data privacy compliance, including a “gap analysis” around your current data privacy controls, contact Pivot Point Security.