Before the CCPA becomes law on January 1, 2020, compliance officers worldwide (not just in California or the U.S.) need to be sure their companies are compliant. Are steps taken toward GDPR compliance sufficient? Termly’s Felix Sebastian explores the differences between the regulations.
Since the General Data Protection Regulation (GDPR) took force, businesses have collectively spent billions of dollars and “hundreds of years of human time” on compliance efforts. These numbers look excessive at first glance, but with the GDPR supervisory authorities handing out multimillion-dollar fines to Google and other corporate giants this year, investing in prevention measures is cheaper than coughing up 4 percent of revenue.
Data protection officers and consumers alike are only just adjusting to this new era of data privacy laws, but another major regulation — the California Consumer Privacy Act (CCPA) — is awaiting its turn to go live on January 1, 2020.
Knowing how the CCPA and the GDPR differ (and are similar) is crucial to effectively prepare for upcoming CCPA compliance challenges. Here’s an infographic to help you get started on this research.
While the infographic compares the fundamentals of the GDPR and the CCPA, here are a few more similarities and differences worth noting:
Extraterritoriality — Who’s Covered?
Both the GDPR and the CCPA are extraterritorial in their scope. This means that while these two laws are based in the European Union (EU) and the U.S. state of California (CA), the laws still apply to businesses worldwide that target EU* and California residents, respectively.
Given the transnational nature of data and businesses in this internet age, extraterritoriality is a standard component in new privacy laws around the world, such as those in Thailand and Brazil.
Personal Data — What’s “Personal?”
At the core of both the GDPR and the CCPA lies the protection of personal data. However, the two laws differ in how they define “personal”; these distinctions in phrasing, though minor, have practical implications for businesses.
The GDPR uses the term “personal data” and defines it as “information that relates to an identified or identifiable individual.”
In contrast, the CCPA uses the term “personal information” and defines it as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA’s use of “reasonably” in its definition provides more room for interpretation. In practice, this means that, for example, hashed data might not be deemed “personal” under the CCPA. We’ll have to wait and see how the interpretations of the enforcement agencies, businesses and consumers play out in the months following the CCPA taking effect.
Rights — What’s Provided?
Both the GDPR and the CCPA entitle their subjects to know what personal information is collected from them (and whether and with whom it’s shared), to access this information and to request that it be erased.
Specifically, the GDPR gives EU* consumers eight rights over their personal data. Those include the right to:
- Restrict (processing)
- Data portability
- Object (to direct marketing)
- Object to decision-making based only on automated profiling
The CCPA, on the other hand, grants California consumers five rights, which include the right to:
- Object (to sale of their data)
- Service without discrimination
The two laws differ slightly in the meaning of “right to object.” Whereas the GDPR affords its subjects the rights to object to direct marketing and to restrict the processing of their personal data, the CCPA provides a related, yet different right: the right to object to the sale of their data.
Furthermore, the CCPA specifies the “right to nondiscrimination,” meaning consumers who choose to exercise their CCPA rights are entitled to equal prices, products and services as any other customer.
Finally, let’s review exemptions to the GDPR and the CCPA.
Although the GDPR is a law passed by the European Parliament, the GDPR does not apply in its entirety to all EU member states. Article 23 of the GDPR allows member states to reasonably modify and/or restrict certain data rights when it comes to matters of national significance, for example:
- Criminal investigations
- National and public security
- Economic and financial interests of the EU or the state
A list of GDPR exemptions available in the U.K., for instance, was recently published by the U.K. Information Commissioner’s Office.
Given that the CCPA is a law passed by a single U.S. state, it handles exemptions in a more direct manner: through the text of the law itself and through amendments. CCPA exemptions mostly pertain to personal data in business sectors that already have laws in place for regulating how data is processed. Examples include:
- Consumer reports covered by the Fair Credit Reporting Act
- Insurance-related data covered by the Gramm–Leach–Bliley Act and the California Financial Information Privacy Act
- Health data covered by the Health Insurance Portability and Accountability Act (HIPAA)
Some CCPA exemptions are currently meant to be in effect only until January 1, 2021, giving lawmakers a year to pass supplementary data privacy laws that pertain to the following:
- Job applicants
- Business-to-business transactions
What happens when those laws pass (or fail to pass) remains to be seen.
In addition to these exemptions, note that the CCPA applies to only a subset of companies that collect the personal data of California residents, as illustrated in the infographic. Furthermore, the CCPA does not apply to nonprofits. The GDPR casts a much wider net, with no revenue or volume thresholds.
GDPR-fatigued compliance officers may be dismayed by the new challenge of CCPA compliance. But, strategically speaking, those who’ve already developed systems and processes to satisfy the GDPR are in a good position due to overlap with the CCPA. Focusing on the key differences between these two regulatory behemoths can help ensure total compliance.
*More specifically, the GDPR applies to all entities that process the personal data of any resident of the European Union member states plus Iceland, Liechtenstein, Norway and Switzerland.