BY Stephen Cavey | 17 November 2020
In recent years, data privacy laws have become increasingly common as governments, consumers and third party organizations focus on businesses’ role in the collection, sharing and monetization of personal information. And while there are 132 data protection and privacy laws in existence across the globe, two of the most prominent data privacy regulations, the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have key similarities and differences that global organizations must take notice of.
Taking effect on January 1, 2020, the California Consumer Privacy Act (CCPA) allows California residents to control how businesses handle and process their personal data, giving them the ability to request access to, delete, or opt out of the sharing or selling of their personal information. The CCPA currently stands as the most far reaching consumer privacy law in the United States.
While the CCPA took effect at the beginning of 2020, enforcement did not begin until July 1, 2020, and since then several lawsuits have been filed by consumers against larger organizations like Walmart, TikTok and Zoom.
On November 3, 2020, California voters approved Proposition 24, establishing the California Privacy Right Act (CPRA), which amends the CCPA and will supersede it as California’s data privacy law in 2023.
On May 25, 2018, the European Union officially implemented the General Data Protection Regulation (GDPR) after years in the making. The GDPR protects all forms of personal data and defines it as any information relating to a person as an identifier. These include names, identification numbers, location data, as well as cultural, physical, and other instances of structured and unstructured data. The GDPR also addresses data sharing of personal information outside of the European Union.
Designed to protect citizens of the EU, the GDPR is far reaching, and has been influential in the creation of other consumer data privacy regulations including Thailand’s Personal Data Protection Act and the CCPA.
At the time of implementation, many businesses were poorly prepared to adhere to these new rules for consumer data protection and privacy – and many companies have yet to make the changes necessary to ensure total compliance, with just 28% of organizations having achieved compliance one year after implementation.
For some organizations and compliance officers, the CCPA is considered the “American GDPR,” but why? Let’s explore.
While the CCPA will be replaced by the CPRA in 2023, organizations still must remain compliant with the CCPA. In fact, establishing CCPA compliance will put organizations in a better position when the transition does eventually take place.
Under the CCPA, California citizens have the right to:
If an organization is discovered to not be in compliance, the CCPA allows individuals to take action on their own accord, holding businesses liable for up to $2,500 per individual violation or data breach. Under the CPRA, this fine triples to total $7,500 for violations involving minors. For more information on CCPA compliance, review Ground Labs’ CCPA checklist.
The CCPA represents another proof point in the global trend of governments and third party actors pushing companies to be more accountable when it comes to consumers’ data, and as the law continues to progress other states and countries are likely to follow suit. For now, organizations must learn what compliance laws they are subject to and managing data accordingly. Businesses that operate in California and meet at least one of the following thresholds are subject to CCPA compliance:
However, it is important to note that the recent passage of the CPRA will broaden these criteria meaning that more organizations will need to achieve compliance. Some notable criteria changes can be found below:
Sometimes referred to as the “American GDPR” the CCPA reflects the overall global trend of pushing companies to be more accountable with consumers’ data, and as the CCPA continues to evolve, other states and countries will likely follow suit. With that being said, it is no surprise that the CCPA and GDPR have key similarities including their focus on transparency. Almost every consumer data privacy regulation requires transparency into the types of information organizations are collecting and sharing about their customers. However, differences arise when we look at the rights of consumers.
For example, when it comes to user control, the GDPR gives consumers the right to consent to or opt in to the collection of their data before it is actually collected. Meanwhile, the CCPA allows businesses to collect consumer information, without consent, and gives California citizens the right to opt-out of data collection. This represents a key difference in how compliance is monitored and ultimately enforced as the GDPR seems to take a more proactive approach by requiring organizations to receive consumer consent.
And while the CCPA does not give consumers the opportunity to opt in, both laws reflect how governments are pushing organizations to be more accountable. As compliance and consumer data privacy continues to evolve in the years to come, holding organizations more accountable will be the most effective way to promote compliance.
The ultimate goal of all consumer data privacy regulations is to make organizations more accountable for how they manage consumer data. But how can organizations begin their compliance journey and become more accountable? It starts with data discovery, which can provide solutions to vital questions including:
As more and more regulations emerge, it will become even more difficult for organizations to manage consumer data privacy while the risks to personal information continue to grow. That’s why organizations must conduct data discovery sweeps that locate all existing data within the network.
Ground Labs’ Enterprise Recon helps organizations find and remediate sensitive information across the broadest range of structured and unstructured data, whether it’s stored on your servers, your employees’ devices, or in the cloud.
The advanced data discovery tool lays the groundwork for compliance, while also contributing ongoing efforts to monitoring, storing, and securing personally identifiable information.
Ready to learn how Ground Labs can help you and your organizations begin their path to CCPA and GDPR compliance? Schedule a demo today to find out more.
Share this article!
Want to keep up with all our blog posts? Subscribe to our newsletter!
As companies all around the world continue have large portions of their workforce remote, the need to keep their data safe and protected is even more critical. To help companies navigate this new reality and mitigate security risks, we are providing a 90-day complimentary version of our flagship solution—Enterprise Recon. Learn more about it here.
Please submit the form below and we’ll contact you to schedule a discovery call. Want to skip the email? Go here to schedule a meeting directly on our calendar.