GDPR vs. CCPA: A Breakdown
In recent years, data privacy laws have become increasingly common as governments, consumers and third-party organizations focus on businesses’ role in the collection, sharing and monetization of personal information. And while there are 132 data protection and privacy laws in existence across the globe, two of the most prominent data privacy regulations, the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), have key similarities and differences that global organizations must take notice of.
Taking effect on January 1, 2020, the California Consumer Privacy Act (CCPA) allows California residents to control how businesses handle and process their personal data, giving them the ability to request access to, delete, or opt out of the sharing or selling of their personal information. The CCPA currently stands as the most far-reaching consumer privacy law in the United States.
While the CCPA took effect at the beginning of 2020, enforcement did not begin until July 1, 2020, and since then several lawsuits have been filed by consumers against larger organizations like Walmart, TikTok and Zoom.
On November 3, 2020, California voters approved Proposition 24, establishing the California Privacy Rights Act (CPRA), which amends the CCPA and will supersede it as California’s data privacy law in 2023.
On May 25, 2018, the European Union officially implemented the General Data Protection Regulation (GDPR) after years in the making. The GDPR protects all forms of personal data and defines it as any information that relates to, or can identify, a person. This includes names, identification numbers and location data, as well as cultural, physical and other identifying characteristics, whether held as structured or unstructured data. The GDPR also addresses the sharing of personal information outside of the European Union.
Designed to protect citizens of the EU, the GDPR is far-reaching, and has been influential in the creation of other consumer data privacy regulations including Thailand’s Personal Data Protection Act and the CCPA.
At the time of implementation, many businesses were poorly prepared to adhere to these new rules for consumer data protection and privacy – and many companies have yet to make the changes necessary to ensure total compliance, with just 28% of organizations having achieved compliance one year after implementation.
For some organizations and compliance officers, the CCPA is considered the “American GDPR,” but why? Let’s explore.
Data Protection Under the CCPA
While the CCPA will be replaced by the CPRA in 2023, organizations still must remain compliant with the CCPA. In fact, establishing CCPA compliance will put organizations in a better position when the transition does eventually take place.
Under the CCPA, California citizens have the right to:
- Know what personal information is being collected
- Access the personal information that is collected, and request it be deleted
- Know whether their personal information is being shared, and if so, with whom
- Opt-out of the sale of their personal information
- Have equal service and price, whether or not they choose to exercise their privacy rights
If an organization is discovered to not be in compliance, the CCPA allows individuals to take action of their own accord, holding businesses liable for up to $2,500 per individual violation or data breach. Under the CPRA, this fine triples to $7,500 for violations involving minors. For more information on CCPA compliance, review Ground Labs’ CCPA checklist.
Who Does the CCPA Apply to?
The CCPA represents another proof point in the global trend of governments and third-party actors pushing companies to be more accountable when it comes to consumers’ data, and as the law continues to progress, other states and countries are likely to follow suit. For now, organizations must learn which compliance laws they are subject to and manage data accordingly. Businesses that operate in California and meet at least one of the following thresholds are subject to CCPA compliance:
- Earn $25,000,000 or more a year in revenue
- Annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices for commercial purposes
- Derive 50% or more of their annual revenue from selling consumer personal information
However, it is important to note that the recent passage of the CPRA will broaden these criteria, meaning that more organizations will need to achieve compliance. Some notable criteria changes can be found below:
- The CPRA clarifies that the organization must have satisfied the $25 million annual gross revenue threshold in the previous calendar year to be a subject business
- It changes the “50,000 consumers, households, or devices” threshold to 100,000 or more consumers or households
- Businesses can qualify if they derive 50 percent or more of their revenue from selling or sharing consumers’ personal information
CCPA vs. GDPR: Key Similarities and Differences
Sometimes referred to as the “American GDPR,” the CCPA reflects the overall global trend of pushing companies to be more accountable with consumers’ data, and as the CCPA continues to evolve, other states and countries will likely follow suit. With that being said, it is no surprise that the CCPA and GDPR have key similarities, including their focus on transparency. Almost every consumer data privacy regulation requires transparency into the types of information organizations are collecting and sharing about their customers. However, differences arise when we look at the rights of consumers.
For example, when it comes to user control, the GDPR gives consumers the right to consent to, or opt in to, the collection of their data before it is actually collected. Meanwhile, the CCPA allows businesses to collect consumer information without consent, and gives California citizens the right to opt out of data collection. This represents a key difference in how compliance is monitored and ultimately enforced, as the GDPR takes a more proactive approach by requiring organizations to obtain consumer consent.
And while the CCPA does not give consumers the opportunity to opt in, both laws reflect how governments are pushing organizations to be more accountable. As compliance and consumer data privacy continue to evolve in the years to come, holding organizations more accountable will be the most effective way to promote compliance.
Complying with CCPA and GDPR: Enter Ground Labs
The ultimate goal of all consumer data privacy regulations is to make organizations more accountable for how they manage consumer data. But how can organizations begin their compliance journey and become more accountable? It starts with data discovery, which can provide answers to vital questions including:
- What sensitive data does my company possess?
- Where is the data stored?
- Why was the data collected?
- How is the data being used?
As more and more regulations emerge, it will become even more difficult for organizations to manage consumer data privacy while the risks to personal information continue to grow. That’s why organizations must conduct data discovery sweeps that locate all existing data within the network.
Ground Labs’ Enterprise Recon helps organizations find and remediate sensitive information across the broadest range of structured and unstructured data, whether it’s stored on your servers, your employees’ devices, or in the cloud.
The advanced data discovery tool lays the groundwork for compliance, while also contributing to ongoing efforts to monitor, store, and secure personally identifiable information.
Ready to learn how Ground Labs can help you and your organization begin the path to CCPA and GDPR compliance? Schedule a demo today to find out more.