
CCPA – California Consumer Privacy Act and GDPR

Your Data Privacy is Your Right: Get to Know GDPR and CCPA


In 2018, the European Union released an update to its General Data Protection Regulation (GDPR). This update unified data privacy laws across Europe while empowering and protecting all EU citizens’ private, personal data.

This law impacted all companies that process or control any EU citizen’s data, regardless of their location. This makes GDPR legally binding for U.S. businesses with global operations, international sites, or even remote workers.

Fast forward two years: as of January 2020, the State of California (U.S.) will release the California Consumer Privacy Act (CCPA). The CCPA will give consumers insight into, and control of, any online personal information collected about them. This follows growing privacy concerns around corporate access to private data and the sale of that data by Big Tech (Facebook and Google, for example).

On the surface, it appears that the CCPA and GDPR are the same; they are far from it. Though both aim to protect ordinary citizens’ right to control their personal data, compliance, penalties, enforcement, and consumer rights are vital areas of differentiation.

Let’s look at four key takeaways below:


Compliance

GDPR applies to all businesses that process EU citizens’ data, irrespective of location and size. CCPA only applies to California-based companies earning over USD 25M, or whose core business function is the sale of personal information.

Penalties

GDPR penalties for non-compliance and/or a breach of data can reach up to 4% of the company’s annual global turnover or 20M Euro (whichever is greater). CCPA, on the other hand, applies fines on a per-violation basis (up to a maximum of USD 7.5K per violation). This total is uncapped, and there are apparently no sanctions for non-compliance. A CCPA violation, though, arises only at the point of breach, whereas GDPR can apply sanctions if a company is reasonably seen to be at risk of a breach for not behaving responsibly.

Consumer rights

Both will allow consumers the right to have their information accessed or deleted. The difference here is that the GDPR covers all data related to the EU citizen, while the CCPA treats both the consumer and the household as identifiable entities. In some cases, CCPA only recognizes data provided by the consumer, as opposed to data that is sourced or purchased from third parties.

Enforcement

While CCPA is not nearly as comprehensive as the GDPR (see compliance above), it is a first step in the process of protecting private consumer data. Other states are expected to follow.

Final thoughts

The good news here is that both laws call for data encryption, further underscoring the importance of privacy protection as an expected component of doing business. If breached data is encrypted, it retains a level of protection against unauthorized access and use, and this will result in a reduction in liability by default.