You’ve heard of GDPR and the rules and regulations that surround it, and your business is most likely compliant by now. However, CCPA, California’s equivalent to the European Union’s GDPR, comes into effect on the 1st of January 2020, and businesses need to ensure they’re ready for it. Being compliant with GDPR, while the two laws are similar in aims and scope, doesn’t mean you’re already compliant with the rules of CCPA. Below we take a look at the differences between the two pieces of legislation, to help you become both GDPR and CCPA compliant.
Who will be Regulated?
When it comes to data protection and who is regulated by these tougher user data laws, GDPR is much broader and has a wider territorial scope in terms of the subjects of the regulation. GDPR regulates anyone who controls or processes the data of others within the EU, either for activities relating to an EU establishment, or as a data handler offering goods or services within the EU or monitoring the activities of customers there. GDPR applies to all businesses controlling the data of EU citizens regardless of whether the data is handled outside of the EU, meaning any business offering services within the EU must be compliant.
With CCPA, those regulated are for-profit businesses that meet certain criteria (such as handling the data of more than 50,000 consumers, households or devices), or that are owned by, or share the branding of, a business that is covered by the regulation. GDPR and CCPA are therefore very different in terms of who is regulated: as mentioned previously, GDPR has a much wider scope than CCPA and covers many more people.
Who is Protected by the Laws?
Generally speaking, CCPA and GDPR both aim to protect individual people’s identifiable data and are both broad in approach, with room given for extraterritorial effect. However, the definitions differ considerably, with CCPA also including in its definition data at the household and device level, not just the data of individual people. CCPA protects people normally resident in California, whom it defines as consumers. GDPR protects any person’s personal data and does not use the consumer definition, instead focusing on people more generally and broadly. Under both laws, the data must relate to an identifiable natural person.
What Information is Protected by CCPA and GDPR?
Information that can be used to identify or relate to individual people is protected by both CCPA and GDPR. In terms of what is protected, both pieces of legislation are similar in their aims and scope and are both fairly broad. CCPA excludes some publicly available information from government records and also adds a definition for data relating to a household or specific device, something which GDPR lacks. GDPR, for its part, prohibits the processing of certain special category data types unless there is a legally justifiable reason for it. The statutory definition in CCPA includes a list of specific categories of information that it covers, so if you need to be compliant, make sure you know exactly what the law covers.
What Should you Include in your Privacy Notice?
Both GDPR and CCPA have broadly similar disclosure requirements. However, differences are apparent in the information that is required and in how the disclosure is delivered to the consumer. CCPA specifies that consumers be notified about things such as the personal information that will be collected and how it will be used. You must also provide an explicit notice if you are selling information gathered from another business, and must give consumers the opportunity to opt out of this.
GDPR is similar in that data handlers and controllers must notify consumers of any information gathered from a third party. CCPA notices only apply to third party data handlers for the 12 months preceding the request for information from another business. As discussed above, you need to ensure you are compliant with this legislation if you handle the data of those in California. As with GDPR, you should always ensure your privacy notice is compliant and up to scratch.
Security Requirements of the Laws
The CCPA legislation doesn’t directly impose security requirements upon those it regulates. However, it does allow a right of action against businesses that suffer certain data breaches resulting from a violation of the business’s duty to implement reasonable security measures appropriate to the level of risk, a duty that arises from existing California law.
The security requirements of GDPR are that the level of security must be appropriate to the level of risk of the data being held, and data controllers and processors must establish secure and appropriate measures and procedures for handling the data of covered people.
Both pieces of legislation are similar in approach; however, the level of security required under them will vary depending on the particular organisation and its circumstances, as well as on the interpretation of the regulators. In general, you can’t go far wrong by implementing the most secure protocols and systems possible if you don’t wish to fall foul of these two data protection laws.
The Handling of Data of Children
Other than the ages involved (those below the age of 16), GDPR and CCPA have very different requirements when it comes to the processing and handling of children’s data. With CCPA, those aged 13-16 can provide direct consent, whereas those below 13 must have parental consent for their data to be processed and sold. Under CCPA you cannot sell the data of someone under 16 without either direct or parental consent, and the protections provided by the Federal Children’s Online Privacy Protection Act still apply on top.
Under GDPR, direct consent cannot be given until 16; however, individual member states may lower this to no younger than 13. A parent or guardian must give consent for someone below the consenting age before their data can be sold and processed, the data must be held under higher security requirements, and a child-appropriate privacy policy must be available for display. As you can see, when it comes to children, both pieces of legislation have tougher requirements than for adults.
How Should I Respond to Rights Requests?
Responding to a rights request from consumers whose data you hold is substantially similar under GDPR and CCPA. Under both pieces of legislation, the data controller must verify the identity of the person making the request and respond accordingly. Requests must be responded to without undue delay: this is set to 45 days under CCPA and no longer than a month under GDPR, although under GDPR it can be extended to 2 months if necessary after notifying the data subject. Under CCPA, the time to respond can be extended once by a further 45 or 90 days from customer notification. If no action is to be taken, then the customer must be informed of the reasons why, and under CCPA the request must be fulfilled for free unless it is clearly unfounded or is deemed to be excessive. Under GDPR, data requests do not have to be free of charge.
As you can see from this post, GDPR and CCPA have fundamentally similar aims of protecting the data of consumers; however, they approach the issue of data protection in numerous different ways. The specific rules differ between the two pieces of legislation, and in some areas you will find that CCPA goes a lot further. Because of the differences listed above, and others, you need to ensure that you are compliant with CCPA when it comes into effect at the start of 2020. Being compliant with GDPR does not mean you’ll be ready for CCPA, so do some preparation!