Sorting out the two biggest privacy regulations to hit privacy professionals in decades
The California Consumer Privacy Act (CCPA) was introduced just a month after the European Union instituted the General Data Protection Regulation (GDPR), earning the CCPA the nickname of “California’s GDPR.”
While the GDPR has been in effect since May of 2018, the CCPA took effect on January 1, 2020.
With the CCPA set to affect more than 500,000 companies, it’s more important than ever to get educated on the regulations and to make sure your company is compliant, which means preparing your employees.
Both the GDPR and the CCPA reference privacy training. But because the regulations are vague on how to best inform employees about the requirements and other privacy best practices, your training plan matters (more work to inform employees on the CCPA appears to be needed, as our Eye on Privacy Report earlier this year found that 46% of U.S. employees have never heard of the regulation).
While the CCPA does incorporate several aspects of the GDPR, many key components are different.
To better understand each regulation and what they mean for your business, we’ve rounded up the top six components to break down their similarities and differences.
Who Is Regulated? What Businesses Are Affected?
Let’s first handle the biggest difference between the two. The GDPR affects all European Union (EU) residents, while the purview of the CCPA—true to its name—is California residents.
The CCPA affects any for-profit entity doing business in California that meets any one of three requirements:
- A gross revenue greater than $25 million
- Annually buys, receives, sells, or shares the personal information of at least 50,000 customers
- Gets 50% or more of its revenue from selling consumers’ personal information
The GDPR regulates how organizations may collect, use, and disclose the personal data of EU citizens, whether or not the data processing takes place in the EU.
Social networking sites, for example, are all subject to the GDPR’s rules even though they were founded and are primarily run in the U.S.
Facebook recently came under fire after the revelation that they were storing passwords in plain text and are facing astronomical fines under the GDPR. Google, Netflix, and many other Silicon Valley giants have also been hit with fines.
Who Is Protected?
The protections offered between the two are similar in scope.
The GDPR protects all EU data subjects, which is why you’ve probably noticed so many notifications on websites about updated privacy policies in the last year (and probably got quite a few emails about it too!). This is an attempt by websites around the globe to cover their bases by updating their overall privacy policies to meet the GDPR requirements, regardless of what country their users are based in.
Under the CCPA, only residents of California (including those who may be temporarily living outside of the state) are protected. However, organizations based outside of California that meet the CCPA criteria (listed earlier in this post) and handle the data of California residents must still comply.
Additionally, many industry experts expect California’s move here to resonate across the U.S. in the form of national privacy legislation or, at the very least, similar laws passed in other states.
What Information Is Protected?
Both the GDPR and CCPA are focused on ensuring that personal data is used ethically and kept secure. (In essence, personal data refers to any information that relates to an identifiable subject.)
The GDPR focuses on giving consumers the right to be forgotten and the ability to have a say in how their data is used and retained, and even what that data looks like. For example, the GDPR gives EU consumers the right to correct any errors in their personal data that has been processed. The CCPA, however, does not.
The CCPA focuses more on informing the consumer of when and where their data is being collected, requiring an easily accessible “Do Not Sell My Personal Information” link on websites and privacy notices (conversely, the GDPR does not).
Ultimately, both protect countless types of information that you probably disclose each day without knowing it.
What Information Isn’t Included?
Anonymous data, which is any information that does not relate to an identifiable person, is excluded from the GDPR.
Similarly, the CCPA also excludes anonymous data—but it does set the bar high for claiming data is unidentifiable. The CCPA also specifically excludes these categories of personal data:
- Medical information and other protected health information
- Publicly available personal information
- Information collected in a clinical trial
- Publicly available government records
Are There Specific Security Requirements?
Neither the GDPR nor the CCPA outlines specific data security requirements; both leave the details open to interpretation. Terms like “appropriate measures” when it comes to taking security precautions mean different things to different companies, but that doesn’t mean you can skirt the requirement: under both bills, you’re subject to review at any time.
The GDPR requires that data controllers and processors implement technical measures to ensure an appropriate level of security, and to be able to demonstrate that all processing is done in accordance with the GDPR.
The CCPA, conversely, outlines a specific legal course of action for consumers whose data has been breached because a business violated this provision by failing to provide reasonable security practices.
What Happens If My Company Violates These Laws?
Fines—and big ones. Under the GDPR, fines can reach 4% of global annual turnover or €20 million (approximately $22 million in U.S. dollars), whichever is higher. Facebook’s aforementioned password revelation is amounting to a multi-billion-dollar fine under the GDPR.
The CCPA has two tiers, depending on whether the violation is intentional. For unintentional violations, it can be up to $2,500. For intentional ones, $7,500. But don’t be fooled: these numbers can add up quickly as multiple infractions can be stacked with no clear ceiling.
The CCPA handles each case in a civil action brought by the Attorney General, whereas the GDPR simply issues fines through a data protection authority.
One thing is clear: The world is demanding better privacy laws when it comes to personal data. The GDPR was the first big worldwide push, and the CCPA is the first major stateside bill to tackle the issue.
While it’s likely that each state’s own soon-to-come offerings will be tailored with their own individual requirements, it’s important to look at both bills as a basis for all future legislation.
Both require that companies take strong measures to protect the personal information of consumers. If a data breach were to occur due to a lack of proper security and training, companies are subject to high fines and possibly other actions against them.
Rather than trying to get employees to memorize complex legal jargon, it’s both easier and more efficient to build a privacy-aware culture by using awareness training for employees who handle sensitive data.