The General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) are both important privacy regulation legislations that provide added protection to consumers regarding their personal information.
The GDPR became enforceable in May, 2018 and the CCPA in July, 2020.
While there are many similarities between the two, there are also some differences worth noting. These regulations may apply differently to your business depending on how and where you are operating.
It is of the utmost importance that your company is positioned in such a way that you comply with all regulations present in the jurisdictions in which you are conducting business.
To ensure you are meeting all the requirements and not taking any risks that could leave your company with penalties for non-compliance, I provide services as a legal expert to help implement privacy programs for your business.
Overview of GDPR
The GDPR covers personal data that is collected about residents and citizens of the European Union (EU) and European Economic Area (EEA), as well as the sale or transfer of personal information outside of these areas.
The primary goal of the GDPR is to allow individuals to control their personal data and create an easy-to-navigate regulatory system for international businesses operating within the EU and EEA.
GDPR requires that all personal data collected by companies from EU and EEA residents and citizens be gathered only with the consent of the individual to whom it pertains. This must be done through legal means and adhere to the strict guidelines set forth.
A notable difference from the CCPA is the onus placed on the collectors of the information by the GDPR to ensure they take the necessary steps to protect the data from any misuse, security breach, or exploitation.
The specific types of information that are covered by these regulations are broadly defined as being “anything that may uniquely identify an individual.” Here are some common examples:
- IP addresses
- Genetic and biometric data (like fingerprints, DNA, or medically sensitive identifiers)
Overview of CCPA
The CCPA specifically covers data belonging to natural persons who are residents of California. This coverage extends to use outside of California if the information collected belongs to said residents.
The premise of the CCPA is that consumers “own” their personal information and data and under the Act are given five rights to control its collection and use:
- The right to know what personal info is being collected: This is accomplished through a company’s use of privacy policies and notices of use. They will explain what is being collected and how, as well as how it may be used.
- The option to opt-out of the sale or disclosure of their personal information: This is in contrast to the GDPR where consumers are offered the opportunity to opt-in rather than out.
- The right to access any personal information that has been collected: Certain parameters must be met by businesses when any consumer is requesting copies of the data held by the company, as well as how it has been used. Under CCPA, they have 45 days to provide this information at no cost to the consumer.
- The right to request that a business delete or remove their personal information from its systems or servers: Some exemptions apply to this regulation in terms of legal requirements to maintain records or for ongoing proceedings. In the case of legal holds, the data can be deleted upon the adjudication.
- Finally, consumers have a right to exercise their CCPA rights free from any discrimination. There shall be no change in their access to equal services and no increase in the price they pay companies for services based on their requests under the CCPA.
CCPA has some additional restrictions in place for children under the age of 17. Primarily, the restrictions state there can be no sale or use of the information without consent; parental consent is required for anyone under the age of 13.
The types of information that are protected by the CCPA are similar to that of the GDPR. There is one distinction that is noteworthy: CCPA also covers household and device information that is collected.
An overview of the other types of information that are considered to be personal data reads nearly the same as the GDPR:
- Phone numbers
- Email addresses
- Social security numbers
- Drivers license numbers
- Biometric and genetic data
- Internet and online data (browsing history, search history, IP addresses, geolocation information)
- Employment data
- Non-public education identifiers
Despite the differences between the two privacy programs, they share a common goal and execution. There are penalties and consequences for any business that fails to comply with the regulations.
Protecting consumer privacy rights has become even more important in recent years as we have moved into a predominantly digital era. Making sure your company is following the regulations is more important than ever. Fortunately, with the help of a trusted legal advisor, you’ll be able to safely navigate the intricacies of privacy law. Contact me to book a consultation today and ensure that your company remains compliant!