If your company has customers in California or the European Union (EU), two consumer privacy policies will likely impact your operations:
- The EU’s General Data Protection Regulation (GDPR)
- The California Consumer Privacy Act (CCPA)
These are among the most visible privacy regulations enacted around the globe. Both regulations include heightened requirements around safeguarding customers’ personal information, which means your company may need to take additional precautions to remain compliant.
Below, we’ll explore the requirements of the CCPA and the GDPR, what these requirements mean for your organization, and crucial compliance steps to prevent penalties and fines.
General Data Protection Regulation
In April 2016, the European Parliament adopted the GDPR, which replaced an outdated data protection directive from 1995. The primary objectives of the regulation are to:
- Give control back to individuals over their personal data
- Simplify the regulatory environment for international business
- Unify privacy regulations within countries part of the European Union
As of May 25, 2018, organizations must prove they’re compliant with these regulations.
The GDPR carries provisions that require businesses to protect the personal data and privacy of anyone who happens to be in the EU at the time of collection or processing. It focuses on not only EU citizens, but also any individual whose data is collected and processed. Anyone based in or visiting an EU country is safeguarded by GDPR.
For example, if a US citizen travelled to Germany, made a purchase in a store, and was required to supply their name and address for an invoice, their personal data would be secured in line with GDPR obligations, and they’d be given the same rights and freedoms as all EU citizens under GDPR.
Personal Data
The GDPR only applies to EU data subjects, so understanding the definition of data is critical for compliance. Information that doesn’t fall within the definition of personal data isn’t subject to the law.
Personal data is any information that can be used to identify an individual, directly or indirectly, such as:
- Full name, birth date, and physical address
- Email address, IP address, and web browser history files—known as cookies
- National identification number and passport number
Sensitive Personal Data
This information is also protected under the GDPR. Sensitive personal data is a special category of personal data that is subject to additional protections. This data includes:
- Racial or ethnic origins
- Political opinions
- Religious or philosophical beliefs
- Health care-related information
- Genetic or biometric data
Pseudonymous Data
The GDPR introduces a new concept of pseudonymous data. This data is subjected to technological measures—like hashing or encryption—so it doesn’t directly identify an individual without using additional information.
Pseudonymous data is still considered personal data and is subject to GDPR requirements. However, organizations that encrypt data will benefit from relaxations of certain GDPR provisions, in particular those related to data-breach-notification requirements. This is because loss of pseudonymized data isn’t likely to create risk of harm.
California Consumer Protection Act
The CCPA was signed into law by Governor Jerry Brown on June 28, 2018, and entered into force January 1, 2020. CCPA enforcement took effect July 1, 2020.
This law regulates how organizations can collect, use, or share California residents’ personal information and gives California consumers certain rights, including the right to:
- Know what personal information the business possesses
- Request the business delete that information
- Opt out of their personal information being sold or shared
The CCPA impacts any organization that:
- Does business in California—regardless of location
- Collects personal information of California residents
- Determines the uses of the information
Key Differences Between GDPR and CCPA
Both laws apply to businesses that determine the “purposes and means of the processing” of data. However, there are several differences between GDPR and CCPA with regard to personal scope, material scope, personal data, controllers, and processors.
Personal Scope
The CCPA sets thresholds that determine the businesses covered by the law, while the GDPR doesn’t.
CCPA Inclusion Criteria
Only a few types of companies are exempt from CCPA, such as businesses with fewer than 20 employees and financial institutions subject to the California Financial Information Privacy Act.
Companies subject to CCPA requirements include those that:
- Have an annual gross revenue of at least $25 million
- Annually receive, directly or indirectly, the personal information of 50,000 or more California residents, devices, or households
- Derive 50% or more of their annual revenue from selling personal information about California residents
It’s important to note that personal information and sale are given expansive definitions under the CCPA, which greatly increases the scope of business subject to CCPA requirements.
Material Scope
The material scope is fairly consistent between both laws.
The GDPR applies to the processing of personal data by automated means or nonautomated means if the data is part of a filing system. The CCPA doesn’t specifically delineate a material scope, but its obligations cover collecting, selling, or sharing personal information.
The CCPA definition of personal information presents some overlaps with the GDPR definition of personal data. However, the CCPA provides several specific carve-outs from its scope of application that aren’t in the GDPR, such as medical and protected health information.
Both the CCPA and the GDPR aren’t applicable to law enforcement and national security, although they may apply to businesses providing services to law enforcement or national security agencies.
Personal Data
The two laws are fairly consistent when it comes to personal data. However, personal data under the GDPR and personal information under the CCPA are both broadly defined.
Any Information
The CCPA defines the term any information and clarifies that households and individuals are counted as identified or identifiable persons.
The definition of personal data in the GDPR only explicitly refers to individuals, but discussions and enforcement actions across Europe have shown that personal data, as defined in the law, may also cover households.
Inferences
Although the GDPR doesn’t explicitly address inferences—while the CCPA does—EU companies may be subject to inference requirements if they relate to identified or identifiable individuals, according to the definition of personal data.
Sensitive Data
Unlike the CCPA, the GDPR defines sensitive data, also known as special categories of data. Companies are prohibited from processing this data unless a specific exemption applies.
The CCPA provides a definition for biometric data. This definition includes elements of the GDPR’s definition of special categories of data, such as DNA, fingerprints, and iris scans.
However, the CCPA doesn’t create a more protective regime for this category of data. While the GDPR provides a higher level of protection for health-related data, the CCPA excludes medical information from its protection categories.
Controllers and Processors
These categories are fairly consistent between the two laws. Controllers under the GDPR have similarities with businesses under the CCPA; both are responsible for complying with obligations under the respective laws.
Some GDPR obligations, however, also apply to processors. These are entities that process personal data on behalf, and under the direction, of controllers. Although processors under the GDPR bear similarities to service providers under the CCPA, the GDPR places more detailed obligations on processors.
For example, the GDPR requires a detailed contract be put in place between controllers and processors, laying out the terms of the controller-processor relationship. Similarly, the CCPA requires that personal information is disclosed to service providers pursuant to a written contract.
Rights Under the Laws
Rights dictated in the CCPA and GDPR include the following:
- Right to be informed
- Right of access
- Right to data portability
- Right to deletion—right to erasure for GDPR
- Right to object—right to opt-out for GDPR
- Right not to be discriminated against—right not to be subject to discrimination for the exercise of rights
Right to be Informed
Both the GDPR and the CCPA include prescriptive provisions addressing information organizations must provide to individuals when collecting and processing personal information.
In particular, both pieces of legislation prescribe when and what kind of information must be given to individuals.
Unlike the GDPR, the CCPA doesn’t distinguish between the notice for collecting information directly from individuals and the notice when information is obtained from other sources.
Under the CCPA, there’s a specific requirement that consumers receive explicit notice when a third party intends to sell their personal information. Also, the CCPA specifies that a company’s privacy policy and notice must be updated every 12 months.
Right to Access
Both the GDPR and the CCPA establish a right to access, which allows individuals full visibility of the data an organization holds about them.
The two laws present some differences, such as procedures organizations should follow to comply with an individual’s request. Under GDPR, data subjects’ requests must be complied without “undue delay within one month from the receipt of the request.” While the CCPA states that a response is required within 45 days.
These responses follow the same requirements as those noted under the right to erasure.
Right to Data Portability
The right to data portability is fairly consistent between the two laws. The CCPA considers data portability part of the right to access, while the GDPR provides a separate and distinctive right. This states that data subjects have the right to receive their data in a “structured, commonly used, and machine-readable format.”
The CCPA provides that whenever access is electronically granted to consumers, the information must be in a portable and readily useable format that allows the consumer to transmit the information to another entity.
The same response times noted under the right to erasure and the right to access are also applicable.
Right to Erasure
The right to erasure is similar in both pieces of legislation, but with variations in scope, applicability, and exemptions.
Both the GDPR and the CCPA allow individuals to request deletion of their personal information, unless exceptions apply. Exceptions include freedom of speech, research data that would impair the objectives of the research, or exercising legal claims.
Both laws have a deadline for responding to a request for erasure. Responses must occur within one month for GDPR erasure requests and within 45 days for CCPA requests.
Right to Object
Both the GDPR and the CCPA guarantee a right for individuals to ask organizations to stop processing and selling their data.
Under the CCPA, consumers can only opt out of personal data sales—not collection or other uses that don’t fall under the definition of selling. By contrast, individuals can object to any type of processing of personal data under the GDPR—either by simply withdrawing consent, or by objecting to processing based on legitimate interest or necessity for a task in the public interest.
The CCPA’s right to opt out of personal information is absolute, while the GDPR’s general right to object has a specific exception where the controller demonstrates legitimate grounds for data processing that override the rights and interests of the data subject.
Right Not to Be Discriminated Against
The CCPA introduces the right not to be subject to discrimination for the exercise of rights. This means consumers must not be charged differently or denied services.
This right isn’t explicitly included in the GDPR, but some provisions are based on the same principle that individuals must be protected from discriminatory consequences.
Enforcement
The GDPR has data-protection authorities and supervisory authorities in each country, while the California Attorney General assesses violations with CCPA.
In November 2020, California voters passed Proposition 24, also known as the California Privacy Rights Act (CPRA), which aims to strengthen consumer privacy protections and enhance the CCPA. One significant change under the CPRA is the creation of the California Privacy Protection Agency, which will become a privacy regulator that enforces and implements consumer privacy laws and imposes administrative fines.
Both the GDPR and the CCPA allow monetary penalties in cases of noncompliance. However, penalty amounts, natures, and procedures differ significantly.
Compliance
Your company can determine its compliance requirements by following these steps.
- Locate business activities where personal data collection or processing occurs.
- Evaluate the type of data collected.
- Determine how the data is collected, disseminated, processed, and retained as well as how it can be removed from the systems.
- Figure out if data is shared with a data processor or service provider, evaluate contracts, and make sure protections are present to cover GDPR or CCPA.
- Evaluate your breach notification requirements—there are differences between GDPR and CCPA, and each has its own breach-notification requirements.
Steps for Compliance
After determining your key compliance requirements, your company can take the following steps:
- Compliance responsibilities. Delegate CCPA or GDPR compliance responsibilities to a knowledgeable employee or team.
- Privacy policies. Maintain and regularly update a business-wide privacy policy
- Security. Implement and maintain information-security best practices.
- Consumer requests. Create and maintain procedures for responding to requests to access to personal data, delete personal information, opt out of sale of personal information.
- Vendor contracts. Update vendor contracts to comply with GDPR or CCPA
- Information of minors. Maintain procedures for collection and use of personal information of minors, as applicable
- Privacy training. Conduct appropriate privacy training for personnel depending on their job function
- Organization-wide compliance. Assess affiliates’ need to comply with GDPR or CCPA and implement organization-wide compliance requirements
Privacy Policies
Your organization’s privacy policy should be reviewed annually, written in clear language, and include the following:
- Third-party information. The names of third-party organizations receiving personal information
- Consumer rights. A list of the consumer rights noted above.
- Opt-out link. State that personal information may be sold and provide a link that enables consumers to opt out.
- Request resources. Provide methods for consumers to submit requests, such as a website, toll-free number, or email address
We’re Here to Help
While clarifications on the CCPA are still being issued, fines are being levied for noncompliant organizations. Similarly, data-protection authorities have levied fines for GDPR failures, and these fines are expected to continue.
If your organization isn’t addressing these requirements, now is the time to start. For assistance reviewing your business processes and determining where personal information is managed, stored, or transmitted, contact your Moss Adams professional.