What does CCPA compliance refer to? Is CCPA different from GDPR, and which of the two is stricter?
Your personal information is private and should not be collected, used, or shared with a third party without your consent. CCPA and GDPR are regulations that govern how businesses and their websites deal with personal data. The laws apply to businesses of all kinds, including e-commerce sites and sites of non-profit organizations.
Here, we'll have a look at the similarities and differences between CCPA and GDPR.
What Is The California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a data privacy law. The law protects California residents by regulating how websites and businesses worldwide should handle residents' personal information.
The CCPA was the first law to try to protect California state residents' personal information by regulating how it is used. The law came into effect on January 1, 2020.
What Is the CCPA Threshold?
The CCPA law applies to all for-profit businesses and websites that sell the personal information of over 50,000 residents of California every year, or that get more than 50% of their revenue every year from selling the personal information of California residents. It also applies to businesses whose gross revenue goes beyond $25 million each year.
The CCPA defines the selling of personal information by any business as selling, renting, disclosing, making available, disseminating, releasing, communicating orally, electronically, or in writing the personal information to a third party for money or valued consideration.
If your business shares common branding with another business, i.e. a shared name, trademark, or service mark, it is also subject to CCPA compliance (see also 'CCPA Compliance Checklist'). The CCPA law gives California residents the right to opt out of having their personal information sold to any third parties. They also have the right to ask for disclosure of all personal data already collected and the right to request the deletion of the personal data.
Residents also enjoy the right to equal services and prices, which means you cannot discriminate against a California resident if they choose to exercise their right. They also have the right to be notified.
What happens if you don't comply with the regulations?
If you don't comply with the CCPA regulations, your business is liable for a fine of $7,500 per violation. You also pay a fine of $750 in civil damages per affected user. The office of the Attorney General of California has the power and responsibility of enforcing the CCPA data privacy laws.
What Does Personal Data Protection Mean For Your Business?
If your business has the annual revenue stated above or meets the other thresholds, you'll have to make certain changes to your website.
For instance, you should inform your users before or during data collection of the categories of personal information you wish to collect and the data's purpose.
If you have minors under 16 years of age on your site, you should get their consent before selling their personal data to a third party.
If the minor is under 13 years of age, you'll have to obtain consent from a parent or guardian. Additionally, the site should have a Do Not Sell My Personal Information link. This will help users to opt out of personal data sales.
If a consumer sends a verifiable request asking for disclosure of the personal data collected, you should provide the record for free. The record of the collected personal information should include data for the last 12 months, including commercial purposes, sources, and the categories of third parties you have shared the information with.
Note that your business shouldn't discriminate against a consumer based on their choice to request disclosure or exercise their right to opt out.
What Is GDPR?
The General Data Protection Regulation (GDPR) refers to the European Union regulation that guides how businesses handle personal data. The regulations have implications for all businesses and organizations worldwide dealing with people from the European Union.
GDPR seeks to protect natural people's fundamental rights and freedoms and give individuals control over how their personal information will be used. The regulation comes with strict rules that guide data collection, transparency, handling procedures, user consent, and documentation.
Every business or organization is regarded as a data controller. As such, it should have a record of personal data and monitor all data processing activities. The control should include personal information handled in the organization and data dealt with by data processors (third parties).
The data controllers and processors should have the ability to account for the personal data being processed, the reason for processing, and the third parties and countries where the data is transmitted. If the organization wishes to share data with destinations beyond the GDPR jurisdiction, the user should be notified of all the risks.
The European Data Protection Board (EDPB) is the highest authority responsible for the application of GDPR across the EU. The supervisory authority is made up of representatives from the data protection authorities in the European Union member states. On May 4, 2020, the supervisory authority came up with guidelines regarding valid consent under the regulations.
The guidelines outline that browsing or scrolling a website continuously doesn't constitute valid consent. Additionally, the cookie banners shouldn't come with pre-ticked checkboxes. The authorities also consider cookie walls as forced consent, and they are considered non-compliant.
Differences Between GDPR and CCPA
Who the Regulations Affect
The GDPR laws apply to all kinds of businesses and their websites. These include web pages of non-profit organizations, e-commerce websites, and public institution websites. Any organization or entity from the EU dealing with personal data must comply with GDPR laws or attract legal repercussions.
Unlike GDPR, which covers all data subjects, CCPA protection is limited to residents of California. Additionally, the CCPA protection applies only to for-profit entities. To be CCPA compliant, a business should deal with the personal data of legal residents of California. The entity must also operate in California.
The Actions that Constitute Data Collecting, Selling, and Data Processing
Under the two laws, personal information refers to any data that can directly or indirectly identify a person. This can include the data of your external contractors and visitors. Anonymous data cannot be used to identify a person and is not covered by the two regulations.
According to the CCPA, collecting refers to the use of any method to gather an individual's personal information. Unlike GDPR, collecting personal data alone cannot be considered data processing.
Processing is when the gathered data is acted upon, and selling refers to disclosure, transfer, and other kinds of communication regarding the data.
According to GDPR's definition, data processing refers to actions performed on a subject's data.
The Type of Data They Protect
GDPR deals with the processing of all personal data, irrespective of how the data is processed. An exception is data processing done by a person for their personal purposes. On the other hand, the CCPA is more specific about the type of data it protects.
While GDPR provides 'opt-in' options before you can access any data, CCPA only provides an 'opt-out' option when the personal data is about to be shared or sold.
Information to Be Availed to Data Subjects
Under both GDPR and CCPA, the following information should be made available to ensure transparency:
- The methods of sharing data
- The requirement that data subjects should be notified every time their data is to be processed
- The rights of each data subject and how they can contact a data protection officer
According to CCPA requirements, businesses should send reports regularly to inform subjects of when their personal information is collected, disclosed, or sold for business purposes. The reports should be sent after 12 months.
Additionally, data subjects should be explicitly informed if any third party that has their personal information wants to sell it to another party.
According to GDPR requirements, data subjects should be notified when their personal data is collected and shared with a third party. The subjects should also be informed of how long the personal data can be retained after being used for profiling. They should also be informed of the purpose of profiling and reminded that they reserve the right to withdraw their consent.
The financial penalties for non-compliance with GDPR can be as high as $24 million or 4% of the company's turnover, depending on the option with the higher value.
On the other hand, for the CCPA, non-compliance alone is not reason enough to get a fine. Companies will be penalized if there is a data breach.
If there is a data breach, the fines can be $2,500 for violations, $7,500 for intentional violations, and up to $750 in damages in civil court.
While GDPR and CCPA operate in different geographies, they both strive to ensure the privacy of data subjects. Businesses should ensure compliance with the regulations to avoid penalties.