Before the dust had settled on the entry into force of the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) arrived on the other side of the Atlantic. Both laws give individuals rights over the collection and use of their personal information, but there are several significant differences that anyone responsible for compliance needs to understand.
GDPR vs. CCPA
Who is regulated?
One striking difference between the GDPR and the CCPA lies in the entities they regulate. The GDPR is a regulation in EU law (directly applicable in every member state, not a directive that must be transposed) that protects the personal data and privacy of individuals in the European Union and the wider European Economic Area, and it applies to any organization, public or private, that processes that data. The CCPA, by contrast, is aimed at for-profit businesses that do business in California and meet at least one of three thresholds:
- Has annual gross revenue above $25 million
- Derives 50% or more of its annual revenue from selling consumers' personal information
- Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices per year
The CCPA also applies to any entity that controls or is controlled by a business meeting those thresholds and that shares common branding with it. So the two laws differ substantially in how they define the regulated population, with the CCPA's thresholds being the more concrete test.
Who is protected?
Both laws are concerned with the privacy of a natural person's information, but they differ in approach and terminology. The CCPA protects "consumers," while the GDPR protects "data subjects." The CCPA defines a consumer as a California resident: anyone in the state for other than a temporary or transitory purpose, and anyone domiciled in California who is outside the state only temporarily. As written, that definition also reaches individuals acting in business-to-business transactions and employees.
The GDPR defines a data subject as an identified or identifiable natural person to whom personal data relates. Keep in mind that if you operate a business outside either law's home jurisdiction, you still need to review whether and how the law reaches you.
What Information is protected?
Both laws protect broadly the same kind of information, but the CCPA goes a step further than the GDPR by explicitly covering devices and households. The GDPR concentrates on personal data relating to identified or identifiable data subjects and restricts the processing of a defined set of special categories of personal data except under specific conditions.
The CCPA expressly includes information that can reasonably be linked with a household. Under the CCPA, therefore, not only a consumer's IP address but also a California family's utility statements count as personal information. In practice the GDPR covers much of this household-related data too, because it links back to the individual members of the household.
What are the Opt-Out Rights?
At this point a significant difference between the two regulations emerges. The CCPA devotes an entire section of the law to making it easy for consumers to opt out, whereas the GDPR contains no specific right to opt out of the sale of personal information.
The GDPR instead provides related rights, such as the right to withdraw consent to processing and the right to object to processing for direct marketing purposes. In other words, the GDPR is more concerned with giving data subjects avenues to stop processing and sharing than with prescribing a specific opt-out mechanism.
The CCPA, on the other hand, requires that all consumers be made aware of their opt-out rights. Businesses must place a clear and conspicuous link titled "Do Not Sell My Personal Information" on their homepage so that the opt-out option is visible. In addition, once a consumer has opted out, a business may not ask that consumer to re-authorize the sale of their personal information for at least 12 months.
The contrast, then, is that the GDPR provides rights that can be used to stop data from being shared or sold, while the CCPA requires every covered business to give consumers a straightforward way to opt out.
What are the Rights of Data Portability?
On data portability, the CCPA and the GDPR are noticeably similar. Both focus on giving individuals a usable copy of the data collected about them so that they can move it elsewhere. The GDPR introduced a new right to data portability, under which a data subject can receive their personal data in a structured, commonly used, and machine-readable format and have it transmitted to another controller.
Under the CCPA, consumers have the right to request disclosure of the personal information collected about them, and the business must respond within 45 days, delivering the information in a portable and readily usable format that allows the consumer to transmit it to another entity without hindrance.
What do the Regulations Say about Security?
Both regulations grew out of mounting concern about data security, which is why both center on giving individuals control over how their data is collected and used. Companies are now obliged to maintain an appropriate level of security to mitigate risk. Under the GDPR, individuals who suffer material or non-material damage as a result of a breach can claim compensation from the responsible controller or processor.
Although the CCPA does not lay down specific data security requirements, it does create a private right of action in the event of a data breach. As codified in the California Civil Code, the CCPA allows California residents to sue a business when its failure to implement and maintain reasonable security procedures results in a breach of their personal information. Courts may also grant declaratory and injunctive relief. So while both laws call for appropriate security controls and permit private lawsuits, they differ significantly in the remedies available.
What Other Significant Differences Exist Between GDPR and CCPA?
With regard to children, the CCPA requires parental consent only for the sale of a child's personal information, whereas the GDPR applies its consent requirement to all processing of a child's data. Unlike the GDPR, the CCPA does not provide a right to object, a right to rectification, a right not to be subject to automated decision-making, or a right to restrict processing (beyond the opt-out from sale).
How ZenGRC Enables CCPA Compliance
As a business, you know that CCPA compliance will require you to collect, store, and retrieve documentation. In addition, as organizations increasingly work with vendors who also handle consumer data, CCPA compliance demands better coordination between internal and external stakeholders.
With ZenGRC's workflow features, your organization can assign tasks and follow them through to completion. With the CCPA's 45-day response deadline in particular, you can track the fulfillment of consumer requests to stay compliant. Task prioritization lets you review workflows to mitigate cyber risk and evaluate the controls needed to support opt-out and opt-in requests.
Even if you already meet the GDPR's requirements, you will still need to put effort into honoring the rights granted under the California Consumer Privacy Act. Companies will need to revisit business models that monetize data, adopt privacy policies, upgrade internal processes and systems to support consumer rights, and maintain extensive records of the personal data they process.