European and Californian laws offer similar principles with key differences
It wasn’t so long ago that companies had free rein over our personal data.
Security breaches, caused by unpatched software or misconfigured data storage, would leak sensitive information on a daily basis, allowing the digital identities of consumers to be abused with little reparation from business.
And while all that still happens, the normalization of cyber-attacks and risk of online fraud is now forcing companies to reel back their data collection practices and put the individual in control of what happens to their personal information.
That’s thanks, in part, to the General Data Protection Regulation (GDPR) – the EU-wide legislation that sent shockwaves through Big Data business models with penalties that spelled catastrophe for any company failing to comply with its rules.
Since its passing on May 25 of this year, GDPR has certainly set the stage as one of the most comprehensive privacy policies to date. And its effects have been felt globally.
Although not devoid of criticism, it still may be too soon to tell if GDPR has had a positive impact on consumer rights, or whether the law has only created problems for anti-spam efforts and simply turned privacy into a checkbox exercise.
But what is certain is that GDPR has put data protection on the map and further paved the way for the next generation of privacy first legislation, including the recently announced California Consumer Privacy Act (CCPA).
Expected to come into effect on January 1, 2020, CCPA has been hailed as one of the first US bills that gives individuals appropriate safeguards for the digital age.
In a webinar held recently, two organizations, the Future of Privacy Forum and DataGuidance, broke down the differences between the GDPR and CCPA.
What’s the CCPA?
The CCPA was passed in June 2018 and implements rules for businesses operating in California concerning the way in which they collect, use, and share consumer data.
As there is currently no federal privacy law in the US, the CCPA has been seen as a huge step forward in creating safeguards for an individual engaged in a transaction with a business, whether by the sale of personal information or the exchange of data for a particular service.
Additional amendments are expected before the CCPA becomes law, the last having been in October 2018.
Who does it cover?
Unlike GDPR, which applies to nearly anyone collecting information on citizens within the European Union (EU), only for-profit entities are required to comply with regulation under the CCPA.
This applies to businesses with an annual gross revenue above $25 million, or those that derive at least 50% of their income from selling consumer data.
In terms of protection, the CCPA guarantees all residents of California some form of data security, whereas GDPR grants safeguards to any person within the EU.
Neither the GDPR nor the CCPA is applicable to law enforcement or national security agencies.
What does ‘personal data’ mean?
The scope of protected information generally runs parallel through both pieces of legislation, each broadly defining ‘personal data’ as ‘data that identifies an individual’.
CCPA does, however, carry a more detailed breakdown of what constitutes a personal identifier, such as biometric and geolocation data.
What does the CCPA exclude?
The CCPA excludes publicly available government records, medical data, and personal information collected for clinical trials and processed by credit reporting agencies.
Opt-in or opt-out?
GDPR and CCPA each provide an individual with the means to ask an organization to stop selling or sharing their personal information.
The key difference, however, is that GDPR requires consumer consent to collect data, whereas no such restriction applies under the CCPA.
In other words, the US legislation allows businesses to freely collect personally identifiable data, and consumers are then given a choice of whether the organization can sell what it’s gathered.
CCPA does this explicitly by requiring companies to have a ‘do not sell my personal information’ link on the homepage of their website.
Although CCPA allows businesses to collect information without a consumer’s say, like GDPR it gives individuals a right to request all data be deleted.
What are the penalties?
Penalties under the CCPA can fall anywhere between $2,500 and $7,500 per violation, depending on what sort of violation occurred. There is no maximum on the number of violations, and thus fines, that can be issued.
GDPR directs fines through an assigned data protection authority, like the Information Commissioner’s Office in the UK, and CCPA does so through action brought by the Attorney General of California.
But aren’t most companies in Silicon Valley already compliant with GDPR?
The Future of Privacy Forum’s Gabriela Zanfir-Fortuna, who co-authored a comparative report on the GDPR and CCPA, told The Daily Swig: “I think that the companies that put a real effort into complying with the GDPR will have no problems complying with the CCPA. It will be a much easier task for them.
“The challenge that I see is that the CCPA has a very targeted provision which requires a link, a button, on a company’s home page that says, ‘do not sell my data’. This provision is quite prescriptive and there is no room for interpretation.”