In May 2018, the European Union’s General Data Protection Regulation (GDPR) took effect. All businesses handling data from residents of the European Union must now comply with the EU’s new privacy standards.
This was a big shift for companies accustomed to viewing consumer data as a lightly regulated but valuable commodity: businesses are now required to be more transparent with consumers about how they collect personal data and what they do with it.
A month after the GDPR took effect in Europe, the California Consumer Privacy Act (CCPA) was passed into law. As of January 1, 2020, all companies with customers located in California must comply with the CCPA.
Though the GDPR pioneered consumer data protection law, it isn’t helpful to view the CCPA as California’s GDPR when charting your compliance strategy. There are many similarities between the two but also significant differences. A GDPR-compliant business will be well prepared to comply with CCPA, but will probably still have work to do to uphold all the provisions of the CCPA moving forward.
An overview of the GDPR
The purpose of the GDPR was to modernize laws that protect individuals’ personal information. The previous laws in the European Union, established by individual countries in the 1990s, failed to keep up with rapid technological advancements.
With the GDPR, a single law governs how businesses and public-sector organizations handle consumer information. Customers now have more control over their information and more rights to their data than ever before.
According to a Wired article, the GDPR contains 99 separate articles detailing the rights of individuals and the obligations for organizations covered by the regulation. There are eight rights for individuals under the GDPR:
- The right to be informed. All organizations must be transparent about how they use personal data.
- The right of access. Individuals have the right to know exactly what personal information is being held and how it’s processed.
- The right of rectification. Consumers can demand to have incorrect or incomplete personal information rectified.
- The right to erasure. Also known as the “right to be forgotten,” individuals don’t need a specific reason to request that their information be removed from search engines (however, their information won’t be deleted from public records).
- The right to restrict processing. Individuals retain the right to restrict processing of their personal data.
- The right to data portability. This allows individuals to retain and reuse their personal data for their own purposes. In effect, a person owns their data.
- The right to object. In certain circumstances, individuals can object to the use of their personal data.
- Rights related to automated decision-making and profiling. Individuals can choose not to be the subject of a decision that has a legal bearing on them or is based on automated processing. These safeguards protect individuals against potentially damaging decisions made without human intervention.
The Department for Culture, Media and Sport is responsible for ensuring that U.K. law complies with the GDPR. The Information Commissioner’s Office (ICO) is responsible for enforcing the GDPR and providing organizations with guidance on how to comply.
A brief overview of GDPR compliance obligations includes:
- Security breaches. “Destruction, loss, alteration, unauthorized disclosure of, or access to” people’s data has to be reported to the ICO within 72 hours of the organization discovering it. The people impacted must also be informed.
- Obligations for large companies. Companies with more than 250 employees are required to document why they collect and hold users’ information. The documentation must include descriptions of all technical security measures in place.
- Data protection officers. Companies that regularly monitor or process sensitive data, or do so on a large scale, may need to hire a data protection officer to serve as a point of contact for employees and customers. The data protection officer is responsible for ensuring GDPR compliance.
How the CCPA compares to the GDPR
It makes sense that the CCPA is frequently compared to the GDPR: they share similar goals, and the CCPA is viewed as the first such data privacy measure taken in the United States.
Both of these laws give individuals the right to access and delete their personal information, and they require businesses to be transparent about information use. Generally speaking, the CCPA is seen as a less strict version of the GDPR.
These are the key differences between the two laws:
- Who they affect: The GDPR applies to businesses and websites of all kinds. This includes anything from e-commerce firms to nonprofits; if they’re dealing with personal data, they must comply with the GDPR. In contrast, the CCPA only affects for-profit entities that have an annual gross revenue of over $25 million, buy or sell data from over 50,000 consumers, or generate 50 percent or more of their annual revenue from selling data.
- The penalties: The financial penalties for noncompliance or data breaches of the GDPR can be as high as $22 million or 4 percent of the violating company’s annual global income from the previous year. The maximum fine for the CCPA is $2,500 per incident.
- Privacy notices: Both the CCPA and GDPR require privacy notices, but the content required for each is different. In this case, the CCPA is actually more strict. Rather than a general privacy notice, the CCPA prescribes specific information that businesses must provide to consumers and sets requirements for how it is delivered.
- Information provided to individuals: Both the GDPR and CCPA detail what data-sharing methods individuals need to be informed of and when. They both require that individuals be notified of what their data is being used for and their rights regarding their data.
CCPA requirements state that companies must provide reports informing individuals of what personal information was collected, sold, or disclosed for business purposes over a 12-month span.
GDPR requirements are more thorough. Individuals must be informed when their data is collected or shared, regardless of intention. They must also be told how long their data can be retained, as well as the reasoning behind the profiling process. Last, they must be reminded that they have the right to withdraw their consent to the data they’ve previously shared.
Even if your company is GDPR compliant, CCPA compliance will likely require further adjustments. Read more about the CCPA in our CCPA Compliance Guide. Find out about JotForm’s CCPA compliance efforts.
Do you have users in California? You can use this CCPA opt-out form template for legally mandated opt-out requests. If your users don’t want you to sell or share their data, all they have to do is fill out the form.