After two years of seeing the effect of GDPR on European Union businesses, now comes the CCPA, which is all about California. In less than three months, “California’s GDPR”, the California Consumer Privacy Act (CCPA), will come into effect. GDPR vs CCPA: how can we compare them?
Let us look today at the difference between these two data-privacy regulations, the CCPA and the GDPR (the European Union’s General Data Protection Regulation). How are they different? First of all, let us acknowledge that from 1 January 2020 the CCPA is going to be in effect.
Who needs to comply with CCPA, who to GDPR?
In today’s infographic you can find the answer in simple, non-academic language. Any company conducting business with California citizens that has annual revenue above $25 million, or that collects, shares, buys or sells the data of more than 50,000 Californian citizens, needs to comply. It also applies to companies that make at least 50% of their revenue from the sale of California consumer data.
GDPR is relevant to any organization that collects or processes data of EU citizens or residents.
What are the penalties for Noncompliance?
Here California has a simplified process that fines $750 per person, per violation, while the GDPR foresees up to 4% of the company’s annual gross revenue or 20 million Euros.
In the infographic, we can read in detail about the differences and about the new rights afforded to users. While the GDPR focuses on personal data, the CCPA focuses on the sale of consumers’ information.
As of October 2019, over 109 fines and penalties imposed by data protection authorities within the EU under the EU General Data Protection Regulation (GDPR, DSGVO) have been tracked.
An up to date list can be found on Nathan Trust.
Both laws require businesses, upon request, to give users access to the following information:
- What information is collected about them
- What information is shared or sold
- Who that information was shared with or sold to
When do you need to get user consent?
Under the CCPA, you need to get explicit consent to sell the data of users under 16. For all others, a simple denial of consent can be captured by a link saying “Do not sell my personal information”. Businesses also need to give users the option to opt out at any time.
To comply with the GDPR, you need to obtain the user’s consent when you collect data based on one or more of the six legal bases of data processing.
What about Data Protection and Security?
Under the GDPR it is straightforward: keep data encrypted, confidential, and accessible. Notifying users when a data breach occurs helps avoid penalties after the event. Performing a data protection impact assessment (DPIA) before processing personal data can also help.
The CCPA gives consumers the option to bring a lawsuit, via the Attorney General’s Office, for breach of privacy if a company’s data is mishandled or infiltrated. Given these new consequences, businesses should be extra cautious in their data handling and take time to map and audit their data stores.
Conclusion: What Now?
CCPA vs GDPR: both of these laws are no laughing matter. Given the range they cover and the penalties they threaten, it is time for you to develop a compliance strategy for both the GDPR and the CCPA.
The infographic by Termly, a provider of GDPR compliance software for websites and online businesses, explains it all in detail.