CCPA vs GDPR: Understanding the Different Privacy Laws in 2020

Have you heard of GDPR or CCPA? Does your business ever request personal information from customers? Do you store customer’s personal data?

If these conditions apply to your organization, you must follow data privacy regulations. Thus, it’s vital to fully understand CCPA vs GDPR. All companies with business interests in locations covered by these rules must comply.

Continue reading to learn more about these data privacy regulations and if they apply to you.

What Is GDPR?

The European Parliament adopted the General Data Protection Regulation (GDPR) in April 2016. This provision applies to all 28 EU member states. This regulation protects EU citizen’s personal data during transactions in EU states.

The GDPR states that organizations must provide a “reasonable” level of protection for personal data. If companies fail to comply, the GDPR governing body can assess fines.

What Is CCPA?

The California Consumer Protection Act (CCPA) will go into effect on January 1, 2020. Companies have until July 1, 2020, to meet compliance standards. The goal is to increase California consumer privacy and protection rights.

The CCPA provides the following rights:

  • Businesses must tell customers what data they collect, sell, or disclose for business purposes
  • Businesses must tell the customer what categories of personal data they collect and how it’s used
  • Businesses may not discriminate against customers who invoke their CCPA rights
  • Businesses must provide customers with access to their personal data
  • Customers have the right to request the deletion of all personal data
  • Customer’s data that’s shared with a third party must also be deleted at their request
  • Consumers must have a way to opt-out of the sale of their personal data

It’s important that companies have policies in place to protect customer data. You must also have a data breach response plan. This prepares you to manage the improper or unauthorized collection, use, or sharing of personal data.

How Do CCPA vs GDPR Compare to Each Other?

When trying to understand the details of the CCPA and GDPR rules, many questions arise. The following are some common questions about these two sets of regulations.

What Qualifies as Personal Data?

The GDPR defines protected privacy data as:

  • Identifying information including name, address, and ID numbers
  • Internet data such as location, IP address, cookie data, and RFID tags
  • Heath and genetic data
  • Racial or ethnic data
  • Sexual orientation

The CCPE defines personal information as anything that can reasonably identify, relate to, or describe, a consumer or household. This identification may be direct or indirect.

The list of protected information includes:

  • Online identifiers
  • IP addresses
  • Email addresses
  • Browsing history
  • Search history
  • Geolocation data
  • Visual, audio, thermal, and olfactory information
  • Consumer interaction with websites, applications, or advertisements

The CCPA also protects information that can create a customer profile. This may include consumer preferences, characteristics, psychological trends, and predispositions. It also extends to observing behavior, attitudes, intelligence, abilities, and aptitudes.

Does My Business Have to Be Located in the EU or California?

The simple answer is no. If your company tracks EU citizen data, you must comply with GDPR rules. The location of your company is not a factor.

Companies with more than 250 employees must comply with GDPR. If the business’s data-processing affects the data subject’s rights and freedoms, they must comply. This is true even if the company has fewer than 250 employees.

The CCPA applies to companies that meet any of the following three conditions: 1) your company receives more than $25 million per year from global revenues, 2) you maintain data about more than 50,000 citizens of California, or 3) more than half of your annual revenue comes from selling customer data.

How Are Qualifying Customers Defined?

The GDPR does not specifically define the qualifications for a “data subject.” The regulation states that the GDPR “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”

Thus, GDPR data protection applies to customers of businesses “established” in the EU. The customer can be from anywhere in the world.

The CCPA applies to all customers residing in California. This law does not apply to temporary or transitory customers. Yet, CCPA does apply to consumers domiciled in California but outside of the state on an impermanent basis.

Can Customers Request Deletion of Their Data?

Under the GDPR, consumers have the “Right to be Forgotten”. Customers may wish to invoke this right if the company no longer needs their data or if it’s been used unlawfully. Information collected when the customer was a child is also eligible for deletion.

Consumers have the right to request the deletion of personal data available online. Except for certain circumstances, the company has to comply. Businesses must take “reasonable steps” to inform other companies that process this data.

While customer rights are the focus, requests to be forgotten aren’t an absolute right. The GDPR also protects freedom of expression and scientific research.

According to the CCPA, consumers have the “Right to Erasure”. This mirrors the GDPR rule. Organizations must disclose this right to consumers in a “form that is reasonably accessible”.

The business may deny the request if the information is:

  • Needed to complete a transaction in order to provide goods or services
  • Currently needed for the business relationship
  • Needed in order to complete a contract
  • Needed to identify security incidents
  • Needed to protect against illegal, malicious, or fraudulent activity
  • Needed to conduct scientific, historical, or statistical research that benefits the public
  • Needed to adhere to legal obligations or other laws
  • Only used for internal purposes that align with customer expectations

Both laws serve to protect the organization as well as the customer.

Is Your Company Meeting Data Privacy Regulations?

Does your business retrieve and/or store customer information? If so, you must understand the regulations of CCPA vs GDPR. Contact a data security professional if you are unfamiliar with these regulations.

Truyo provides software solutions that meet GDPR and CCPA data privacy rights. Our services clearly show your staff and customers that you’re protecting personal data.

This decreases your compliance risk. Our products offer a scalable solution that integrates into your system with minimal disruption. We allow you to meet immediate privacy rights requests.

Truyo’s products position your business to meet long-term data privacy compliance. Contact us today to learn more about our services.

Author

Dan Clarke
Dan Clarke
President, Truyo
May 1, 2019