Since May 2018, businesses have more or less successfully adapted their websites to comply with the European General Data Protection Regulation (GDPR). But if you thought the process of implementing privacy regulations on your business’ website was over, think again. The California Consumer Privacy Act (CCPA) is set to take effect on January 1st, 2020. Read on to find out how the CCPA differs from the GDPR and which businesses will have to adjust how they handle website visitors’ personal data.
Who do the laws apply to?
The GDPR applies to businesses (and their websites) of every kind.
From eCommerce businesses to the webpages of non-profit organizations to the websites of public institutions, any entity that handles personal data of people in the EU must comply with the GDPR or invite costly legal repercussions. This includes the way visitor data is collected and managed on your website.
Meanwhile, the CCPA’s protections are limited to individual data subjects that legally reside in California, whereas the GDPR protects all “data subjects” (the identifiable people to which personal data belongs) regardless of their residency or citizenship status.
On the flip side, the CCPA only affects for-profit entities whose business meets at least one of the following criteria:
- Has annual gross revenue above $25 million
- Collects, buys, sells or shares the personal data of more than 50,000 consumers, devices or households in California per year (this includes your website’s visitors)
- Derives at least 50% of its annual revenue from selling this personal data
Furthermore, the business must also meet both of the criteria below:
- Collects personal information from consumers in California and determines the purposes and means of processing that information, and
- Does business in California
What actions count as data collecting, selling, and processing?
Under both the GDPR and CCPA, the term “personal data” means any information that can directly, or indirectly, represent an identifiable person. This includes the data pertaining to your external visitors and contractors.
Anonymous data, on the other hand, is information that can’t be traced back to a single identifiable person, and is therefore covered by neither law.
But that’s about where the similarities in terminology end.
GDPR considers the “processing” of personal data to be any action that’s performed on a data subject’s information. This includes everything from the initial act of collecting user or visitor data, to structuring and storing that information, making it available for others to access, and to its eventual removal and erasure.
The CCPA splits its data-related terminology into several separate definitions.
“Collecting” refers to the gathering of personal information by any method; unlike under the GDPR, collection alone isn’t considered “processing”.
“Processing” only occurs once data that has already been collected is acted upon further.
“Selling” is defined as a separate event that covers any transfer, disclosure or other communication of the contents of a data subject’s personal information to another business or third party.
Most notably, “selling” here doesn’t necessarily mean that any payment is involved, only that an intentional exchange of personal information for something of value has taken place.
Scope and differences
One of the main differences is the following: while the GDPR requires entities to clearly obtain user consent via “opt-in” options before accessing any of their data, the CCPA only requires businesses to offer an “opt-out” option when user information is going to be sold or shared. To go through the entire scope of both regulations, please study the table below.
| CCPA | GDPR |
|---|---|
| Applies to businesses, headquartered inside or outside of California, that collect personal information of California residents and that satisfy at least one of three conditions: (1) annual gross revenue of more than $25 million; (2) handling (buying, selling, etc.) the personal information of more than 50,000 California consumers, households or devices annually; (3) deriving at least 50 percent of annual revenue from selling California consumers’ personal information. | Has extra-territorial effect: it can cover all companies that process EU data, whether they are established in the EU or not, and regardless of where the actual data processing takes place. |
| Protects California residents (whether they are currently in the state or not) | Protects EU residents and data subjects whose data are collected by covered companies |
| Refers to ‘personal information’ that identifies, relates to, describes, and is linked to or associated with a consumer or household | Refers to ‘personal data’ that relates to an identified or identifiable data subject |
| May not apply to job candidates and employees (according to amendment Assembly Bill 25) | Applies to job candidates and employees |
| The right to disclosure / access | The right to disclosure / access |
| Right to deletion | Right to erasure (‘to be forgotten’) |
| Requirements for the sale of personal information of children: minors under 16 years of age must authorize the sale of their personal information; for children under 13, the opt-in must be collected from a parent or guardian. | Where the child is below the age of 16, processing of their personal data is lawful only if and to the extent that consent is given or authorized by the legal guardian. Member states can set a lower age, provided it isn’t below 13 years. |
| Right to object only to the sale of personal information | Right to restrict processing |
| The right of data portability | The right of data portability |
| – | Right to rectification |
| Direct right of action | Compensation claims and the right to lodge a complaint with a supervisory authority |
| Right to recover damages ($100 to $750) | Right to receive compensation for material or non-material damages |
| Imposes disclosure requirements for the collection, selling and sharing of personal information | Imposes disclosure requirements and restricts the collection and processing of personal data |
| Doesn’t require a lawful basis for handling personal information | Requires companies to have a lawful basis to handle personal data |
| Obliges businesses to comply with a verifiable consumer request within 45 days | Obliges data controllers to comply with a verifiable data subject request within a month |
Fines & consequences
| CCPA | GDPR |
|---|---|
| Fine for violation is $2,500 to $7,500 | Fine for violation is up to 20 million euros or 4% of annual revenue/turnover, whichever is greater |
| $100 to $750 per consumer per incident after civil action | Compensation for material or non-material damages to the data subject |
| Businesses have 30 days to cure violations and inform consumers that they have done so | No grace period |
Terminology & descriptions
| CCPA | GDPR |
|---|---|
| Refers to “businesses” in general | Distinguishes between “data controllers” and “data processors” |
| Refers to “consumers” | Refers to “data subjects” |
| Addresses “personal information” | Addresses “personal data” |
| Applies to devices and households as well as consumers | Applies to natural persons only |
Is GDPR compliance enough?
Unfortunately, no. Businesses that have already undertaken GDPR compliance will have an advantage in addressing the CCPA, but those efforts alone won’t suffice. The GDPR is focused on creating a “privacy by default” legal framework for the entire EU, whereas the CCPA is about creating transparency in California’s huge data economy and giving rights to its consumers.
Where the GDPR creates a door for the EU user to lock prior to any data processing, the CCPA creates a window for the Californian consumer to open, in order to find out which of their data has already been obtained by a business or sold to a third party.
Complying with both may be an extensive amount of work, but it leads to a website and a business that are safe from potential financial penalties, and to a trusting relationship with website users and clients.