CCPA and GDPR: The Future of Personal Data Security
Published: July 13, 2020
Author: Lori Gorcyca
Personal data security has come under close scrutiny in the last few years following a number of high-profile security breaches. With enforcement of the California Consumer Privacy Act (CCPA) having commenced on July 1, 2020, personal data security will remain a focus for consumers, legislators, and companies. While the General Data Protection Regulation (GDPR) rollout in the EU set the stage for large-scale protection of “data subjects,” CCPA adds some distinct protections and coverage for California residents. The overarching theme of both GDPR and CCPA is transparency about how personal data is collected, used, and shared, but the two laws differ in their approaches to regulation and protection.
CCPA vs. GDPR: Who Is Protected?
To begin with, CCPA and GDPR differ in the kinds of entities they regulate and in who exactly is protected. GDPR takes a broad approach: it applies to organizations established in the EU that process personal data (regardless of whether the processing itself happens in the EU), and to organizations outside the EU that process the personal data of data subjects in the EU in connection with offering them goods or services or monitoring their behavior (for example, to deliver more targeted advertising). CCPA, by contrast, targets for-profit entities that do business in California and meet at least one of its thresholds: annual gross revenue above $25 million; annually buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices; or deriving 50% or more of annual revenue from selling consumers’ personal information. As for who is protected, both laws focus on an “identifiable natural person.” However, GDPR’s protection reaches “data subjects” inside and outside the EU (depending on where the controller is established), while CCPA protects “consumers,” meaning natural persons who are California residents.
CCPA vs. GDPR: What Is Protected?
Next, we need to consider what constitutes personal information and what rights these laws grant individuals over it. GDPR defines personal data as any information relating to an identified or identifiable natural person (the data subject). CCPA uses a similar definition but goes further: information that is reasonably capable of being associated with, or could reasonably be linked with, a particular consumer or household is also personal information, and device-level identifiers count as capable of identifying a consumer or household. As for the rights granted to the consumer, CCPA provides five basic assurances:
- the right to know what personal information is being collected and the purposes for which it is used
- the right to access and to request deletion of personal information
- the right to opt out of the sale of personal information
- the right to know whether personal information is sold or disclosed, and to whom
- the right not to be discriminated against for exercising these rights.
GDPR grants similar rights that give individuals control over and security for their personal data. What happens when a consumer wants to opt out of the sale of personal data? GDPR has no sale-specific opt-out, but its right to object to processing (which is unconditional where the processing is for direct marketing) and the right to withdraw consent have a similar effect. CCPA gives the consumer an explicit right to opt out of the sale of personal information and specifies how that right must be offered, for example by requiring a clear and conspicuous “Do Not Sell My Personal Information” link on the business’s homepage. Once a consumer has opted out, the business must honor the request and must wait at least 12 months before asking that consumer to authorize the sale of their personal information again.
CCPA vs. GDPR: What Are the Fines for Violations?
Finally, the two laws take different approaches to private lawsuits and to civil penalties. GDPR gives any data subject the right to a judicial remedy and to compensation for damage caused by an infringement. CCPA’s private right of action is narrower: it applies only to a data breach of nonencrypted and nonredacted personal information that results from the business’s failure to implement reasonable security, with statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater). The financial penalties for noncompliance can become very costly, very quickly. Organizations in breach of GDPR can be fined up to 4% of annual global turnover for the preceding fiscal year or EUR 20 million, whichever is higher, for the most serious infringements (a lower tier of up to 2% or EUR 10 million applies to others). Under CCPA, civil penalties enforced by the California Attorney General are up to $2,500 per violation and up to $7,500 per intentional violation, assessed when a business fails to cure a noticed violation within 30 days; unlike the private right of action, these penalties are not contingent on a data breach. For example, if a company collected or maintained the data of just 20,000 California consumers outside the rules of the CCPA, and each consumer’s record counted as a separate violation, the company could, in addition to any private lawsuits, be facing a civil penalty of up to $50,000,000 for negligent violations and up to $150,000,000 for intentional violations.
We find ourselves in an ever-changing world, overflowing with technology and information, but all this access comes at a price. GDPR and CCPA aim to provide individuals greater access to and control over personal information and the ability to hold companies accountable for negligent or intentional violations of their rights. Globally, we have reached a tipping point in consumer expectations and demand for privacy, and we encourage organizations to keep a close eye on developing regulations that will affect the way they collect, store, and use data.