Introduction
When the EU adopted the General Data Protection Regulation (GDPR) in May 2018, it marked a significant shift toward data privacy. It was also the impetus for California’s first privacy protection law, the California Consumer Privacy Act (CCPA), and for its successor, the California Privacy Rights Act (CPRA), effective from January 1, 2023. These laws have a few essential differences, but the basic principle remains the same.
Who is protected by data privacy laws?
GDPR is designed to protect identifiable, living natural persons, who are not required to reside within the EU. CCPA and CPRA are data protection laws created specifically to protect California residents and the data collected about them: both those who have lived within the state for more than 30 days and those whose residence is currently in another state.
The new privacy regulations pose a significant challenge to organizations with limited compliance experience. No worries: below we explain the key differences between these laws so that a company can keep up with them.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) came into effect 25 years after the European Union’s first data protection law was passed. To protect users in the EU’s 27 Member States, GDPR enforces sweeping rules on how sites collect information about users. GDPR sets out data controllers’ responsibilities for data processing, such as identifying the location and the source of each data set. This process involves sorting documents, finding contract records, classifying information, and manually recording it.
Can California change its data protection laws to comply with GDPR? The EU’s GDPR is the world’s strictest privacy law. In May 2018, California adopted its own privacy legislation, the California Consumer Privacy Act. Because its mission is to protect consumer privacy, CCPA has been called California’s “GDPR”.
California Consumer Privacy Act (CCPA)
The 2018 CCPA was a significant step for data protection law. CCPA is the first privacy law for California residents that guarantees the right to confidentiality. There was still plenty of room for improvement, which came with the approval of CPRA just a year later.
CCPA was introduced to protect customer data privacy and add consumer rights in California. These rights include transparency, the ability to stop third parties from receiving their personal information, the correction of inaccurate information, and the right to restrict access to consumers’ personal information. Consumers can also request the deletion of information collected about them.
CCPA to California Privacy Rights Act (CPRA)
Is the California Privacy Rights Act (CPRA) an updated version of the CCPA? In effect, yes: it covers and expands various vital provisions of the CCPA. This law was approved in 2020 by the state legislature and modified the CCPA’s provisions. One major difference is enforcement: the California Attorney General enforces the CCPA, while California’s Privacy Protection Authority enforces the CPRA. The law also raises one of the eligibility thresholds, the number of California consumers whose information is processed, from 50,000 to 100,000.
GDPR vs. CCPA and the CPRA
The GDPR, introduced by the European Union, raised awareness of how businesses handle consumer personal information and of consumers’ data rights. The GDPR provided the basis for global data privacy regulations that followed. California’s consumer privacy laws were signed into law shortly after GDPR. CCPA is the first such law in the USA and is often equated with GDPR.
Together, GDPR and CCPA/CPRA are the laws shaping the privacy environment of today’s world. Each regulation gives consumers rights over personal information that businesses collect about them and that they could not otherwise control. GDPR is the world’s largest data protection regulation and serves as the inspiration for several European Union member states. California’s privacy laws are among the most desirable and rigorous privacy laws in the world.
Under GDPR, you need legal grounds to collect personal data. The CCPA instead requires that you give users a way to opt out. The GDPR protects consumers in the EU, while the CCPA is for Californians. The amendment to the CCPA brings new obligations and enforcement mechanisms for organizations. The CPRA is expected to replace the CCPA when it comes into force. Until then, the CCPA requirements remain in effect for covered businesses.
Key differences
DSAR
One of the critical differences is found in the DSAR. A Data Subject Access Request (DSAR) is a request initiated by an individual and addressed to an organization, exercising the right to request access to any personal data held about them. The request may be written or electronic. The organization has a legal obligation to respond to this request within a limited period. This is called the “Right to Access”.
Data Subject Access Requests are defined primarily in the GDPR, where they relate to a particular set of rights and responsibilities, but the term has taken on a more general meaning.
DSAR under GDPR
It protects citizens in the European Union. It also applies to businesses outside of Europe that offer products to citizens within it. It covers “processing” of personal data, defined as any operation performed on personal data, including collecting and storing it.
DSAR under CCPA/CPRA
It focuses on information directly connected to a consumer or a household. It does not apply to aggregate data that isn’t reasonably associated with consumers or households, nor to de-identified data.
Who they concern
The GDPRβs laws apply to businesses of all types. From eCommerce companies to nonprofit websites to public agency websites, any business dealing with EU personal data must comply with the GDPR or face costly legal consequences. This includes implications for GDPR and visitor management.
While the GDPR protects all “data subjects” (the identifiable individuals to whom personal data belongs), regardless of their residence or citizenship status, the CCPA’s protections are limited to individuals who are lawfully present in California.
In addition, the CCPA only affects for-profit businesses that meet at least one of the following:
- annual gross revenue of more than $25 million,
- collects, buys, sells, or shares data from at least 50,000 (100,000 under CPRA) consumers, devices, or households in California, or
- derives at least 50 percent of its annual revenue from the sale of California residents’ data.
To be covered by the CCPA/CPRA, the business must also meet two further criteria: it collects personal data from consumers in California and determines the purpose and means of processing that data, and it operates in California.
Types of protected data
The GDPR broadly covers the processing of all personal data, regardless of what that data is for or how it’s processed. The only exceptions are non-automated, manually performed processing that is not kept on file and processing that consumers perform for their own purposes. The CCPA/CPRA, however, is more specific about which data types are protected in which circumstances.
For example, while the GDPR requires businesses to obtain users’ opt-in consent before accessing their data, the CCPA only requires companies to offer an opt-out option if user data is to be actively sold or shared.
In addition, California regulations exclude a range of user data types from protection: any data already legally available to the public, medical information protected by the California Confidentiality of Medical Information Act (CMIA) or the federal Health Insurance Portability and Accountability Act (HIPAA), personal information covered by the California Driver Privacy Protection Act, and other similar records.
While this area may be more difficult for a California service provider business to navigate, a business that already follows the stricter GDPR regulations is likely prepared.
Collection, sale, and process of data
Under the GDPR and the CCPA/CPRA, “personal data” refers to any information that may directly or indirectly identify an individual. This includes data about your external visitors and contractors. Anonymous data, on the other hand, is information that cannot be traced to a single identity and therefore doesn’t fall under either law.
Collection, sale, and processing of data under GDPR
“Processing” of personal data is any action taken on a data subject’s information. This includes everything from the initial collection of user or visitor data to the structuring and storage of that information, its provision to others, and its ultimate removal and deletion.
Collection, sale, and processing of data under CCPA/CPRA
“Collecting” refers to the gathering of personal data by any method, but unlike under the GDPR, this alone isn’t considered “processing”; processing doesn’t take place until the already collected data is handled further. “Selling” is treated as another separate operation, which includes any transfer, disclosure, or other type of communication of a data subject’s personal data. Finally, “sale” here doesn’t necessarily mean that a payment is involved, only that a valuable and intentional exchange of personal user data has taken place.
Information provided to data subjects
The GDPR and the CCPA/CPRA both prescribe how information is shared with data subjects to ensure greater transparency in data management. Data subjects must be informed about the purposes for which their data is being processed, the rights they have over their data, and how they can contact the competent data protection officer if they choose.
CCPA/CPRA under the information provided
Companies must periodically inform data subjects when their personal information has been collected, sold, or disclosed for business purposes within the preceding 12 months.
Data subjects must also be notified explicitly by third parties who have received their data if they intend to sell the data to another third party.
GDPR under the information provided
Data subjects must be notified when information is collected directly from them and when their data is shared with another entity, regardless of affiliation or intent.
They must be informed of how long their data may be retained and whether their data is used in automated systems for profiling.
They must also be informed of the reasons for any such profiling and reminded that they have the right to withdraw their consent to the processing of data they have previously shared. Finally, data subjects must be notified within one month at the latest if a third party processes their data under the GDPR, and they must be told precisely from which source this third party obtained their data.
Fines
Administrative fines for failure to comply with the GDPR and/or for data breaches can be up to €20 million (approximately $24 million) or 4% of the breaching company’s annual global turnover from the previous fiscal year, whichever is greater.
When such a fine is levied, it is applied in proportion to the total financial assets of the violating business. A visitor management system can help you avoid GDPR penalties regarding your visitor data.
The CCPA differs significantly from the GDPR in this regard, as non-compliance alone is not grounds for a fine. Instead, penalties are only imposed when a data breach occurs. When such a breach occurs, all pre-existing breaches relevant to the violation are considered and fined individually. The maximum fines are $2,500 per violation, $7,500 per willful violation, and $100 to $750 in damages in civil court.
Although the costs of violating the GDPR and the CCPA/CPRA should not be taken lightly, there is a big difference in their approach: GDPR is preventative, designed to punish an irresponsible business, while CCPA/CPRA is entirely reactive.
How do you ensure the security of private data and personal information?
While the GDPR requires thorough measures for compliance, it frames those requirements around consumer protection. The CCPA/CPRA regulations allow consumers whose privacy has been violated to take action against businesses that fail to comply.
Although it is hard for a business to keep up with all the differences between these regulations and stay compliant, the Pandectes GDPR Compliance app offers a reliable way for an eCommerce business to remain compliant and up to date with data privacy regulations.