When the EU adopted the General Data Protection Regulation (GDPR) in May 2018, it marked a significant shift toward data privacy. Specifically, that was the reason for California’s first privacy protection law known as the California Consumer Privacy Act (CCPA) and effective from January 1, 2023, the California Privacy Rights Act (CPRA). These protection laws have a few essential differences, but the basic principle remains unchanged.
Who is protected by data privacy laws?
GDPR is designed to protect identifiable and living natural persons who are not required to reside within the EU. CCPA and CPRA are data protection laws specifically created to preserve Californian citizens and their data collection who have lived within the state for more than 30 days and those whose residence is in another state.
The new Privacy Protection Regulations will significantly challenge organizations with limited compliance experience. No worries, we will explain key differences within each of these policies so that a company can keep up with the regulations.
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) came into effect 25 years after the European Union’s first GDPR law was passed. To protect users in the EU’s 27 Member States, GDPR enforces sweeping rules regarding how sites collect information about users. GDPR reflects the data controllers’ responsibilities and data processing, such as identifying the location and the data source for each. This process involved sorting documents, finding contract records, classifying information, and manually recording information.
Can California change its data protection laws to comply with GDPR? The EU’s GDPR is the world’s strictest privacy law. In May 2018, California adopted its privacy legislation – California Consumer Privacy Act. As part of its mission of protecting consumer privacy, CCPA has been called California’s “GDPR”.
California Consumer Privacy Act (CCPA)
The 2018 CCPA was a significant step toward data protection laws. CCPA is the first valid privacy law for California residents that guarantees the right to confidentiality. There was plenty of room for improvement, particularly after the approval of CPRA just a year later.
CCPA has been introduced to protect customer data privacy and add consumer rights in California. Some rights include transparency, the ability to stop receiving personal information from third parties, the correctness of false information, and the right to restrict access to consumers’ personal information. Another privilege is that consumers can request the deletion of information collected.
CCPA to California Privacy Rights Act (CPRA)
Is California Privacy Rights Act (CPRA) an updated version of the CCPA? It covers various vital aspects of the provisions of the CCPA. This law was approved in 2020 by the state legislature and modified the CCPA’s provisions. One major difference is with law enforcement. California Attorney General enforces CCPA, and California’s Privacy Protection Authority enforces CPRA. The law also increases one of its eligibility criteria to the extent that California’s consumer information is processed from 50,000 to 100,000.
GDPR vs. CCPA and the CPRA
The GDPR, introduced by the European Union, increases awareness about how a business handles consumer personal information and data rights. The GDPR provided the basis for introducing global data privacy regulations. California’s consumer privacy laws were signed into law shortly after GDPR. CCPA is the first law in the USA and often equates GDPR with it.
GDPR and CCPA/CPRA are a combination of laws shaping the privacy environment of today’s modern world. Each privacy regulation provides the right for consumers who cannot control the private information they collect. GDPR is the world’s largest data protection regulation and is used by several European Union member States as its inspiration. California privacy laws are one of the most desirable and rigorous privacy laws in the world.
Under GDPR, you will need legal grounds to collect personal data. The CCPA requires that users opt out of your privacy protection practices. The GDPR protects consumers in the EU, while the CCPA is for Californians. The amendment to the CCPA provides new obligations and enforcement mechanisms for organizations. The CPRA is expected to replace the CCPA when it comes in. Until then, the CCPA requirement will remain in effect for covered businesses.
One of the critical differences is found in DSAR. A Data Subject Access Request (DSAR) is a request initiated by an individual and addressed to an organization that exercises the right to request access to any personal data. The request could be written or electronic. The organization has a legal obligation to respond to this request within a limited period. This is called the “Right to Access”.
Data Subject Access Requests are primarily defined in the GDPR and are related to a particular set of rights and responsibilities but have taken on a more general meaning.
DSAR under GDPR
It protects citizens in the European Union. It applies outside of the UK to businesses that offer products to citizens outside of Europe. It covers “processing” personal data, defined as the operations that take place on personal data, including collecting and storing it.
DSAR under CCPA/CPRA
It focuses on information directly connected to consumers or a household. Unlike identifying data, it does not apply to aggregate data which isn’t reasonably associated with consumers or households or to identifying aggregate data.
Who they concern
The GDPR’s laws apply to businesses of all types. From eCommerce companies to nonprofit websites to public agency websites, any business dealing with EU personal data must comply with the GDPR or face costly legal consequences. This includes implications for GDPR and visitor management.
While the GDPR protects all “data subjects” (the identifiable individuals to whom personal data belongs), regardless of their residence or citizenship status, the CCPA’s protections are limited to individuals who’re lawfully present in California.
In addition, the CCPA only affects for-profit businesses that have either:
annual gross revenue of more than $25 million,
collect, buy, sell, or share data from at least 50,000 (100,000 by CPRA) consumers, devices, or households in California or
at least 50 percent of its annual revenue is derived from the sale of California’s residents’ data.
To be covered by the CCPA/CPRA, the business must also meet the following two criteria: it collects personal data from consumers in California and determines the purpose and means of processing that data, and it also operates in California.
Types of protected data
The GDPR broadly covers processing all personal data, regardless of what that data is for or how it’s processed. The only exceptions to this rule are the non-automated, personally performed data processing that’s not on file and the data processing that consumers perform for their purposes. However, the CCPA/CPRA is a bit more specific about what data types are protected in different circumstances.
For example, while the GDPR regulations require businesses to obtain users’ consent with opt-in options before accessing their data, the CCPA regulations only require companies to offer an opt-out option if user data is to be actively sold or shared.
In addition, California regulations only protect a narrow range of user data types. Such types are any data already legally available to the public, medical information protected by the California Confidentiality of Medical Information Act (CMIA) or the federal Health Insurance Portability and Accountability Act (HIPAA), personal information covered by the California Driver Privacy Protection Act, and other similar records.
While this area may be a bit more difficult for a California service provider business to navigate, it is likely already prepared when following the stricter regulations of the GDPR.
Collection, sale, and process of data
Under the GDPR and the CCPA/CPRA, “personal data” refers to any information that may directly or indirectly constitute an identifiable individual. This includes data about your external visitors and contractors. On the other hand, anonymous data is information that cannot be traced to a single identity and therefore doesn’t fall under either law.
GDPR UNDER collection, sale, and process of data
“Processing” of personal data is any action taken on a data subject’s information. This includes everything from the initial collection of the user or visitor data to the structuring and storage of that information, its provision to others, and its ultimate removal and deletion.
CCPA/CPRA UNDER collection, sale, and process of data
“Collecting” refers to the gathering of personal data by any method, but unlike the GDPR, this alone isn’t considered “processing” and a “processing” doesn’t take place until the already collected data is further processed. Also, “selling” is referred to as another separate operation, which includes any transfer, disclosure, or other types of communication relating to the content of a data subject’s personal data. At last, “sale” here doesn’t necessarily mean that a payment is ever involved, but only that a valuable and intentional exchange of personal user data has taken place.
Information provided to data subjects
The GDPR and the CCPA/CPRA provide data-sharing methods to ensure greater data management transparency. Data subjects must be informed about and when the requirement is that they are informed about the purposes for which their data is being processed, the rights that consumers have to their data, and how they can contact a competent data protection officer if they choose.
CCPA/CPRA under the information provided
Companies must send periodic reports informing data subjects when their personal information has been collected, sold, or disclosed for business purposes after 12 months.
Data subjects must also be notified explicitly by third parties who have received their data if they intend to sell the data to another third party.
GDPR under the information provided
Data subjects must be notified when information is collected directly from them and when their data is shared with another entity, regardless of affiliation or intent.
They must be informed of how long their data may be retained if their data is used in automated systems for profiling.
They must also be informed of the reasons for these profiling processes and reminded that they have the right to withdraw their consent to the data they have previously shared. Finally, data subjects must be notified within one month at the latest if a third party processes their data under the GDPR, and they must be informed precisely from which source this third party obtained their data.
Administrative fines for failure to comply with the GDPR and/or for data breaches can be up to €20 million (approximately $24 million) or 4% of the breaching company’s annual global turnover from the previous fiscal year, whichever is greater.
In the event of such a payout, administrative fines will be applied proportionately to the total financial assets of the violating business. A visitor management system can help you avoid GDPR penalties regarding your visitor data.
The CCPA differs significantly from the GDPR in this regard, as non-compliance alone is not grounds for a fine. Instead, penalties are only imposed when a data breach occurs. All pre-existing breaches relevant to the violation are considered and fined individually when such a breach occurs. The maximum fines are $2,500 for violations, $7,500 for willful violations, and $100 to $750 in damages in civil court.
Although the costs of violations of the GDPR and the CCPA/CPRA should not be taken lightly, there is a big difference in their approach. GDPR is preventative and designed to punish an irresponsible business, and CCPA/CPRA is entirely reactionary.
How do you ensure security of privacy data and personal information?
While GDPR requires thorough measures to comply, it shifts the requirements into consumer protection. The CCPA/CPRA regulations allow consumers and companies who violate their privacy to take action against businesses if they cannot comply.
Although it is hard for a business to keep up with all the differences in regulations and stay compliant, the GDPR Compliance Center app by Pandectes offers a reliable solution for an eCommerce business to remain compliant and up-to-date with data privacy regulations.