GDPR and CCPA compliance: The 5 differences you should know
If you had told me 20 years ago that I'd be writing about data privacy laws inside a tech company, I never would have believed it. But then again, most of us didn't see all this coming.
After decades of the relatively lawless “Wild West” of the internet, we’ve finally entered a welcome period of legal reformation. We've even arrived at this point where we're comparing two different data privacy laws: GDPR and CCPA.
The General Data Protection Regulation (GDPR) went into effect on May 25, 2018, effectively redefining the entire landscape of how online user data is to be handled. Then, at the beginning of last year, a new set of regulations, the California Consumer Privacy Act (CCPA), went live, causing some businesses to begin to worry.
While that’s to be expected, we’ll start with the good news first.
The good news about CCPA compliance
If you've already finished the careful process of adapting to the stringent data privacy regulations set out by the European Union (EU), then you might be wondering how the CCPA is different from the GDPR. Will this new policy require you to shift your data privacy practices all over again?
Although the GDPR and CCPA are different from one another in some notable ways, the CCPA is essentially a less strict version of the GDPR. (Kinda like how my mother was the strict one growing up, and my dad was the CCPA to her GDPR).
This means that if your business is already aligned with the GDPR, maintaining CCPA compliance shouldn’t be too much of a hassle.
Still, to ensure no violations occur, it’s essential for businesses prioritizing regulatory compliance to understand the practical differences that exist between them.
Some background on the current shift in data privacy laws
The GDPR protects every EU citizen from having their personal information collected and used without their consent—regardless of whether it's online or in-person.
Thus, companies from around the world have been forced to alter their data privacy practices accordingly.
As some predicted, this has also inspired something of a positive chain reaction across international data policies. As other countries continue to depend on business with the EU (which accounted for 16.3% of U.S. exports in 2019), many governments are finding it best to simply adopt their own GDPR-style set of data privacy laws.
That’s how California followed suit in 2020 with the CCPA, which was officially enforced from July 1 by the California Attorney General. This moment marked a great milestone in state data privacy legislation and possibly the first step towards a comprehensive federal law in the U.S.
Now that we’ve introduced the two leading players in the data privacy arena, the GDPR and the CCPA, let’s discuss what we know so far in terms of these five differences:
- Who they affect
- The types of data protected
- What actions constitute data collecting, selling, and processing
- The information that must be provided to data subjects
- The penalties involved
The 5 key differences between the GDPR and CCPA
1. Who they affect
The GDPR’s laws apply to businesses (and their websites) of every kind.
From eCommerce businesses to the webpages of non-profit organizations to the websites of public institutions, any entity that deals with personal data from the EU must comply with the GDPR or invite costly legal repercussions. This also has implications for GDPR and visitor management.
While the GDPR protects all “data subjects” (the identifiable people to whom personal data belongs) regardless of their residence or citizenship status, the CCPA’s protections are limited to individual data subjects who legally reside in California.
Moreover, CCPA only affects for-profit entities whose business meets at least one of the following characteristics:
- has an annual gross revenue of more than $25 million
- collects, buys, sells, or shares the data of more than 50,000 consumers, devices, or households in California (this includes your company's visitors)
- derives at least 50% of its annual revenue from selling this data
To fall under the CCPA, the business must also meet both of the criteria below:
- collects personal information from consumers in California and determines the purposes and means of processing that information, and
- operates in California
There are still some grey areas to this "operates in California" label, as we mentioned in "What is CCPA and why should it matter to you?".
We promise to keep an eye and ear out for final judgments.
2. The types of data protected
The GDPR broadly covers the processing of all personal data, no matter what that data is intended for or how it’s processed.
The only two exceptions to this rule are:
- non-automated, manually conducted data processing whose results are not going to be filed, and
- any data processing that’s undertaken by individuals for their own personal purposes.
The CCPA, however, is a bit more particular about what kinds of data are protected under different circumstances.
For instance, while the GDPR requires entities to clearly gain user consent with “opt-in” options before accessing any of their data, the CCPA only requires businesses to supply the option to “opt-out” when user information is going to be actively sold or shared.
Furthermore, the CCPA exempts a wider range of user data types from protection than the GDPR does, such as:
- any data that is already legally available to the public
- medical information that’s protected under California’s Confidentiality of Medical Information Act (CMIA) or the federal Health Insurance Portability and Accountability Act (HIPAA)
- personal information covered by California’s Driver’s Privacy Protection Act, and
- other similar data sets.
Although this is an area that’s a little trickier for companies serving California to navigate, if they follow the stricter regulations of the GDPR, they are likely already set.
Still, a business’s safest bet is to double-check and ensure that its processes accommodate the CCPA’s specific regulations.
3. What actions constitute data collecting, selling, and processing
Under both the GDPR and CCPA, the term “personal data” means any information that can directly or indirectly represent an identifiable person. This includes the data of your external visitors and contractors.
On the other hand, anonymous data is information that can’t be traced to a single individual—and therefore isn’t covered by either law.
But that’s about where the similarities in terminology end.
The GDPR considers the “processing” of personal data to be any action performed on a data subject's information. This includes everything from the initial act of collecting user or visitor data to structuring and storing that information, making it available for others to access, and its eventual removal and erasure.
The CCPA splits its data-relevant terminology into multiple separate definitions.
- “Collecting” refers to the gathering of personal information through any method, but unlike the GDPR, this alone isn’t considered “processing”.
- "Processing" only occurs once data that has already been collected is acted upon further.
- “Selling” is treated as another separate event that includes any transfer, disclosure, or other kind of communication of the contents of a data subject's personal information.
- Most notably, “selling” here doesn’t necessarily mean any payment is ever involved, only that a valuable and intentional exchange of personal user information has occurred.
4. The information that must be provided to data subjects
To ensure greater transparency in how data is managed, both the GDPR and CCPA specify the following:
- the data sharing methods that data subjects need to be informed of and when
- the requirement that they must be notified of the purposes their data is being processed for
- the rights individuals are entitled to regarding their data and how they can contact a relevant data protection officer if desired
As to the differences:
Under the CCPA, companies must regularly send reports that inform data subjects whether their personal information was collected, sold, or disclosed for business purposes over the preceding 12-month period.
Data subjects must also be explicitly notified by any third parties who have obtained their information when those third parties intend to sell it to yet another separate entity.
The GDPR’s requirements are significantly more thorough.
- Data subjects must be notified when information is collected directly from them and whenever their information is shared with another entity, regardless of its affiliation or intention.
- They must be told how long their data can be retained whenever their data is applied to automated systems for profiling.
- They must also be informed of the reasoning behind those profiling processes and be supplied reminders that they always have the right to withdraw their consent to the data they’ve previously shared.
Lastly, when their data is processed by a third party under the GDPR, data subjects must be notified no later than one month afterwards and told exactly which source that third party acquired their data from.
5. The penalties involved
GDPR financial penalties for non-compliance and/or data breaches can range as high as €20 million (roughly $24 million) or 4% of the violating company’s annual global turnover from the previous fiscal year, whichever amount is higher.
In the instance of such payouts, administrative levies are to be applied proportionately across the offending entity’s total financial assets. Believe it or not, having a visitor management system can help you avoid GDPR fines when it comes to your visitor data.
The CCPA differs from the GDPR noticeably here, in that non-compliance alone isn’t considered enough cause for fining. Instead, penalties are only applied after a data breach occurs.
When one does happen, all pre-existing violations relevant to the breach are taken into consideration and individually fined. The maximum fines are as follows:
- $2,500 per violation
- $7,500 per intentional violation
- $100 to $750 in damages in civil court (The CCPA provides consumers affected by a breach the opportunity to independently sue the responsible party as well.)
So while the costs for violations under both the GDPR and CCPA should not be taken lightly, there is a major difference in their approach:
- the GDPR is preemptive in reprimanding an irresponsible company
- the CCPA is entirely reactive
Ensuring your data privacy compliance for the GDPR and CCPA
The GDPR has been driving scrutiny of businesses that deal with the EU (and fining offenders as needed) for two years now, and a challenging 2020 hasn’t slowed down the enforcement of the CCPA.
As this overview plainly demonstrates, there’s a lot to consider when maintaining compliance with both the GDPR and CCPA. And there are still more specifications to come now that the California Privacy Rights Act (CPRA) has been passed into law and Brexit is official.
With all that in mind, having a digital visitor management system in place, like Proxyclick, can make your life easier in managing the data of your visitors.
How Proxyclick helps you maintain data privacy
Having a cloud-based visitor management system allows you to better anticipate, manage and store your visitor data. Your organization can automate certain processes that eliminate much of the room for human error and create consistently memorable visitor experiences.
The right visitor management system will also allow you to manage multiple buildings and productions from one dashboard through an all-in-one interface that streamlines the handling of visitor data.
To maintain GDPR and CCPA compliance, we provide several capabilities including, but not limited to:
- customizable data collection methods that help ensure you only acquire the minimum amount of personal information needed to operate
- the ability to set automated retention periods as desired, so that the information you gather is never held onto longer than necessary
To be prepared in case of an audit, Proxyclick is designed to collect proof of visitor agreements. You can integrate with your file storage providers to keep track of your crucial consent documentation.
If your company's reach spans across borders, we also provide the option for location-specific settings to adhere to the unique regulations of different regions more easily.
For insights on the growing importance of data privacy in the pandemic era, check out our conversation with experts from Crowell & Moring during our Return Ready Virtual Summit in 2020.
Learn more about how we handle security at Proxyclick or book a demo with one of our experts, anytime.
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.