GDPR and CCPA compliance: The 5 differences you should know
If you would have told me 20 years ago that I'd be writing about data privacy laws inside a tech company in 2019, then I never would have believed it. But then again, most of us didn't see all this coming. After decades of the relatively lawless “Wild West” of the internet, we’re finally entering a welcome period of legal reformation. We've even arrived to this point where we're comparing two different data privacy laws: GDPR and CCPA!
The Global Data Protection Regulation (GDPR) went into action last year, effectively redefining the entire landscape of how online user data is to be handled. Now, a new set of regulations, the California Consumer Privacy Act (CCPA), is about to go live in 2020, and it’s causing some businesses to begin to worry.
But that’s to be expected. So let's start with the good news first...
The good news about CCPA compliance
If you've recently finished the careful process of adapting to the new guidelines set out by the European Union (EU), then you might be wondering how the CCPA is different from the GDPR. Will the arrival of this new policy require them to shift your data privacy practices all over again?
While the GDPR and CCPA are different from one another in some notable ways, the CCPA is essentially a less strict version of the GDPR (kinda like how my mother was the strict one growing and my dad was the CCPA to her GDPR).
Meaning, if your business is already aligned with the GDPR, then maintaining CCPA compliance shouldn’t be too much of a hassle.
Still, to ensure no violations occur, it’s important for businesses to understand the practical differences that exist between them.
Some background on the current shift in data privacy laws
The GDPR protects every EU citizen from having their personal information collected and used without their consent—regardless of whether it's online or in-person as a visitor.
So companies from around the world have been forced to alter their data privacy practices accordingly.
As some predicted would happen, this is also inspiring somewhat of a positive chain reaction across international data policies. Because other countries will continue depending on business with the EU (who accounted for 19.1% of U.S. exports last year), many governments are finding it best to simply adopt their own GDPR-style set of data privacy laws.
California is slated to be the next to follow suit, with the CCPA, though the act won’t be finalized until October this year and won’t actually go into effect until January 2020.
So let's be clear about how unclear the California Consumer Privacy Act still is at this juncture, and discuss what we know so far in terms of these five differences:
- Who they affect
- The penalties involved
- What actions constitute data collecting, selling, and processing
- The types of data protected
- The information that must be provided to data subjects
1. Who they affect
The GDPR’s laws apply to businesses (and their websites) of every kind.
From eCommerce businesses, to the webpages of non-profit organizations, to the websites of public institutions; any entity that deals with personal data from the EU must comply with the GDPR or invite costly legal repercussions. This includes implications for GDPR and visitor management.
Meanwhile, the CCPA’s protections are limited to individual data subjects that legally reside in California, whereas the GDPR protects all “data subjects” (the identifiable people to which personal data belongs) regardless of their residence or citizenship status.
Sounds easy enough, right? Keep reading...
On the flip side, CCPA only affects for-profit entities whose business meets at least one of the following characteristics:
- Has an annual gross revenue >$25 million
- collects, buys, sells or shares the data of >50,000 consumers, devices, or households in California (this includes your company's visitors)
- At least 50% percent of their annual revenue from selling this data
Furthermore, the business must also meet both of the criteria below:
- Collects personal information from consumers in California and determines the purposes and means of processing the information, and
- Operates in California
There are still some grey areas to this "operates in California" label, as we mentioned in "What is CCPA and why should it matter to you?"
2. The penalties involved
GDPR financial penalties, for non-compliance and/or data breaches, can range as high as €20 million (roughly $22 million), or 4% of the violating company’s annual global turnover from the previous fiscal year—depending on whichever amount is higher.
In the instance of such payouts, administrative levies are to be applied proportionately across the offending entity’s total financial assets. Believe it or not, having a visitor management system can help you avoid GDPR fines when it comes to your visitor data.
The CCPA differs from the GDPR noticeably here, in that non-compliance alone isn’t considered enough cause for fining. Rather, penalties are only applied after a data breach occurs.
When one does happen, all pre-existing violations relevant to the breach are taken into consideration and individually fined. The maximum fines are as follows:
- $2,500 for violations
- $7,500 for intentional violations
- $100 to $750 in damages in civil court (The CCPA provides consumers affected by a breach, the opportunity to independently sue the responsible party as well.)
So while the costs for violations under both the GDPR and CCPA should not be taken lightly, there is a major difference in the approach:
3. What actions constitute data collecting, selling, and processing
Under both the GDPR and CCPA, the term “personal data” means any information that can directly, or indirectly, represent an identifiable person. This includes the data pertaining to your external visitors and contractors.
Anonymous data, on the other hand, is information that can’t be traced to a singular identity—and therefore isn’t covered by either’s laws.
But that’s about where the similarities in terminology end.
Considers the “processing” of personal data to be any action that’s performed on a data subject's information. This includes everything from the initial act of collecting user or visitor data, to structuring and storing that information, making it available for others to access, and to its eventual removal and erasure.
Splits its data-relevant terminology into multiple separate definitions.
- “Collecting” refers to the gathering of personal information through any method, but unlike the GDPR, this alone isn’t considered “processing”.
- "Processing" only occurs once data that has already been collected is acted upon further.
- "Selling” is referred to as another separate event which includes any transference, disclosure, or other kinds of communication regarding the contents of a data subject's personal data.
- Most notably, “selling” here doesn’t necessarily mean any payment is ever involved, only that the valuable and intentional exchange of personal user information has occurred.
I know we said that CCPA is less strict than GDPR, but it turns out that it's got way more variances in what kinds of data use is prohibited and allowed. And you wouldn't want your business to be susceptible to CCPA pitfalls by not having a similarly GDPR visitor sign-in in place.
Which brings us to our next major difference between the GDPR and CCPA...
4. The types of data protected
The GDPR broadly covers the processing of any and all personal data, no matter what that data is intended for or how it’s processed.
The only two exceptions to this rule include:
- non-automated, personally conducted, data processing efforts that are not going to be filed, and
- any data processing that’s conducted by individuals for their own personal purposes.
The CCPA, however, is a bit more particular about what kinds of data are protected under different circumstances.
For instance, while the GDPR requires entities to clearly gain user consent with “opt-in” options before accessing any of their data, the CCPA only requires businesses to supply the option to “opt-out” when user information is going to be actively sold or shared.
Furthermore, the CCPA does not provide protection to a wider range of user data types than the GDPR, such as:
- any data that is already legally available to the public
- medical information that’s protected under California’s Confidentially of Medical Information Act (CMIA) or the federal Health Insurance Portability and Accountability Act (HIPPA)
- personal information covered by California’s Driver’s Privacy Protection Act, and
- other similar data sets.
Still, a business’ safest best is to double-check and ensure that their processes accommodate the CCPA’s specific regulations.
5. The information that must be provided to data subjects
Finally, to ensure greater transparency on how the data is applied, both the GDPR and CCPA detail exactly what data sharing methods that data subjects need to be informed of, and when.
They both also share the requirements that data subjects be notified of what purposes their data is being processed for, the rights they are entitled to regarding their data, and how to contact a relevant data protection officer if desired.
As to the differences:
Companies must regularly send reports that inform data subjects when their personal information was collected, sold, or disclosed for business purposes after a 12-month time-span. Data subjects must also be explicitly notified by any third-parties who have obtained their information when they intend on selling it to yet another separate third-party entity.
They're significantly more thorough.
- data subjects must be notified when information is collected directly from them and whenever their information is shared to another entity, regardless of its affiliation or intention.
- they must also be told how long their data can be retained whenever their data is applied to automated systems for profiling
- they must be informed of the reasoning behind those profiling processes, and
- be supplied reminders that they always have the right to withdraw their consent to the data they’ve previously shared
Lastly, when their data is processed by a third-party under the GDPR, they must be notified in no later than one month’s time, and told exactly from what source that third-party managed to acquire their data from.
Ensuring your Data Privacy Compliance for the GDPR and CCPA
The CCPA is coming up right around the corner, and the GDPR has been prompting analyses of EU-dealing businesses (and fining offenders as needed).
As this overview plainly demonstrates, there’s a lot to consider when it comes to maintaining compliance between the GDPR and CCPA—and there are still more specifications to come.
With all that in mind, having a digital visitor management system in place, like Proxyclick, can make your life easier in managing the data of your visitors.
How Proxyclick helps you maintain data privacy
Having a cloud-based visitor management system allows you to better anticipate, manage and store your visitor data. Your organization can automate certain processes that eliminate much of the room for human error; and create consistently memorable visitor experiences.
The right visitor management systems will also allow you to manage multiple buildings and productions from one Dashboard, through an all-in-one interface that streamlines the handling of visitor data.
To maintain GDPR and CCPA compliance, we provide a number of capabilites including, but not limited to:
- customizable data collection methods that help ensure you only acquire the minimum amount of personal information needed to operate.
- the ability to set automated retention periods as desired (That way, the information you gather is never held onto longer than necessary.)
For staying secure in the case of an audit, Proxyclick is designed to collect proof of visitor agreements. You can integrate with your file storage providers to keep track of your crucial consent documentation.
If your company's reach spans across borders, we also provide the option for location-specific settings to more easily adhere to the unique regulations of different regions.
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.