If you would have told me 20 years ago that I'd be writing about data privacy laws inside a tech company, then I never would have believed it. But then again, most of us didn't see all this coming.
After decades of the relatively lawless “Wild West” of the internet, we’ve finally entered a welcome period of legal reformation. We've even arrived at this point where we're comparing two different data privacy laws: GDPR and CCPA.
The General Data Protection Regulation (GDPR) went into effect on May 25, 2018, effectively redefining the entire landscape of how online user data is to be handled. Then, at the beginning of last year, a new set of regulations, the California Consumer Privacy Act (CCPA), went live, causing some businesses to begin to worry.
While that’s to be expected, we’ll start with the good news first.
If you've already finished the careful process of adapting to the stringent data privacy regulations set out by the European Union (EU), then you might be wondering how the CCPA is different from the GDPR. Will this new policy require you to shift your data privacy practices all over again?
Although the GDPR and CCPA differ from one another in some notable ways, the CCPA is essentially a less strict version of the GDPR. (Kinda like how my mother was the strict one growing up, and my dad was the CCPA to her GDPR.)
Meaning, if your business is already aligned with the GDPR, then maintaining CCPA compliance shouldn’t be too much of a hassle.
Still, to ensure no violations occur, it’s essential for businesses prioritizing regulatory compliance to understand the practical differences that exist between them.
The GDPR protects every EU citizen from having their personal information collected and used without their consent—regardless of whether it's online or in-person.
Thus, companies from around the world have been forced to alter their data privacy practices accordingly.
As some predicted, this has also inspired somewhat of a positive chain reaction across international data policies. As other countries continue depending on business with the EU (who accounted for 16.3% of U.S. exports in 2019), many governments are finding it best to simply adopt their own GDPR-style set of data privacy laws.
That’s how California followed suit in 2020 with the CCPA, which the California Attorney General began enforcing on July 1. This moment marked a great milestone in state data privacy legislation and possibly the first step towards a comprehensive federal law in the U.S.
Now that we’ve introduced the two leading players in the data privacy arena, the GDPR and the CCPA, let’s discuss what we know so far in terms of these five differences:
The GDPR’s laws apply to businesses (and their websites) of every kind.
From eCommerce businesses to the webpages of non-profit organizations to the websites of public institutions, any entity that deals with personal data from the EU must comply with the GDPR or invite costly legal repercussions. This also includes implications for GDPR and visitor management.
While the GDPR protects all “data subjects” (the identifiable people to whom personal data belongs) regardless of their residence or citizenship status, the CCPA’s protections are limited to individual data subjects who legally reside in California.
Moreover, the CCPA only affects for-profit entities whose business meets at least one of the following characteristics:
To fall under CCPA compliance, the business must also meet both of the criteria below:
There are still some grey areas to this "operates in California" label, as we mentioned in "What is CCPA and why should it matter to you?".
We promise to keep an eye and ear out for final judgments.
2. The types of data protected
The GDPR broadly covers the processing of all personal data, no matter what that data is intended for or how it’s processed.
The only two exceptions to this rule include:
The CCPA, however, is a bit more particular about what kinds of data are protected under different circumstances.
For instance, while the GDPR requires entities to clearly gain user consent with “opt-in” options before accessing any of their data, the CCPA only requires businesses to supply the option to “opt-out” when user information is going to be actively sold or shared.
Furthermore, the GDPR protects a wider range of user data types than the CCPA, which does not cover data such as:
Although this is an area that’s a little trickier for companies serving California to navigate, if they follow the stricter regulations of the GDPR, they are likely already set.
Still, a business’s safest bet is to double-check and ensure that its processes accommodate the CCPA’s specific regulations.
Under both the GDPR and CCPA, the term “personal data” means any information that can directly or indirectly represent an identifiable person. This includes the data of your external visitors and contractors.
On the other hand, anonymous data is information that can’t be traced to a singular identity—and therefore isn’t covered by either’s laws.
But that’s about where the similarities in terminology end.
The GDPR considers the “processing” of personal data to be any action performed on a data subject's information. This includes everything from the initial act of collecting user or visitor data to structuring and storing that information, making it available for others to access, and its eventual removal and erasure.
The CCPA splits its data-relevant terminology into multiple separate definitions.
To ensure greater transparency on how the data is managed, both the GDPR and CCPA include the following:
As to the differences:
Under the CCPA, companies must regularly send reports that inform data subjects when their personal information was collected, sold, or disclosed for business purposes after a 12-month time span.
Data subjects must also be explicitly notified by any third parties who have obtained their information when those third parties intend to sell it to yet another separate third-party entity.
The GDPR's transparency requirements are significantly more thorough.
Lastly, when their data is processed by a third party under the GDPR, data subjects must be notified no later than one month later and told exactly from what source that third party acquired their data.
GDPR financial penalties for non-compliance and/or data breaches can range as high as €20 million (roughly $24 million) or 4% of the violating company’s annual global turnover from the previous fiscal year, whichever amount is higher.
In the instance of such payouts, administrative levies are to be applied proportionately across the offending entity’s total financial assets. Believe it or not, having a visitor management system can help you avoid GDPR fines when it comes to your visitor data.
The CCPA differs noticeably from the GDPR here, in that non-compliance alone isn’t considered enough cause for fining. Instead, penalties are only applied after a data breach occurs.
When one does happen, all pre-existing violations relevant to the breach are taken into consideration and individually fined. The maximum fines are as follows:
So while the costs for violations under both the GDPR and CCPA should not be taken lightly, there is a major difference in their approach:
The GDPR has been prompting scrutiny of businesses dealing with the EU (and fining offenders as needed) for two years now, and a challenging 2020 hasn’t slowed down the enforcement of the CCPA.
As this overview plainly demonstrates, there’s a lot to consider when maintaining compliance between the GDPR and CCPA. And there are still more specifications to come now that the California Privacy Rights Act (CPRA) was passed into law and Brexit is official.
With all that in mind, having a digital visitor management system in place, like Proxyclick, can make your life easier in managing the data of your visitors.
Having a cloud-based visitor management system allows you to better anticipate, manage, and store your visitor data. Your organization can automate certain processes that eliminate much of the room for human error and create consistently memorable visitor experiences.
The right visitor management system will also allow you to manage multiple buildings and sites from one dashboard through an all-in-one interface that streamlines the handling of visitor data.
To maintain GDPR and CCPA compliance, we provide several capabilities including, but not limited to:
To stay prepared in case of an audit, Proxyclick is designed to collect proof of visitor agreements. You can integrate with your file storage providers to keep track of your crucial consent documentation.
If your company's reach spans across borders, we also provide the option for location-specific settings to adhere to the unique regulations of different regions more easily.
For important insights on the increasing importance of data privacy in the pandemic era, check out our conversation with experts from Crowell & Moring during our Return Ready Virtual Summit in 2020.
***
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.