Two recent laws affecting many businesses are the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Both give individuals more visibility into, and control over, the personal information that businesses collect about them. There are some key differences you'll need to know about to ensure you're compliant with both.
What is CCPA?
The CCPA is a California state law that gives consumers more control over the personal information that businesses collect about them. Most businesses collect personal information to target and serve customers, but until now it has been hard for consumers to learn exactly what was being collected and where it went.
Under the CCPA, consumers can ask a business to disclose the categories and specific pieces of personal information it has collected about them, the sources it came from, the purposes it is used for, and the categories of third parties it was shared with or sold to. Consumers can also opt out of the sale of their personal information (and, under the CPRA amendments, of its sharing for cross-context behavioral advertising), request that it be deleted, and not be discriminated against for exercising these rights. CCPA compliance is therefore largely about knowing how information is sold and shared and giving consumers a clear, readable response to their requests.
What are the Principles of CCPA?
The CCPA can be summarized in three major principles: transparency, accountability and control. It makes businesses more transparent because they must disclose what information they hold on a consumer, where they got it and who it was shared with or sold to.
Businesses are accountable for providing this information when it is requested, within the statutory deadline. Consumers gain control because they can request the information at any time, opt out of the sale or sharing of their data, or request deletion, and the business must comply unless a statutory exception applies.
What is GDPR?
The GDPR is a European Union regulation, and its goals are similar to the CCPA's. It gives individuals (called data subjects) the right to access the personal data held about them, to have inaccurate data corrected, to request erasure, to object to certain processing or withdraw consent, and to receive their data in a portable format. Much like the CCPA, data subjects must be told in clear language who their information has been shared with and why it is being processed.
The GDPR applies to any organization established in the EU, whether as its primary base or a satellite office, and also to organizations outside the EU that offer goods or services to people in the EU or monitor their behavior there.
What are the Principles of GDPR?
The GDPR sets out seven principles that any organization subject to it must comply with, and failing to do so can lead to penalties. The principles are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
In practice this means collecting only the data needed for a stated purpose, keeping it accurate and no longer than necessary, protecting it with appropriate technical and organizational measures, and being able to demonstrate all of this to a regulator.
What are the Differences?
While both laws protect individuals and make it easier for them to access any collected information, there are some differences between them. The CCPA is more about transparency, in particular understanding who the information is sold to and shared with. Along with this, a CCPA response must also show the categories of sources the information was collected from.
The GDPR puts more weight on security and accountability. It requires some organizations, such as public authorities and those doing large-scale monitoring or processing of sensitive data, to appoint a data protection officer responsible for overseeing compliance, and it requires every organization to secure personal data with measures appropriate to the risk. Data breaches happen. When one does, the GDPR requires a business to notify its supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; affected individuals must also be told when the risk to them is high. If it is shown that the business did not properly protect the data, it can face penalties, which for the most serious infringements can reach 20 million euros or 4 percent of worldwide annual turnover, whichever is higher.
Another major difference is that the GDPR defines its scope very broadly. Any information relating to an identified or identifiable person is personal data, which obviously includes names, images and demographic details but also extends to location data, online identifiers, biometric data and anything else that can be used to identify an individual. The CCPA's definition is also broad, and notably covers information that can be associated with a household as well as with an individual.
What do They Do?
In a very broad sense, these two laws govern how information collected from individuals is treated. Both give people a defined way to request that information, and both require businesses to have a process for receiving and answering those requests within a deadline (45 days under the CCPA, one month under the GDPR, each extendable in certain circumstances). Having a single, documented process for this is easier for businesses than handling requests ad hoc.
On top of that, these laws give individuals power over their information. They can see what is held, request that it be deleted, and, under the CCPA, opt out of its sale or sharing, or, under the GDPR, object to processing or withdraw the consent it was based on.
Which Businesses Does this Apply To?
A great many businesses. The CCPA applies to for-profit businesses that do business in California, collect personal information about California residents, and meet at least one of its statutory thresholds on annual revenue, the volume of personal information bought, sold or shared, or the share of revenue derived from selling it. The GDPR applies to any organization, regardless of size, that processes the personal data of people in the EU while established there or while offering them goods or services or monitoring their behavior. Any business that falls within either scope must follow the law to avoid penalties.
While the CCPA and GDPR are similar in spirit, there are key differences in territory, in which requests individuals can make, and in how collected information must be protected. Compliance with both starts from the same foundation: an accurate inventory of what personal information you hold, where it came from, where it is stored and who it flows to, since every access, deletion and disclosure obligation depends on it. Even so, it is best to have a lawyer on your side to confirm which obligations apply to you.