In the last few years cybersecurity has evolved massively on a global basis as greater efforts are invested in protecting individuals, businesses and organizations from the threat of hacking.
New legislation has been introduced in relation to the way that personal private data is managed, stored and collected. The two most significant legislative acts seen, to date, are the European Union’s General Data Protection Act (GDPR) and the, soon-to-become-enforceable, California Consumer Privacy Act (CCPA).
Since the introduction of GDPR, new standards of privacy for European Union citizens and residents have been established. Already massive GDPR fines have been sanctioned against Google, Facebook and smaller companies by the local data protection authorities in European Union Member States. In the United States, the CCPA has been formulated using GDPR as a reference point and is due to become enforceable on January 1, 2020. Currently there are some last-minute amendments being discussed for CCPA as those companies affected do their best to achieve compliance before the go-live date.
What are the differences and similarities between these two pieces of data protection legislation? We outline the main differences between these legislative acts in order to make it clear what you must do to ensure you do not fall foul of either and end up incurring a large financial penalty.
What are the go-live dates for GDPR and GDPR?
GDPR became enforceable on May 25 2018, following a two-year period after the Act was initially passed. This was to allow companies a period of grace to prepare themselves for the challenge of complying with the new legislations and avoiding the payment of stringent financial penalties.
CCPA will become enforceable from January 1 2020. The bill was initially passed by the California State Legislature on June 28 2018 and final amendments were signed off on September 13 2018.
Who must Comply with GDPR and CCPA?
As of May 25 2018 any business that gathers, stores or processes the data of EU citizens was obliged to comply with GDPR or else face being sanctioned with a penalty at the behest of the data protection authority in the EU Member States where their EU office is located.
From January 1 2020. Companies that report the following must comply with the CCPA:
- Annual revenue greater than €25m
- Managing the private data of more than 50,000 California-based consumers
- California consumer data accounts for a minimum of 50% of revenue reported
GDPR Penalties vs CCPA Penalties
The highest possible GDPR fine is €20m or 4% of annual global revenue for the previous year. There is also a lower end of €10m or 2% of annual global revenue for the previous year for controllers and processors, certification bodies or monitoring bodies. Other lower-end breaches can result in sanctions such as the issuing of warnings and reprimands, a temporary or permanent ban on data processing, erasure of data and suspension of data transfers to third countries.
Under CCPA the standard fine will be $750 per violation per person, with a maximum fine of $2,500 for a standard violation and $7,500 for an intentional violation for companies that fall under the auspices of the criteria listed above.
Rights Under CCPA & GDPR
GDPR enshrines the right to access, rectification, to be ‘forgotten’, restriction of processing, object, being informed and not to be the subject of a decision based on automated processes.
CCPA allocates consumers based in California the right to access, knowledge of sale of private data, objection to sale of data and the right to equal price and service.
Both CCPA and GDPR require that individuals must, upon request, be given access to the what information is collected about them, what information is shared or sold regarding them and who that information is shared with or sold to.
User Opt-Out vs User Opt-In
Under GDPR users must explicitly opt-in to sharing information with third party partners. It is not enough to include a ticked box on a website and ask that user deselect this in order to opt out of sharing their information for other purposes. CCPA does not have this requirement and users are requested to express their wish to opt out from sharing. Due to this, businesses preparing for CCPA should be aware that if they comply with GDPR then they comply with the CCPA.
CCPA states that you must get the explicit consent to sell or share the date of any user who are under the age of 16. For users that are over the age of 16 a link titled “Do not sell My Personal Information” must be clearly displayed on a homepage, alongside a privacy policy, so that users can withdraw consent for sale at any time they wish to do so.
GDPR stipulates that any company or group that has consent from the user – with clear, affirmative permissions – is permitted gather their data for reasons that are provided to the user.
Data Security Requirements Under GDPR & CCPA
CCPA allows for legal actions to be taken by the California Attorney General’s Office if a breach occurs. A breach is when a company or group’s data is mishandled or illegally accessed. It is important for entities to ensure that every possible effort has been implemented in order to prevent this from occurring.
Under GDPR data should kept confidential and accessible. Users must be alerted when a data breach occurs and a Data Protection Impact Assessment must be completed before the processing of data begins.
Conclusion
While there are many similarities between GDPR and the CCPA it is not enough for companies to think that if they comply with one they will comply with both. In order to avoid financial penalties and stringent sanctions groups and organizations must ensure that they are compliant with the new legislation prior to the January 1 2020 introduction date. You should arrange a consultation to assess your level of preparedness as soon as possible.