The EU introduced the General Data Protection Regulation (GDPR) in May 2018. Since its implementation, GDPR has changed the way that businesses handle, collect, and process consumer data. It is a landmark piece of legislation and has affected the attitudes of organisations across the world when it comes to data privacy.
Many experts predicted that other countries would soon follow in the EU’s footsteps and create similar GDPR-style data protection laws. While the US has laws protecting specific types of data, such as the Health Insurance Portability and Accountability Act, there exist no federal laws protecting a consumer’s general data. Until such a law is created, it is up to individual states to implement their legislation to protect consumer information.
California became the first state to implement such a law. Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law in June 2018, amending Part 4 of Division 3 of the Civil Code of the State of California. It will come into effect on January 1, 2020.
Drawing comparisons between CCPA and GDPR is easy. For example, both have a vast reach: organisations across the globe are required to comply with their rules, not just businesses within their jurisdiction.
While ostensibly similar, there are some critical differences. These include:
1) The rights granted to consumers
Both GDPR and CCPA offer consumers new rights over their data, including:
• Right to information and access
• Right to portability
• Right to erasure
• Right to opt-out
However, the specific details of the rights offered differ between the two pieces of legislation. For example, CCPA’s right to erasure stipulates that a business must delete a consumer’s personal information once it receives a request from that consumer, unless one of a set of exceptions applies, such as data security, repairing errors, or legal compliance. GDPR’s right to erasure is much narrower; businesses are allowed to reject requests to delete data unless certain conditions are met, such as the personal information (PI) no longer being necessary for its original purpose.
CCPA grants consumers an additional right to equal service; consumers must not be discriminated against by the business if they exercise their rights, such as refusing to grant permission for the sale of their data. GDPR does not include an equivalent to this right.
2) Fines and penalties
The financial penalties for a GDPR violation are substantial: either €20 million or 4% of the company’s global annual turnover, whichever is higher. The fine varies depending on the nature of the breach and the organisation’s response. GDPR allows data subjects to seek compensation for a data breach and to prosecute the organisation responsible for the breach in a court of law. Furthermore, individual member states may apply the aforementioned administrative fines, and states may choose to impose additional punishments, including jail time.
CCPA fines are applied per violation, with a maximum of $7,500 for an intentional violation. There is no cap on the total amount an organisation may be fined. CCPA does not include sanctions for non-compliance, and fines are only applied if a breach occurs. This point is significantly more lenient than GDPR; a company may be fined under GDPR if it is deemed at risk of a breach or is wilfully ignoring GDPR’s requirements.
CCPA also allows individuals to pursue legal action against companies when their personal data was accessed by an unauthorised individual or stolen following a data breach. Consumers may sue an organisation if it is found that the company was negligent in ensuring that proper cybersecurity safeguards were in place to protect consumer data.
3) Data Protection
GDPR is much broader than CCPA; in addition to addressing consumer privacy rights, it tackles issues surrounding data security. GDPR requires organisations to ensure that appropriate safeguards are in place to maintain the integrity of consumer information and prevent unauthorised individuals from gaining access. These elements of GDPR were introduced in an attempt to create a more robust cybersecurity landscape in Europe and help protect EU citizens against the dangers associated with data breaches.
CCPA is less focused on data security than GDPR. However, CCPA introduces new liability for businesses whose consumer data was unencrypted at the time of a data breach.
Although there are some critical differences between the laws, both are significant pieces of legislation with significant consequences for organisations globally. More states are likely to create new data privacy legislation in the coming years, and any future laws are likely to be heavily influenced by both CCPA and GDPR.