The General Data Protection Regulation (GDPR) was created by the European Union and implemented on May 25, 2018. This measure was passed to increase the protection of personal data. Any companies that interacted with the personal data of anyone within the EU were required to become GDPR compliant. No matter where a company operated, from Hong Kong to Minnesota and everywhere in between, they would have to become compliant if they had the data of EU citizens. Many companies had to rethink their entire approach to the personal information of customers; they risked hefty fines if they did not. Learn more about the GDPR here.
Not long after the GDPR was implemented, California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law. The regulations outlined in the CCPA will come into effect on July 1, 2020. Much like the GDPR, the CCPA aims to protect customer data.
The extent to which the CCPA aims to protect personal information is unprecedented in the United States, and companies will have to make drastic changes to the way they handle customer data in order to become compliant. Any company operating in California or storing the personal data of California residents must be compliant. If not, like any companies working with EU customers that refused to become GDPR compliant, they will face heavy fines. See an overview of the CCPA here.
The Similarities and Differences of GDPR and CCPA
Similarities
Both the GDPR and the CCPA apply to businesses that store information on consumers under their jurisdiction, regardless of where in the world that business is physically located. No matter where a company is located, if they get a customer from the EU or California, they will need to be compliant with the relevant law. As such, it is considered a best practice for companies to become compliant even if they are located outside of the EU or California.
As aforementioned, both the GDPR and the CCPA strive to protect the personal data of consumers on and offline by regulating how companies are permitted to gather, share, or utilize that information.
Additionally, both require companies to give consumers access to the data that the companies have collected about them. Consumers also have the right to request that the collected data is erased. With these measures, consumers have been given a say in what personal information businesses are allowed to keep.
Differences
Although the GDPR and the CCPA are very similar in aims, there are some major differences between the two. For one, the CCPA applies to a more specific range of companies than GDPR. The GDPR is broader and simply applies to all organizations, whereas the CCPA specifies that it only applies to for-profit companies that meet any of the following requirements:
1. Has over $25 million in annual gross revenue.
2. Has over 50,000 consumers’ personal information for commercial purposes.
3. Earns over 50% of annual revenue from the sale of consumers’ personal information.
Another difference lies in the definition of personal data. The GDPR involves two types of data meant to cover all personal data: customers’ personal data (names, mailing addresses, and IP addresses, etc.) and special categories of personal data (religious views, sexual orientation, political opinions, etc.). On the other hand, CCPA applies only to personal data that is not available from governmental records.
Disclosures also vary between the two. Where the GDPR broadly asks companies to use clear and simple language, the CCPA specifies that companies must have a visible link on their homepage entitled “Do Not Sell My Personal Information” so that consumers can opt out.
With the GDPR, consumers must give their consent before any data is gathered about them. With the CCPA, companies can begin gathering information without consent, but they have to allow consumers to opt out if they want.
When individuals make requests (such as opting out or asking for personal information to be deleted), the GDPR requires companies to respond within 30 days. The CCPA grants more time, giving companies 45 days.
Overall, the main difference between the measures is that GDPR stresses certain points of data privacy more than CCPA does and vice versa.
What Does this Mean for Your Company?
Here’s the deal: once a company is compliant with one of the data privacy regulations, it takes a few, relatively small steps to become compliant with the other. Companies will only need to become slightly stricter with their policies in certain areas, depending on which measure they are already compliant with.
Why become compliant with both? For one, the GDPR and the CCPA cover a vast number of consumers in the world. The GDPR encompasses all EU data subjects, spanning many countries, and California is the fifth largest global economy. That’s about 552.2 million people! Regardless of where a company is in the world, it is highly probable they will encounter a consumer from the EU or California. When that happens, they can face fines if they decide to do business with those consumers, without being compliant. It pays to be prepared.
On top of that, customer privacy is a growing trend that will only continue spreading to other areas throughout the US and the world. In fact, Washington, Maryland, New Jersey, and eight other states have already introduced measures similar to the CCPA, and Brazil has passed the Lei Geral de Proteção de Dados (LGPD), a data protection law much like the GDPR.
Being compliant with both data privacy laws will prepare companies for future privacy legislation, allowing them to more easily adapt to new measures in the coming future. Plus, being compliant can give companies’ corporate reputation a boost—after all, customers favor companies that protect their privacy!
