5 Big Reasons Why Comparing CCPA to GDPR is a Bad Idea
The California Consumer Privacy Act, or CCPA, is a new law in the State of California regulating the collection and sale of personal data by organizations that do business in California or process personal data originating in California. The law is set to become effective Jan. 1, 2020, making compliance an urgent matter for organizations affected.
Given that CCPA governs the collection, processing, and sale of personal data, many organizations, including many of those advising and educating businesses on CCPA, have been explaining CCPA by comparing it to the European Union’s General Data Protection Regulation (GDPR). On the surface this seems to make sense: they are both consumer privacy laws, right?
The fact that they look similar at first glance is precisely why it is dangerous to think of CCPA in terms of GDPR: the similarities are only superficial, and the laws differ at a fundamental level. Here are 5 reasons why comparing CCPA to GDPR can lead to massive pitfalls:
Scope and Who is Affected
One of the principal differences between CCPA and GDPR is who each law applies to and what kinds of data it covers. In a sense, GDPR is more straightforward in its requirements than CCPA. Every entity, even one wholly outside the European Union, that processes personal data of people in the EU, offers goods or services in the EU, or monitors the behavior of users in the EU must comply with GDPR. CCPA has more nuance in who it applies to. For starters, it only applies to for-profit businesses (and only those that meet the law’s size thresholds for revenue, number of consumers, or share of revenue from selling personal data). Additionally, only data controllers (the “businesses” in CCPA’s terminology) are directly obligated to comply with CCPA. This means data controllers are wholly responsible for contracting with their data processors (“service providers”) to ensure data is processed in a compliant manner.
Finally, CCPA is narrower in how it defines “doing business”. Unlike with GDPR, merely monitoring user activity may not count as “doing business” under CCPA. This is an important distinction, as it means an organization may be able to monitor user behavior in California without being deemed to be doing business in California, in which case it would fall outside CCPA’s scope.
How Consent is Given (or Taken Away)
Perhaps the most obvious fundamental difference between GDPR and CCPA is how permission to collect and process a given user’s data is established. Under GDPR, an organization may only collect and process a user’s personal data if at least one of six legal bases applies:
- Consent is freely given
- It is necessary to satisfy a contract
- It is necessary to satisfy a legal obligation
- Collecting data serves to protect the vital interest of the individual
- It is necessary to perform a task carried out in the public interest
- Data processing is necessary for the legitimate interests of the data controller
Where consent is the basis relied on, it must be freely given, specific, informed and unambiguous, and it must be obtained before the data is collected. Silence, pre-ticked boxes or an absence of explicit consent do not constitute consent under GDPR.
Opting out Under CCPA
Under CCPA, permission to collect and process data works almost the opposite way. Businesses may collect and process personal data unless and until the consumer chooses to “opt out”.
Unlike GDPR, where an organization cannot process personal data without a legal basis, a business under CCPA may still collect and process the data of a consumer who has opted out for its own purposes. What opting out does is prevent the business that collected the data from selling it, and “selling” is defined broadly: renting, releasing, disclosing, disseminating, communicating, transferring, or otherwise making the data available to a third party for “monetary or other valuable consideration” all count. This in turn makes it necessary to have a way to share data securely within the organization, so that an accidental release of personal information to an outside party does not become a CCPA violation.
Businesses are allowed to ask a consumer who has opted out to opt back in, but must wait at least 12 months after the opt-out before asking.
Am I Exempt?
For GDPR, the answer is very nearly always no. Apart from narrow exclusions such as purely personal or household activities, there are no sector-specific exemptions under GDPR.
CCPA, on the other hand, does provide for some exemptions. Non-profit organizations are outside its scope altogether, and certain data held by financial services and healthcare organizations is exempt when it is already governed by other laws with their own privacy requirements.
Examples of laws whose covered data is exempt under CCPA include the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act, the California Financial Information Privacy Act, and the federal Driver’s Privacy Protection Act. It is important to note that these exemptions apply to the data covered by those laws rather than to the organization as a whole, and that even where the exemption applies, CCPA still provides consumers an avenue to file lawsuits if a data breach occurs.
Accommodating Data Deletion Requests
The right to erasure of personal data under GDPR is much more clear cut than under CCPA. Under GDPR, an organization must erase a person’s personal data on request, or when it is no longer needed for the purpose it was collected for, regardless of where the data came from, subject only to limited exceptions such as a legal obligation to retain it. Organizations that receive such a request must act without undue delay and in any event within one month (extendable by up to two further months for complex requests) or face a penalty. They must also inform any recipients to whom the data was disclosed of the deletion request.
Businesses under CCPA, however, only need to delete data collected directly from the consumer (and must direct their service providers to do the same). Data gathered from a public source may be retained. This makes it vital for organizations to implement a way to identify and track the source of each piece of personal data, both to decide what a deletion request covers and because CCPA requires businesses to disclose the categories of sources their data comes from.
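The two sections above (opt-out handling and deletion requests) describe policy differences that end up as branches in whatever system holds the data. The following is an added example, not code from the original article or from XMedius: a small in-memory store that tags every record with its source, gates third-party transfers on the consumer’s opt-out status while leaving internal use unaffected, enforces the 12-month wait before asking an opted-out consumer to opt back in, and answers a deletion request differently under GDPR (remove everything, notify recipients) and CCPA (remove only consumer-supplied data, retain public-source data, direct service providers to delete). The record fields, consumer ID, the “mail-vendor” service provider, and the use of 365 days to approximate 12 months are all assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Source(Enum):
    """Origin of a record; under CCPA this decides what a deletion request removes."""
    CONSUMER = "consumer"  # collected directly from the consumer (form, account, app)
    PUBLIC = "public"      # gathered from a publicly available source


class Regime(Enum):
    GDPR = "gdpr"
    CCPA = "ccpa"


@dataclass
class Record:
    consumer_id: str
    field_name: str
    value: str
    source: Source


@dataclass
class PersonalDataStore:
    records: list = field(default_factory=list)
    opt_out_dates: dict = field(default_factory=dict)  # consumer_id -> date of CCPA opt-out
    downstream: list = field(default_factory=list)     # processors / service providers holding copies
    audit: list = field(default_factory=list)          # one line per decision, kept for review

    def add(self, rec: Record) -> None:
        self.records.append(rec)
        self.audit.append(f"collect {rec.consumer_id}.{rec.field_name} from {rec.source.value}")

    def records_for(self, consumer_id: str) -> list:
        return [r for r in self.records if r.consumer_id == consumer_id]

    # CCPA opt-out: blocks sale or transfer to third parties, not internal processing.
    def opt_out(self, consumer_id: str, today: str) -> None:
        self.opt_out_dates[consumer_id] = date.fromisoformat(today)
        self.audit.append(f"opt-out {consumer_id} on {today}")

    def may_ask_to_opt_in(self, consumer_id: str, today: str) -> bool:
        """A business must wait 12 months after an opt-out before asking the consumer
        to opt back in. 365 days stands in for 12 months here (an assumption)."""
        opted = self.opt_out_dates.get(consumer_id)
        return opted is None or date.fromisoformat(today) >= opted + timedelta(days=365)

    def transfer(self, consumer_id: str, recipient: str, internal: bool) -> bool:
        """Gate every disclosure. Internal sharing stays allowed after an opt-out;
        making the data available to a third party is refused once opted out."""
        if not internal and consumer_id in self.opt_out_dates:
            self.audit.append(f"REFUSED {consumer_id} -> {recipient}: consumer opted out")
            return False
        kind = "internal" if internal else "third party"
        self.audit.append(f"transfer {consumer_id} -> {recipient} ({kind})")
        return True

    # Deletion requests differ by regime in what is removed; copies held downstream
    # must be dealt with under both (GDPR notifies recipients, CCPA directs service
    # providers to delete).
    def delete_request(self, consumer_id: str, regime: Regime) -> dict:
        mine = self.records_for(consumer_id)
        if regime is Regime.GDPR:
            to_delete = mine  # everything about the data subject, whatever its origin
        else:
            to_delete = [r for r in mine if r.source is Source.CONSUMER]  # public-source data may stay
        gone = {id(r) for r in to_delete}
        self.records = [r for r in self.records if id(r) not in gone]
        retained = [r.field_name for r in mine if id(r) not in gone]
        notified = list(self.downstream) if to_delete else []
        self.audit.append(f"delete[{regime.value}] {consumer_id}: removed {len(to_delete)}, "
                          f"retained {len(retained)}, notified {notified}")
        return {"deleted": [r.field_name for r in to_delete],
                "retained": retained, "notified": notified}


def build_sample_store() -> PersonalDataStore:
    """Constructed sample data: two fields the consumer supplied, one taken from a public site."""
    store = PersonalDataStore(downstream=["mail-vendor"])  # hypothetical service provider
    store.add(Record("c-1001", "email", "pat@example.com", Source.CONSUMER))
    store.add(Record("c-1001", "phone", "+1-555-0100", Source.CONSUMER))
    store.add(Record("c-1001", "employer", "Example Corp", Source.PUBLIC))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    store.opt_out("c-1001", "2020-01-15")
    store.transfer("c-1001", "ad-broker", internal=False)   # refused: consumer opted out
    store.transfer("c-1001", "billing-team", internal=True)  # allowed: internal use
    print(store.delete_request("c-1001", Regime.CCPA))       # employer (public source) retained
    print(store.delete_request("c-1001", Regime.GDPR))       # employer removed as well
    print("\n".join(store.audit))
```

The point of the source tag is that a CCPA deletion cannot be answered correctly without it: a store that only knows the consumer ID has to choose between over-deleting and under-deleting. The audit list is what an internal CCPA or GDPR review would ask for: which records were removed, which were retained and why, and which downstream holders were told.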
Penalties for Breaches & Violations
Penalties for both GDPR and CCPA violations can be severe, though what qualifies as a violation and the processes for penalizing organizations differs significantly between the two.
EU supervisory authorities can fine organizations that violate GDPR up to €20 million or 4% of their worldwide annual turnover for the preceding financial year, whichever is higher, though the top of that range is reserved for the most egregious violations. GDPR penalties are assessed on the nature, gravity and duration of the infringement, whether it was intentional or negligent, the categories of data affected, and the steps the organization took to mitigate the harm. Additionally, data subjects in the European Union have a private right of action for any violation and can claim compensation for material or non-material damage.
Another difference is the time horizon. Organizations can be penalized for a GDPR violation or breach no matter how long ago the data was collected. CCPA, by contrast, builds a 12-month window into its consumer rights: when a consumer asks what a business holds about them, the business only has to disclose what it collected in the 12 months preceding the request. That window limits what must be reported, not what can be penalized.
CCPA assesses penalties in a completely different way, but the result can still be catastrophic. Under CCPA, each affected record can count as a separate violation, and the Attorney General can seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, with no cap on the number of violations that can be assessed.
The options for recourse for private citizens, as well as the processes for those actions, are also significantly different under CCPA than under GDPR. CCPA’s private right of action is limited to data breaches: a consumer whose non-encrypted, non-redacted personal information is exposed because a business failed to implement reasonable security may sue for statutory damages of $100 to $750 per consumer per incident or for actual damages, whichever is greater.
Protecting Opted Out Data with XMedius
Companies that fall under CCPA’s purview need to quickly determine and implement processes for complying with the law. Since a business can still collect and process data about someone who has opted out (until it receives a request to delete it), this includes a process for preventing the accidental release of that personal information to outside parties.
XM Fax is a secure, easy-to-use, and highly interoperable fax-over-IP (FoIP) solution that can provide a way for organizations to share personal data between disparate office locations without risk of accidentally releasing the information or having it gleaned off an unencrypted or misaddressed email. XM Fax also includes rich auditing functionality, helping to provide organizations with a way to identify a source of a breach if one occurs and streamlining internal CCPA audits and audits for any other relevant standard (such as HIPAA, GDPR, SOX, FERPA, PCI DSS, etc).
XM SendSecure is a secure file exchange solution that features encryption in transit and at rest. Unlike many file sharing services, XM SendSecure enforces two-factor authentication (2FA) leveraging known contact information for the recipient, helping to prevent unauthorized access to the shared folder. It also features ephemeral storage, meaning the shared files will be automatically deleted after a set duration of time, helping to eliminate the risk of old information being gleaned off a forgotten or otherwise disused shared folder.
If CCPA impacts your organization and you’re looking for a way to protect and securely transfer personal information, reach out to us to learn more about how we can help.