Gone are the days when one could carry out numerous activities on the internet without worrying about how they affected people. Today, as every website host works on getting more visitors and monitoring their behavior to understand the performance of the site, one must understand the guidelines and regulations.
Internet protection regulations are meant to preserve the privacy of users. Although there are global regulations, different states and countries are now coming up with their own laws to ensure that users' personal data remains safe. The European Union (EU) was the pioneer in this department, as it started the General Data Protection Regulation (GDPR) back in 2018. More recently, California also introduced its own privacy-focused regulation, dubbed the California Consumer Privacy Act (CCPA).
So, if you run a global website that serves users in both the EU and California, it is pertinent for you to understand what these regulations are and how they differ. Let's take a closer look at CCPA and GDPR and how they compare with each other.
The GDPR policy prohibits the gathering and processing of individuals' data by companies and organizations, both online and offline. Going through this policy is vital, since penalties are applied to any company that is found guilty of violating any of the guidelines.
CCPA may not be as strict as the GDPR law, but it is still important. Here, the consumer has the right to choose how their data is used. They can opt out of third-party data sales, delete their data, or restrict some of the processing applied to it. The policy was passed in 2019 but came into effect at the dawn of the new decade, i.e., January 1, 2020.
Now that you have a CCPA and GDPR overview, it is vital to understand their differences. This will help you know what to change if your company falls under both obligations.
While the GDPR requirements affect any company or organization that uses data from the EU, the CCPA affects for-profit bodies that operate their businesses within California.
Under GDPR compliance, if a company, e-commerce business, or even non-profit organization has access to data from EU member countries, it must comply with all regulations. Otherwise, the firm will attract expensive penalties.
For CCPA compliance, a company falls under it if it collects an annual gross income of $25 million and above, it serves more than 50,000 consumers, and over 50 percent of its revenue comes from this personal data. The company must also be operating within the state and collect Californian data for processing.
GDPR fines are quite severe for a company that does not follow the policy. They can go as high as $22 million or £20 million, or 4 percent of revenue, whichever amount is higher.
On the other hand, CCPA fines only apply when a breach of data has occurred. Non-compliance by itself does not attract any penalties. However, in the event that a breach happens and the company is found not to have complied with the CCPA, it may have to pay $2,500 for violations, $7,500 if the violations were intentional, and from $100 up to $750 in damages in a civil court.
The two policies are similar only in that both define personal data as data that is directly linked to an identity. However, the terms of collecting, processing, and selling are defined differently by GDPR and CCPA.
GDPR rules protect any personal data that is in the possession of an organization. The only restrictions applied are for data that is not filed and data that an individual alters for personal use. In contrast, the CCPA's text is not as general.
While the GDPR insists that a user has to opt in for their data to be accessed, CCPA requirements only apply the opt-in rule when data is about to be sold. Also, data that is already available to the public, such as CMIA medical information, HIPAA data, and data under the Driver's Privacy Protection Act, is not considered private. This means one can use this data without being penalized.
Both CCPA and GDPR emphasize letting a consumer know when their data is being collected and for what purposes. The difference is that CCPA requires reports to be sent regularly, outlining when the data was collected and which data in particular. Third-party companies are also supposed to send notifications to individuals to let them know that they have obtained their data.
For GDPR, the notifications are more detailed: they must state how long the data will be retained and used, and from what source the third party obtained it.
This piece only shows some of the notable differences and aims to act as a starting point for understanding the CCPA compliance checklist and the GDPR checklist. The article does not provide the complete details of the policies, so website owners, content creators, businesses, and organizations should do more research to learn how to be CCPA and GDPR compliant. You could also choose to use GDPR compliance software, which helps ensure that your business remains compliant with the privacy laws. Consumers should also be encouraged to understand these policies to ensure that their data is not collected and used illegally.