GDPR vs. CCPA: What you Need to Know to Keep Consumer Data Safe

Like the GDPR legislation that affects the EU, the CCPA protects the consumer rights of California residents by requiring transparency and giving consumers ownership (and control over) their personal information. So, John Doe can contact a business and ask them to disclose the information they are collecting on Mr. Doe and with whom they are sharing it. He can request that they delete that information if he chooses. He can also request not to have his data sold to third parties. If Mr. Doe chooses to exercise his privacy rights, that business cannot treat Mr. Doe any differently - he must receive the same service and price that any other consumer would receive. 

If Mr. Doe’s son is between 13-16 years of age, businesses are not permitted to sell his son’s personal data. If he’s under 13, consent from a parent or guardian is required. 

The CCPA applies under several different scenarios. It applies to businesses operating in California (or with California residents) that collect personal information. Beyond that, the details get a little sticky. For example, the CCPA doesn’t specifically apply to non-profit organizations, but most would be wise to take it into account anyway. Many law firms have attempted to weigh in and sort through the complexities of the CCPA. jackson|lewis breaks it down in detail on a recent blog post. The article attempts to bring clarity to grey areas, including the involvement of third-party players. "It does not appear to be necessary under the CCPA for a business to actually be the one to collect personal information from consumers in order for the law to apply. So long as personal information is collected on behalf of a business (such as through a third party), the business could be covered by the CCPA, assuming the other requirements are satisfied."

You don’t have to live in California to be affected by the CCPA. Considering that California has the highest population of any U.S. state, it would be a rare business owner who could claim that there was no chance of doing business with a California resident. Because other states are likely to pass similarly stringent legislation, it makes sense to be prepared regardless. It’s also important to know that while the wording is specific to consumer protection, the law also applies to business-to-business scenarios where personal information is harvested. 

There are lots of good reasons to comply with data privacy legislation like the CCPA. Protecting consumer data is simply the right thing to do, of course. However, if that’s not enough motivation, be aware that once the act takes effect, residents of California will have the right to bring litigation against companies not in compliance. The state can also level fines against companies in violation. 

You may be wondering how the CCPA differs from GDPR. While it’s true that they are very similar (the CCPA was heavily influenced by GDPR), there are a few noteworthy differences. For example, the penalties for violating the CCPA are more severe, financially speaking. For a little light reading, check out this detailed guide from Future of Privacy Forum comparing GDPR and CCPA. It’s complex, but it’s also a reflection of how legislators are taking consumer privacy more seriously than ever. 

Some business owners are hoping that the federal government will take over data protection requirements so that compliance is more straightforward (vs. keeping up with laws passed by 50 individual states). For now, it’s important to stay up to speed on the privacy-related legislation that does affect your business. Depending on the nature of your business, compliance may be somewhat straightforward (such as the “cookie” warning you’ve surely seen on many sites) or it may be a layered approach (possibly involving legal help). Your customers (and potential customers) need to feel confident that their data is safe with you.