The GDPR in Europe was one of the first major data privacy regulations to be implemented in recent times, followed closely by the CCPA in the United States. And since its enforcement, GDPR has been seen as the “gold standard” when it comes to data protection regulations. However, it is important to remember that each data privacy regulation has differences in areas such as what and who is protected and that they are not equivalent to each other in all areas. Let’s take a look at these first two regulations, GDPR and CCPA, and you will see that while they follow a similar framework, there are some significant differences between the two. So how do they compare, and what do organizations need to do to make sure that they are compliant with the nuances between various regulations?
GDPR and CCPA: A Top-Level Overview
GDPR and CCPA are both privacy regulations that dictate how personal data should be handled by businesses and organizations. These regulations require organizations to have visibility into what data they possess and where it is located, and in addition give consumers more say over how their data is used.
GDPR was the first major data privacy regulation to be introduced, coming into effect on May 25th, 2018, and has since driven the emergence of various data protection regulations globally. It was designed to standardize the data protection laws in place across the EU member countries and introduced guidance on how customer data should be stored, as well as how companies must respond in the event of a data breach. Under GDPR, EU citizens have the following rights when it comes to their personal data:
- The “right of access” – Data subjects have the right to obtain confirmation from the data controller as to whether their personal data is being processed and, if it is, to access that information.
- The “right to rectification” – Data subjects have the right to have their data corrected if it is inaccurate and the ability to add to it if it is incomplete.
- The “right to erasure (‘right to be forgotten’)” – Data subjects have the right to request that some or all personal data held about them be erased.
- The “right to restriction of processing” – Data subjects have the right to prevent the processing of their personal data.
- The “right to data portability” – Data subjects have the right to receive their personal data in a machine-readable format and the right to transmit that data without hindrance from the previous source.
- The “right to object” – Data subjects have the right to object to the processing of their personal data or to stop the processing of their personal data.
Following in the footsteps of the EU’s implementation of GDPR, California was the first state in the United States to pass its own privacy regulation, the California Consumer Privacy Act (CCPA), which came into effect on January 1st, 2020. The CCPA gives consumers more control over the personal information that businesses collect about them, and gives California residents rights when it comes to their data, including:
- The “right to know” – Residents can request an organization disclose what personal information about them the organization has used, shared, or stored, and why. The organization must provide this information within 12 months of the request and must do so at no charge to the resident.
- The “right to delete” – Residents may request that an organization delete collected personal information and have its service providers do the same. However, there are exceptions that allow organizations to keep personal data, including, but not limited to, security practices, legal obligations or claims, and types of information exempt from the CCPA, such as consumer credit reporting information.
- The “right to opt out” – Residents may request that organizations stop selling their personal information. After the request has been received, an organization may not sell the resident’s information unless the resident authorizes them to do so again.
- The “right to non-discrimination” – Organizations cannot deny goods or services, charge different prices, or provide a different quality of goods or services just because a resident exercised their rights under the CCPA. However, if the business needs personal information to provide goods or services, the business may not be able to complete the transaction.
GDPR vs CCPA
Now that we have a better base idea of some of the elements these regulations entail, let’s take a look at how they compare side by side:
Who it applies to
- GDPR: Any business or organization that processes the personal data of individuals in Europe.
- CCPA: For-profit businesses that do business in California and meet any of the following:
  - Have a gross annual revenue of over $25 million
  - Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices
  - Derive 50% or more of annual revenue from selling California residents' personal information
Who is protected
- GDPR: Data subjects, meaning identified or identifiable natural persons who are citizens of, or residing within, the EU.
- CCPA: Consumers that are California residents. A California resident is defined as a natural person who resides in California, even if they are temporarily out of the state.
What is protected
- GDPR: Personal data, which is defined as "any information relating to an identified or identifiable natural person ('data subject')".
- CCPA: Personal information, which is defined as "information that identifies, relates to, or could reasonably be linked, either directly or indirectly, with you or your household".
Data security measures required
- GDPR: Those controlling and processing personal data are required to take appropriate technical and security measures to ensure personal data is properly secured.
- CCPA: Does not directly impose data security requirements.
Data breach reporting requirements
- GDPR: A data breach involving any personal data must be reported no later than 72 hours after the organization becomes aware of it.
- CCPA: Notice of a breach must be delivered as soon as possible and without delay, but there is no specified time limit. However, the SEC has proposed an amendment to require organizations to report data breaches within 4 days, so this may change in the future.
Civil penalties for non-compliance
- GDPR: Organizations found in violation can be fined up to €20 million, or 4% of their annual global turnover (whichever is higher).
- CCPA: Civil penalties are limited to $2,500 per violation, or up to $7,500 per intentional violation. In addition, violating entities can be subject to an injunction.
Using Data Classification for Regulatory Compliance
Data classification uses visual labelling alongside customized metadata to protect data and control its use. In addition, the metadata applied to documents enhances the effectiveness of downstream security solutions, such as DLP and DRM, which use the metadata properties to determine how a piece of data should be treated, handled, stored, and, if necessary, disposed of.
Both GDPR and CCPA allow data subjects the right to obtain access to the personal data an organization holds on them, as well as the right to request that their information be deleted at any given time. By identifying and classifying data into appropriate categories, organizations have more control, making data easier to locate and retrieve, which is of particular importance when it comes to risk management, compliance, and data security.
Regulations, legislation, and compliance are some of the biggest challenges impacting data security within organizations today. For an organization’s data to be secure and compliant with regulations, all data needs to be identified, categorized, and protected. Having data classified means you know where it is at all times and who is accessing it, and you can mitigate the damage of a potential data breach within the allotted reporting time.
Gartner predicts that by the end of 2023, modern privacy laws will cover the personal information of 75% of the world’s population. In order to prepare your data for future regulations, Gartner recommends standardizing security operations using GDPR as a base, and then adjusting for individual jurisdictions. Enza Iannopollo, principal analyst at Forrester, echoes this, saying that while all regulations have their own unique details, GDPR is still the reference point for organizations to follow when it comes to best practice data protection. Enza explains that if an organization has developed these best practices in relation to GDPR requirements, going forward this will significantly ease the challenge of meeting compliance requirements with other current and upcoming privacy regulations.
While starting your regulatory compliance journey by following the requirements for GDPR is very helpful when it comes to preparing to be compliant with other data privacy regulations, such as the CCPA, it is equally important to know exactly what the nuances are of other regulations, and how they compare to what you already have in place, to avoid a costly mistake. While the GDPR laid the groundwork for data privacy regulations, remember that it is just one of many privacy regulations organizations are bound to adhere to in today’s data-centric world.