CCPA vs GDPR: The 5 Step Comparison Guide
The CCPA: Lessons from GDPR and Relevance for Start-UpsThe California Consumer Privacy Act (CCPA) , signed into law in June, 2018, went into effect on January 1, 2020. It was the first meaningful step to providing a regulatory framework to online privacy rights in the United States. It impacts how all enterprises make changes when handling personal information. However, unlike the European Union’s General Data Protection Regulation (GDPR), which applies to all organizations regardless of size, the California privacy law contains includes small businesses that do not meet certain thresholds specified in California Laws.
Does CCPA Apply To Your Business?The CCPA applies to your company if it collects consumers’ personal information, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000).
- Annually buys, receives, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Impact on Start-Ups
Businesses that decide they do not need to comply may find themselves at a strategic disadvantage to other online platforms, specifically not get their next round of funding, or close an enterprise deal. Adherence to CCPA is going to become table stakes to do business because of their fiduciary risk (financial penalties, sanctions) on the larger vendor to comply with the statute. If your company works with larger businesses and is considered their service provider, the larger company will need a contract to govern your relationship with consumers. This means any collection, sale, or use of personal information on behalf of your enterprise customer will be prohibited except as necessary to perform the business purpose.
- 1. Procedures. Under the CCPA, information that your company might collect, sell or share from users is required to be stated clearly on your website and also include other public disclosures of policy regarding individual rights of access, portability and information retrieval or erasure. The GDPR generally requires broader disclosures than the CCPA, so to comply you should update to reference the CCPA, provide a toll-free number, address HR data and provide information about selling and sharing data.
- 2. Disclosures. Determine whether your company is selling or sharing personal information and build opt-in/opt-out procedures. A key provision of CCPA is that individuals are able to opt-out of the sale or sharing of their personal information. A key provision of CCPA is that individuals are able to opt-out of the sale or sharing of their personal information. The sale or sharing of personal information of children is restricted without an opt-in to ages 13-16, or with parental consent when under 13. If you sell (or disclose) personal information “for monetary or other valuable consideration,” you will need to update your website to include a clear and conspicuous link that says: “Do Not Sell My Personal Information.” If you’ve already prepared for the GDPR, you can create opt/in and opt/out options on your website to cover the CCPA requirement.
- 3. Business and IT Process. You will need to review and possibly update all of your data classification for personal information for California residents and households. The CCPA expanded some definitions for personal information to include: IP address, biometric information, geolocation, professional or employment-related information, education information, browsing and search history, and other noted types of data.
To comply with the CCPA, a prudent course of action would be to take an inventory of your data and begin tracking internal consumer and employee data flows to be able to respond to requests from Californians (e.g., check your CRM, email management, benefits/HR providers, sales leads, and data agreements). Companies should also consider developing a “self-service” tool on websites or apps to enable Californians to access, download and request deletion of their personal information. Similarly, the GDPR affords individuals with the additional rights of correction. If you prepared for the GDPR, individual rights processes can be adapted to Californians. However, you may want to review these procedures to identify any required procedural or operational improvements.C. Incident Response Requirements under the CCPA
The CCPA includes a private right of action in the event of a data breach. However, prior to filing a claim, a business must first notify the business of the violation (such as a breach), and provide the business 30 days to cure the violation. It is unclear how a business would “cure” a breach, but it does highlight the importance of rapid detection, containment, and mitigation. The GDPR’s notification requirements are more rigorous - 72 hours to notify the Data Privacy Authority but with no private right of claim.D. Pricing Transparency: A New CCPA Requirement
While both the GDPR and CCPA do prohibit businesses from discriminating against individuals who exercise their rights under the law, the CCPA specifically addresses pricing practices. Accordingly for the CCPA, businesses should confirm non-discriminatory practices and pricing guidelines, and document what portion of the cost relates to the collection and management of personal information.E. Governance Impact of the CCPA
While the CCPA may not define a role for program governance, you should consider designating a role with responsibility for CCPA compliance to clarify decision-making authority, provide oversight, and ensure sustained maintenance of the compliance program, much like you would do with GDPR. We recommend this be a combination of a practitioner within your organization, such as an engineering or IT leader combined with an executive sponsor such as a VP of Engineering, Products or Marketing.Given the similarities in compliance obligations, businesses may wish to consider a role (internal or external) with responsibility for both GDPR and CCPA compliance, and ensure your workforce receives updated training on procedures related to the handling of private data - including HR, marketing and sales. New data subject rights requests and incident response requirements under the CCPA will necessitate new, or changes to existing processes. Update your employee awareness training and consider tabletop exercises to use for training purposes.