The digital era has changed how we interact with the world, leaving a trail of personal data online. Consumers are increasingly concerned about how their information is collected, used, and shared. Their concerns arise from the increasing numbers of data breaches in hospitals, banks and on social media sites. This has spurred the creation of data privacy regulations around the globe. Two of the most prominent examples are the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). While both aim to empower individuals with control over their data, they differ significantly in scope, requirements, and enforcement.
Understanding the Scope:
- CCPA: This California-specific law protects the privacy rights of California residents. It applies to for-profit businesses that do business in California and meet any one of the following thresholds:
- Annual gross revenue exceeding $25 million.
- Annually buy, sell, or share the personal information of 100,000 or more California consumers or households (the original 2020 threshold was 50,000 consumers, households, or devices; the CPRA raised it).
- Derive 50% or more of their annual revenue from selling or sharing personal information.
- GDPR: This regulation has a broader reach. It applies to any organisation established in the EU that processes personal data, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of where the organisation itself is located.
What Information is Protected?
Both CCPA and GDPR define personal data broadly but with some key distinctions:
- CCPA: This law protects information that identifies, relates to, describes, or could reasonably be linked to a particular consumer or household. This includes names, email addresses, browsing histories, purchase records, geolocation, and biometric data. It excludes publicly available information from government records, medical information already covered by HIPAA, and personal information regulated under other specific laws such as the Gramm-Leach-Bliley Act and the federal Driver’s Privacy Protection Act.
- GDPR: The GDPR protects “personal data”, meaning any information relating to an identified or identifiable natural person. This includes ID numbers, email addresses, phone numbers, online identifiers such as IP addresses and cookie IDs, and location data, as well as “special categories” of data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health data, and data on sex life or sexual orientation) that receive extra protection. Pseudonymised data is still personal data if the person can be re-identified; only truly anonymised data, data about deceased persons, and data processed for purely personal or household purposes fall outside the GDPR’s scope.
Consumer Rights:
- CCPA: California residents have the right to:
- Know what personal information is collected about them, and the categories of sources, purposes, and third parties involved.
- Access their personal information, in a portable format where feasible.
- Delete their personal information, subject to exceptions.
- Opt out of the sale or sharing of their personal information.
- Not be discriminated against (for example through different pricing or service levels) for exercising these rights.
- GDPR: Individuals in the EU enjoy a broader set of rights. Alongside access, erasure, and information about processing, these include:
- Rectification: the right to have inaccurate personal data corrected.
- Restriction of processing: the right to have processing paused, for example while a dispute about accuracy is resolved.
- Data portability: the right to receive their data in a structured, commonly used, machine-readable format for transfer to another service provider.
- Objection and automated decision-making: the right to object to processing based on legitimate interests or direct marketing, including profiling, and the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
Compliance Requirements:
- Under the CCPA, organisations must:
- Provide clear and conspicuous privacy notices explaining what categories of data are collected, for what purposes, and whether they are sold or shared.
- Offer at least two methods for consumers to submit requests to access, delete, correct, or opt out of the sale or sharing of their personal information, including a clearly visible opt-out link on the website.
- Implement procedures to verify the identity of the requester and respond within 45 days (extendable once by a further 45 days with notice).
- Under the GDPR, businesses must:
- Establish a lawful basis for each processing activity. Consent is only one of six lawful bases; where it is relied on, it must be freely given, specific, informed, and unambiguous, and as easy to withdraw as to give.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, and build data protection into systems by design and by default.
- Keep records of processing activities and, where data is transferred outside the EU, ensure an adequate transfer mechanism is in place.
- Designate a Data Protection Officer (DPO) where the organisation is a public authority, or where its core activities involve large-scale regular monitoring of individuals or large-scale processing of special-category data.
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
- Report personal data breaches to the supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and notify affected individuals without undue delay where the breach is likely to result in a high risk to them.
Enforcement and Penalties:
- CCPA: Enforcement is shared between the California Attorney General’s Office and, since the CPRA, the California Privacy Protection Agency (CPPA). Administrative fines are up to $2,500 per violation and up to $7,500 per intentional violation or violation involving a minor’s data. The original 30-day cure period, during which companies could fix a violation before penalties applied, was removed as an automatic right by the CPRA and is now at the regulator’s discretion. Consumers also have a private right of action for certain data breaches caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident.
- GDPR: Each EU member state has its own data protection authority responsible for enforcing the GDPR, coordinated through the European Data Protection Board. Fines are tiered: up to €10 million or 2% of annual global turnover (whichever is higher) for breaches of obligations such as security and record-keeping, and up to €20 million or 4% of annual global turnover (whichever is higher) for the most serious offences, such as processing without a lawful basis or infringing data subjects’ rights.
Developments:
Since it took effect on 1 January 2020, the CCPA has seen significant development. The California Privacy Rights Act (CPRA), approved by voters in November 2020, came into force on 1 January 2023 and expanded the CCPA’s provisions. Notably, the CPRA introduced the category of “Sensitive Personal Information” (SPI), covering data such as social security numbers, precise geolocation, racial or ethnic origin, health information, and genetic data, and granted Californians the right to limit its use and disclosure. It also added a right to correct inaccurate personal information, extended the opt-out right from “selling” to “selling or sharing” (covering cross-context behavioural advertising), required businesses to implement reasonable security and to conduct risk assessments for high-risk processing, and created the California Privacy Protection Agency as a dedicated regulator.
Conclusion:
CCPA and GDPR represent significant steps towards data privacy protection. The GDPR sets a higher bar with stricter requirements, a broader set of individual rights, and harsher penalties. Nevertheless, the CCPA has paved the way for similar legislation in other US states, and its evolution through the CPRA shows a growing commitment to consumer data privacy. Businesses operating globally must carefully navigate both regulations, and in practice the most efficient approach is to build data inventories, request-handling, breach-response, and security controls to the stricter standard so that both sets of obligations are met.