Recent consumer privacy scandals, including Facebook-Cambridge Analytica, the fitness app Polar, and scores of others, have had one impact that is sure to last: the emergence of new consumer privacy regulations worldwide. The European Union established new standards for data privacy when the General Data Protection Regulation (GDPR) went into effect last year. While the United States has a growing patchwork of laws and regulations that govern data privacy and security, California took significant steps to strengthen consumer rights with the forthcoming California Consumer Privacy Act (CCPA), which is scheduled to go into effect January 1, 2020. More states are now following suit, including Nevada, Vermont, Colorado, New York, and Washington.
Navigating these varying regulations will be an ongoing challenge for virtually every business. To illustrate the magnitude of this effort, we performed a detailed analysis of GDPR and CCPA. Here are the top seven differences we identified.
Disclaimer: These regulations are still undergoing significant changes. As of the writing of this article, twelve bills are pending in the California State Legislature that would alter CCPA. Experts expect EU regulatory actions during 2019 and 2020 to clarify some aspects of GDPR. We’ve done our best to provide information that’s accurate at this time.
Difference #1: Consumer privacy as a benefit or fundamental right
Under GDPR, processing personal data is unlawful unless it can be justified under one of six lawful bases (consent, contract, legal obligation, vital interests, public task, or legitimate interests). CCPA does not prohibit data processing as such; it simply requires that consumers have a way to opt out of the sale of their information. This difference in starting point reflects a fundamental difference in outlook: Europeans treat privacy as a fundamental human right, whereas CCPA treats it as a consequence of a business relationship whose terms can be negotiated.
Difference #2: Businesses subject to regulation
Perhaps because of this rights-based foundation, GDPR applies to any organization established in the EU, and to any organization outside the EU that processes personal data of data subjects in the EU in relation to offering them goods or services or monitoring their behavior (i.e., effectively any company doing business in the EU). CCPA applies only to for-profit businesses that do business in California and meet at least one of three thresholds, so it exempts some smaller businesses, with the exception of data brokers (companies that derive fifty percent or more of their annual revenue from selling consumers’ personal information). If your business generates less than $25 million in annual gross revenue and buys, receives, sells, or shares the personal information of fewer than 50,000 consumers, households, or devices, you may not need to comply. Note that multiple devices owned by one consumer are counted separately.
Difference #3: Definition of personal information
GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’).” It also defines pseudonymisation: processing personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information that is kept separately. And it defines special categories of personal data (commonly called sensitive data) that warrant extra protection: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data used to uniquely identify a person, data concerning health, and data concerning a natural person’s sex life or sexual orientation.
CCPA provides a broader definition: “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It extends protection to households as well as individuals, and it has no equivalent of GDPR’s special categories of sensitive data. This broader definition can include information such as search history, clickstream data, or location.
Difference #4: Right to data portability
Under GDPR, consumers have a right to receive personal data from data controllers (the business that collected the data) in a commonly used, machine-readable format. They also can demand that this data be transmitted to another data controller. While CCPA provides for a similar right to access, businesses are not required to transfer personal information to another business on behalf of a consumer.
GDPR does not specify how consumers should be able to submit requests. CCPA, by contrast, requires that consumers be able to submit requests through at least a toll-free telephone number and, if the business has one, its website. These requirements also apply to the right to data erasure, discussed below.
Difference #5: Right to data erasure/“to be forgotten”
GDPR obligates data controllers (businesses) to erase personal data “without undue delay” upon the data subject’s request. A controller that has made the data public must also take reasonable steps to inform other controllers processing it (for example, businesses with whom it has shared the data or to whom it has sold it). The right does not apply where processing is necessary for exercising the right of freedom of expression and information, for complying with a legal obligation or performing a task carried out in the public interest, for reasons of public health, for archiving, scientific or historical research, or statistical purposes, or for establishing, exercising, or defending legal claims.
CCPA clarifies that the deletion right applies only to the data that a business has collected from the consumer, not to data about the consumer obtained from third-party sources. The exceptions are broader: in addition to legal obligations, businesses can keep data to complete a transaction, to detect security incidents and protect against malicious or fraudulent activity, or for internal uses reasonably aligned with the consumer’s expectations, among others.
Difference #6: Right to opt out of sale of personal information
One of the primary goals of CCPA was to give consumers power over the sale of their information by data brokers. As such, it specifically prohibits businesses from selling the personal information of a consumer who has made an opt-out request. The opt-out stays in place until the business receives express authorization from the consumer, and the business may not ask for that authorization for at least 12 months after receiving the opt-out request. CCPA also restricts the sale of minors’ personal information: a business may not sell the personal information of a consumer it knows to be under 16 unless the consumer has affirmatively opted in, and for children under 13 a parent or guardian must give that consent.
However, “sale” is defined broadly and in practice covers any transfer of personal information “for monetary or other valuable consideration.” This could affect businesses in unintended ways, since many consumer-facing services and a great number of business applications, web-based services, and cloud-based services involve transmitting personal information to other parties. How far the term “sale” actually reaches is not yet clear.
Although GDPR does not directly address the sale of personal information, it contains a broad right to object: data subjects can object at any time to processing that relies on the legitimate-interests or public-task bases, after which the controller must stop unless it can demonstrate compelling grounds that override the data subject’s interests, and an objection to processing for direct marketing must always be honored.
Difference #7: Consequences of violations
GDPR provides for administrative fines of up to €20 million (about $22.5 million) or four percent of total worldwide annual turnover for the preceding financial year, whichever is higher. CCPA has no comparable administrative fine. Instead, the California Attorney General may bring a civil action seeking up to $2,500 per violation, or $7,500 per intentional violation. Since each consumer whose rights are violated counts as a separate violation, a single incident affecting millions of California residents could produce liability that greatly exceeds the GDPR cap. In addition, a consumer whose nonencrypted or nonredacted personal information is exposed in a data breach caused by the business’s failure to maintain reasonable security can sue for statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater), with no cap. This private right of action does not require proof of actual harm (as the law is written now), which makes class action lawsuits over data breaches much easier to file.
Key takeaway: Consumer privacy is serious business
Both GDPR and CCPA create significant financial exposure for businesses that violate their requirements. So far, Google is the only business to have received a shocking penalty: €50 million (about $56 million), imposed by the French data protection authority CNIL in January 2019. Many more cases should be decided by the end of 2019 (more than 60,000 breaches have been reported). With up to four percent of annual revenue at stake under GDPR and high legal liability under CCPA, it pays to take privacy very seriously.
The good news is that while the regulations differ, a common set of privacy-by-design practices will help businesses comply with all of them. In essence, these practices are about:
- Rethinking why you are collecting personal data and collecting the minimal dataset you need
- Being transparent with consumers about what is collected
- Asking for their permission while explaining the legitimate use of personal data
- Securing data and using proper anonymization techniques
- Defining the full data lifecycle, including disposal
- Putting Data Processing Agreements (DPAs) in place with all service providers to ensure that they are able to meet compliance requirements