As American leadership understands more about what constitutes personal data rights and breach risks in online platforms, GDPR has become increasingly pertinent as a broadly applicable model to protect personal data. Absent federal regulation, some states in the US are following the EU’s lead with data privacy regulations, notably the California Consumer Privacy Act (CCPA). Despite their common goal, there are key differences between the CCPA and GDPR with respect to what they protect and how they enforce those protections.
What constitutes personal data?
Before we can dive into what it means to protect personal data through GDPR and the CCPA, it’s important to identify how these laws define personal data.
GDPR’s predecessor, the Data Protection Directive, defined personal data as “any information relating to an identified or identifiable natural person,” including identification numbers and factors related to a person’s physical, physiological, mental, economic, cultural, or social identity. GDPR broadened the definition to include IP addresses, biometrics used for personal phone security, and geolocation. This update takes a valuable look at how technology has transformed what data we leave behind, intentionally or not, with our online activity, and how that data can be harnessed by third parties to alter our internet experience.
The CCPA, which goes into effect in January 2020, does not veer far from GDPR in terms of the data it considers protected. Any information that is not publicly and lawfully available by federal, state, or local governments constitutes personal data under the CCPA. However, the Act does expand the scope of personal data to include information about households, i.e. spouses or children.
What exactly is GDPR?
GDPR was implemented because the EU’s many legislative bodies recognized that privacy and personal data regulations needed to be compiled into an overarching regulation applicable across technological platforms. Different countries throughout the EU upheld nonidentical policies related to the ownership and sharing of personal data. By consolidating legislation, GDPR could control data sharing, so long as the individuals whose data was in question were from the EU or within the European Economic Area.
GDPR focuses on disclosing the uses for consumer data to the consumer. It requires that every business gives its consumers the opportunity to either contribute or decline to contribute their data as they use a business’s online materials or products. GDPR also mandates that when requested, a consumer must be guaranteed access to retrieve or remove their personal data. Even with express permission to store and disseminate data, an administrative penalty can be applied to a business if it fails to meet security or privacy requirements. Encryption is the most recommended method of maintaining privacy while storing and distributing personal data, but GPDR does not strictly require it.
Should a breach occur, the GDPR mandates that regulatory bodies be notified within 72 hours, and all potentially impacted users must be informed of the breach as well. Penalties are imposed on a case-by-case basis, including either four percent of a company’s global turnover or up to 20 million euros, depending on the nature of the breach.
Who is subject to regulation?
Both the CCPA and GDPR focus on enforcing businesses’ responsibility to their consumers for transparency. The GDPR sets itself apart from its predecessors in the broad base of businesses subject to these new requirements. Any business that processes personal information from EU citizens is subject to regulation, regardless of their locality. It is obviously more difficult to enforce these rulings on foreign organizations, but ultimately the goal is that all businesses that handle personal data from the EU apply and will owe the same restitution.
Along the same lines, the CCPA imposes financial penalties on companies that are not compliant. The CCPA also gives consumers the right to sue companies for breaches. California law mandates that companies must alert California residents if their personal information was compromised. The CCPA only applies in the event of a breach, unlike the GDPR where penalties can be imposed for unsecured personal data storage and usage absent an incident.
The CCPA is also more limited in scope, as it only covers California citizens using services from California-based companies. Regulated companies must make a gross annual revenue of at least $25 million or collect the personal information of at least 50,000 California residents. Although if a company’s primary business model is the exchange of personal data, they are subject to the CCPA.
Why does it matter?
GDPR is designed to empower consumers’ control over their personal data. It is one of the more sweeping regulations against abuses of personal data by online organizations. Throughout the US, states draw clear inspiration from the EU’s regulations to create the same sense of transparency and security for American consumers. California’s new regulation is a prime example of this inspiration, and these new standards can easily be expected to continue through more states across the US as consumers develop a better understanding of how their personal data is being used — with or without their consent.