A quick look at the two approaches to privacy
The wave of recent scandals, including Facebook-Cambridge Analytica, paved the way for new consumer privacy regulations worldwide. The European Union was the first to come forward with a new set of standards for data privacy, the General Data Protection Regulation (GDPR), which went into effect last year.
California, too, is about to govern the data security of its citizens with the forthcoming California Consumer Privacy Act (CCPA), which is scheduled to go live in 2020. More states, like New York, Nevada, Vermont, and Washington, will follow suit soon.
Here’s an overview of both approaches.
Similarities and Differences
Although the GDPR and the CCPA are not the same, their core practices remain intact. They are:
- Being transparent with consumers
- Rethinking why businesses collect personal data
- Offering consumers a legitimate explanation for the use of personal data
- Defining the data lifecycle
- Outlining ways to dispose of data at the consumer's discretion
Moving further, here is an analysis of the differences that set the CCPA apart from the GDPR.
1. The use of consumer privacy
The processing of personal data is illegal under the GDPR. Data processing is not prohibited under the CCPA, but businesses need to offer consumers a way to opt out.
2. Businesses subject to regulation
The GDPR applies to any business located within or outside of the EU, provided it offers goods or services to monitor the behavior of EU citizens.
The CCPA applies to companies that earn 50% or more of their annual income by selling consumers’ personal data. Moreover, businesses that do not have 50,000 or more consumers or whose annual gross revenue is less than $25 million USD need not comply.
3. What data is considered personal?
Any information that can exclusively identify a person is considered personal under the GDPR. It also includes sensitive data that warrants extra attention: data consisting of political opinions, religious beliefs, ethnic origin, genetic data, or biometric data, or data concerning a person’s sex life or sexual orientation.
The CCPA has broader coverage. It covers data that identifies or is capable of being associated or linked with a particular consumer or household. For example, a consumer's search history, clickstream data, or location is considered personal under the CCPA.
4. Right to be forgotten
The GDPR obligates businesses to erase customer data upon request and also to inform the third-party businesses to which they have sold it.
The CCPA, on the other hand, obligates businesses to erase only the data that has been collected from the consumer; they need not approach third-party sources.
5. Right to opt-out
The CCPA gives consumers the power to opt out of the sale of their personal information, and businesses cannot question such requests for at least 12 months.
The GDPR does not directly restrict the sale of personal information. Instead, it offers a broader approach that gives consumers the ability to opt out of having their data used for commercial purposes.
6. Violations and penalties
The GDPR penalizes businesses with 4% of global annual income or €20 million per violation (whichever is higher), whereas penalties under the CCPA are much narrower and are capped at $7,500 per violation.
To learn more about the GDPR and the CCPA, check out the infographic by LoginRadius.