Happily! Unless you eat, sleep, and breathe data privacy as we do, it’s hard to keep the nuances of these two game-changing privacy regulations separate in your head. Here’s the skinny on what distinguishes GDPR and CCPA.
Note: GDPR and CCPA aren’t the only games in town; they’re just two of the biggest. There’s a whole other world of privacy laws and standards, including HIPAA, PCI, TCPA, CASL, CAN-SPAM, the Gramm-Leach-Bliley Act, and more.
The GDPR was the first major international privacy act and it changed the data landscape entirely. GDPR went into effect in March of 2018 and businesses have been running down GDPR compliance ever since.
GDPR affects businesses of all sizes around the world. Whether you’re a multinational corporation, a nonprofit educational institution, or running a small online business, if you collect personal information from an EU resident, GDPR rules apply to you.
One of the major accomplishments of GDPR was to provide a thorough definition of individual rights over personal data. GDPR gives EU residents significant controls over their information, including:
- The right to be informed
- The right to access
- The right to rectification
- The right to erasure/to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
GDPR also takes the step of defining special categories of sensitive data. This private information includes:
- Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
- Trade-union membership
- Genetic data, biometric data processed solely to identify a human being
- Health-related data
- Data concerning a person’s sex life or sexual orientation
In short, these rights key EU residents in on how their personal data is being collected, stored, and used by companies. They give residents the right to consent to, object to, and delete the processing of their information.
And if organizations don’t comply? They risk massive fines, legal action, and reputational damage.
Want to learn more about GDPR, its scope, and how it impacts organizations across the globe? We’ve got a white paper for that.
CCPA, as noted above, is the largest state-level privacy regulation in the United States. It has only been enforceable since July 1, 2020, but businesses have been busy getting their compliance ducks in a row since the legislation rolled out in 2018.
The CCPA applies to your business if:
- You’re a for-profit business that:
  - Collects and controls California residents’ personal information AND
  - Does business in California AND
  - Meets at least one of the following thresholds:
    - Annual gross revenues in excess of $25 million
    - Annually receives or discloses the personal information of 50,000 or more California residents, households, or devices
    - Derives 50% or more of its annual revenue from selling California residents’ personal information
Under CCPA, consumers have a new set of individual rights. These include:
- The right to notice
- The right to access personal data and information
- The right to know if their personal data is being shared (and with whom)
- The right to deletion
- The right to know whether their data is being sold and the option to opt-out of the sale
- The right to equal rights and services
Want a closer look at individual rights? We’ve got an article for that, too.
Under CCPA, your team has to be prepared to support these individual rights via consumer requests. You’ve got to provide up-to-date privacy notices. You’ve got to meet response deadlines and appropriately verify the identity of the person making each request. CCPA also gives individuals the right to take legal action if a company violates their rights, although the scope of that right is admittedly not well defined.
Learn more about the nuances of CCPA here.