Happily! Unless you eat, sleep, and breathe data privacy as we do, it’s hard to keep the nuances of these two game-changing privacy regulations separate in your head. Here’s the skinny on what distinguishes GDPR and CCPA.

Note: GDPR and CCPA aren’t the only games in town, they’re just two of the biggest. There’s a whole other world of privacy acts like HIPAA, PCI, TCPA, CASL, CAN-SPAM, the Gramm Leach Bliley Act, and more. 

GDPR

The GDPR was the first major international privacy act and it changed the data landscape entirely. GDPR went into effect in March of 2018 and businesses have been running down GDPR compliance ever since.

GDPR affects businesses of all sizes around the world. Whether you’re a multinational corporation, a nonprofit educational institution, or running a small online business, if you collect personal information from an EU resident, GDPR rules apply to you.

One of the major accomplishments of GDPR was to provide a thorough definition of individual rights over personal data. GDPR gives EU residents significant controls over their information, including:

• The right to be informed
• The right to access
• The right to rectification
• The right to erasure/to be forgotten
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling

GDPR also takes the step of defining special categories of sensitive data. This private information includes:

• Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
• Trade-union membership
• Genetic data, biometric data processed solely to identify a human being
• Health-related data
• Data concerning a person’s sex life or sexual orientation

In short, these rights key EU residents in on how their personal data is being collected, stored, and used by companies. It gives them the right to consent, object, and delete their information.

And if organizations don’t comply? They risk massive fines, legal action, and reputational damage.

Want to learn more about GDPR, its scope, and how it impacts organizations across the globe? We’ve got a white paper for that. 

CCPA

CCPA, as noted above, is the largest state-level privacy regulation in the United States. It’s only been enforceable since July 1, 2020, but businesses have been busy getting their compliance ducks in a row since the legislation rolled out in 2018:

The CCPA applies to your business if:

• You’re a for-profit business that:
• Collects and controls California residents’ personal information AND
• Does business in California AND
• Has one of the following:
  • Annual gross revenues in excess of $25 million
  • Annually receives or discloses the personal information of 50,000 or more California residents, households, or devices on an annual basis
  • Derives 50% or more of your annual revenue from selling California residents’ personal information

Under CCPA, consumers have a new set of individual rights. These include:

• The right to notice
• The right to access personal data and information
• The right to know if their personal data is being shared (and with whom)
• The right to deletion
• The right to know whether their data is being sold and the option to opt-out of the sale
• The right to equal rights and services

Want a closer look at individual rights? We’ve got an article for that, too.

Under CCPA, your team has to be prepared to support these individual rights via consumer requests. You’ve got to provide up-to-date privacy notices. You’ve got to meet deadlines for responses and appropriately verify their information. CCPA provides individuals with the right to legal action if a company violates their rights, although the right is admittedly not well defined.

Learn more about the nuances of CCPA here.

Wouldn’t it be nice and straightforward if it did mean that?! Lots of companies assume that GDPR compliance automatically grants them CCPA compliance. Now, those data privacy processes and controls that they’re putting in place for GDPR or CCPA compliance are helpful. There’s definitely crossover between these compliance frameworks. But there are nuances in the definition, goals, and requirements behind them that need to be observed. (And carefully!)

Before starting off on a compliance journey, it’s good to focus on why you need to comply in the first place. You start by thinking about your customer. What controls do you need to protect them? What are the risks to their data? How do your information systems handle that data? Starting with these questions helps you think specifically about the needs of compliance frameworks.

On a financial level, non-compliance can be devastating. Not taking compliance seriously can bring legal action, significant fines and fees, and damage your reputation and relationship with your clients and colleagues.

Compliance is often framed in a negative light: it’s a lot of work, it’s hard to keep up with, and so forth. It’s true that compliance is a big undertaking. But it offers your organization valuable opportunities. When you prioritize compliance, you give your business the chance to build internal structures and controls that help you streamline and manage your data collection processes. You learn where your weak points are and how to reinforce protections.

And it’s huge for your customers. Offering them transparency and security shows that you take their trust seriously. (And trust is what long-term relationships thrive on, isn’t it?)

Not all data is created equal. While you should work to minimize data collection in general, it’s especially important to build security around personal data.

What information do you need to be locking down, though? You should provide protection for personal data, which is any piece of information that can be used to identify an individual, whether on its own or combined with other information. This includes, but isn’t limited to dates of birth, passport numbers, drivers’ licenses, social security numbers, and more.

Data minimization is a major principle behind security and privacy, but it’s common for companies to collect way more personal data than they actually need or use.

This usually isn’t born out of ill intentions, but at the same time, it’s important to evaluate why you really need data. Know what you need, what you’re going to do with it, and then collect the minimum amount and types of data required to achieve these goals

For example, while it might make sense for a company selling health remedies to collect information on the types and quantities of vitamins an individual consumes, an athletic-clothing manufacturer should think twice (even if it is related to an ad campaign) before collecting that sort of data.

We’re huge proponents of training. According to a study by CompTIA, your biggest security threat isn’t a mysterious hacker but rather your very own employees. Human error causes 52% of recorded security breaches.

Error! Simple human error! It’s preventable. When you give your employees the right data privacy training, you can make a huge dent in that number. What do we mean by the “right training”? It needs to be more than your run-of-the-mill confidential information training. The “right training” takes a deep dive into:

• The risks inherent in handling and sharing personal information
• Their responsibilities and the best practices that apply to their job
• The regulations that apply to your organization and what they entail
• Consequences of data breaches, information loss, and non-compliance

It’s also important that you build privacy and security into your workplace culture. This should be part of your employee training, helping them better understand your approach to and policies behind them.

One of the best things that you can do to stay ahead of the curve is to have a solid data inventory. Your data inventory should map out what data you store, where it’s kept, who has access to it, and where it comes from and goes to. If you have data that is considered sensitive by data privacy laws (such as GDPR), you should also include this in your data inventory and document the security measures that protect it against data breaches.