GDPR vs. CCPA
Data drives the world. Everything from starting your car to brushing your teeth can generate a data point that companies eagerly devour. Personal data in the hands of those concerned only with making money despite the consequences have brought about public conern. Governments around the globe are crafting legislation to ensure this information is kept out of the wrong hands.
In 2018, the European Union enacted the General Data Protection Regulation (GDPR). In 2020, California will roll out the California Consumer Protection Act (CCPA). The list of differences between the GDPR and CCPA are below.
- GDPR pertains to all EU citizens (“data subjects”) while CCPA pertains only to CA residents (“consumers”).
- GDPR applies to individual data subjects only, without regard for how much a business makes or where it is. CCPA only applies to businesses that do business in CA, have $25,000,000 or more in annual revenue AND buys and/or sells information of 50,000 or more consumers, households or devices.
- GDPR allows for Subject Access Requests that must be fulfilled in 30 days. CCPA allows 45 days for fulfillment, with a possible 45 day extension.
- GDPR and CCPA both have data subject/consumer rights of erasure. CCPA has more exceptions that would allow a business to decline the request, and pertains only to PII/data that the consumer provided directly to the business.
- GDPR is focused on the collection and processing of data subject information whether or not it’s sold. CCPA is focused on the SALE of consumer information.
- GDPR requires Data Process Flow Mapping and predetermined amount of risk to data per business process that involves privacy data. CCPA doesn’t require mapping, and specifies nothing about Data Privacy Impact Assessments (DPIA).
- GDPR maximum fines are 4% of gross annual revenue or €20,000,000, whichever is greater; and can be imposed as a result of audit and non-compliance. The biggest fine so far is £183,000,000 to British Airways. CCPA imposes fines up to $7,500 per violation and only if the data is breached.
- GDPR could further evolve but it’s been essentially the same since submitted in 2016 and went into effect in 2018. CCPA could change before and after it goes into effect in 2020.
The final point underscores that responding to these regulations will evolve over time. Get a handle on your data and digital infrastructure by requesting an assessment from Cipher.