Fear can be fun, as witnessed by how many of us enjoy riding a rollercoaster or watching horror movies. Fear can be useful, especially when your doctor tells you to stop eating greasy food after turning 45 or you will end up like your father and have a heart attack at 55 years of age. Fear can also be a powerful motivator, especially in our personal lives. But put into the work context, fear can be constraining and counterproductive, especially in the digital arena – whether marketing, communications, or digital product and service delivery.
A particular area of fear in the past several years has come from digital privacy regulation. Leading up to May 25, 2018, it was the European Union's General Data Protection Regulation (GDPR). This year I am seeing organizations agonize over meeting the January 1, 2020 deadline to comply with the California Consumer Privacy Act (CCPA). But before you start feeling like you are on a rollercoaster plummeting toward earth at 70 miles per hour, or begin hearing Pet Sematary's Zelda echoing imaginary cries from the attic, let's break down GDPR and CCPA and talk about what they require and where they are similar and different. That will help you understand how close you are to complying, and hopefully lower your stress level.
Tomayto, Tomahto: Aren’t GDPR and CCPA the same?
Although the GDPR and CCPA share some of the same data protection concepts, they are not the same regulation. Many industry analysts have described CCPA as having been triggered by GDPR, and that might be true. However, compliance with the GDPR does not equate to compliance with the CCPA, and vice versa. But don't panic just yet thinking that you will have to pull double duty. There is a lot of overlap, and the differences are straightforward to understand. Well, mostly. Let's take a look.
There are always nuances, regardless of which side of the Atlantic you sit on or the regulation in question. I advise my clients to consider the GDPR and CCPA differences and identify where they have the most need to focus. From there, they can drill in on the details. I recommend you do the same. Take a look at the following similarities and differences between the regulations, and then drill down into the areas that are of higher priority or concern for your organization.
Significantly different. GDPR requires the organization to name a data privacy officer (DPO) and keep a log of personal data processing activities. CCPA does not have the same requirements. My advice: Defer to GDPR on this one, assess your need for a DPO, and document roles and responsibilities for compliance.
Definition of personal data
Somewhat different. While both regulations use broad definitions for personal data, CCPA provides specific examples of information relating to an identified or identifiable person. CCPA also extends the definition to households, which significantly impacts organizations that offer products or services associated with IoT and digital devices. Unlike CCPA, GDPR very specifically defines sensitive data and prohibits the processing of such data unless specific exceptions apply. My advice: If subject to both GDPR and CCPA, defer to the CCPA definition of personal data and you will be on target to meet the GDPR definition as well.
Almost the same. GDPR and CCPA address organizations and entities in the same way. Organizations outside of the EU offering products and services in the EU must abide by GDPR. In the same manner, organizations doing business in California must comply with CCPA regardless of where they are located. My advice: It is very clear cut whether you are subject to GDPR and/or CCPA. As such, adopt their requirements for the EU and/or California. You might want to apply the criteria globally, both as a competitive advantage and because it is a challenge to silo data privacy by geographic region.
Significantly different. GDPR is much broader in defining who is regulated (anyone who markets to, sells to, or deals with a person located in the EU), whereas CCPA limits its scope to individuals living or working in California. The level of protection is extended by CCPA, as it includes information linked to a household or a device, making many IoT devices in scope.
GDPR initially had a provision excluding small and medium businesses, but that exception was removed in the final version. The CCPA specifically excludes firms with annual gross revenue below $25 million, or that possess the personal information of fewer than 50,000 consumers, households, or devices, or that earn less than half of their annual revenue from selling consumers' personal information. My advice: If you are subject to both regulations, count on meeting the GDPR requirements and expand the definition of personal data to households and devices. In that way, you will be well positioned for complete compliance.
Completely different. GDPR indicates that personal data processing is lawful under six specific grounds. The CCPA does not define prerequisites for data collection, selling or disclosing, which is a significant difference for any business. Instead, the CCPA gives consumers a post-collection right to opt out of the sale and disclosure of their personal information (via a straightforward and publicly accessible link on the organization's website). My advice: Let GDPR guide you on this one since it is more rigorous.
Almost the same. GDPR and CCPA overlap in their definition of personal information, but the CCPA differs from GDPR by defining anonymous data and by excluding aggregate consumer information and de-identified data from the application of its collection, storage and processing requirements. My advice: Let the GDPR become the priority on this one. The details are what matter here, and GDPR is far more stringent when you delve deeper into the specifics.
Controller and processor definition
Almost the same. Controllers under GDPR are similar to businesses under CCPA, and processors under GDPR are similar to service providers. The two differ when it comes to the obligations required under each, as GDPR requires a contract or other legal instrument (a data processing agreement, or DPA) to be used between controllers and processors for data processing purposes. CCPA requires personal information to be shared based on the terms of a written contract. My advice: Prioritize GDPR and its requirements, and in the process, you will also meet CCPA.
Children’s online privacy protection
Almost the same. CCPA prohibits the sale of personal information of any consumer under the age of 16, but children ages 13-16 can give their own consent for data collection and sale. Children under 13 require permission under CCPA. The GDPR states that the processing of data belonging to a person under the age of 16 requires parental consent. It is worth noting that individual EU member states can (and do!) lower the age of consent, but not below 13 years of age. My advice: Go with the GDPR on this one and defer to the definition of a child based on the ages defined in local country laws. Not only will you meet CCPA, but you will also address other regulations such as the Children's Online Privacy Protection Act (COPPA), which is a US-specific law.
Scientific and medical privacy considerations
Significantly different. Unlike the GDPR, CCPA excludes clinical trials from its scope. CCPA also leaves medical data privacy considerations to other regulatory statutes (e.g., HIPAA). It is also worth noting that GDPR defines scientific research very broadly, while CCPA stays within a narrowly defined area of systematic study. My advice: If you are subject to both regulations, look to adopt the GDPR requirements, which are far more stringent, and you will meet CCPA in the process.
Individual rights to erasure (“right to be forgotten”), opt-out, information access, portability, non-discrimination
Significantly different. Both GDPR and CCPA allow individuals to request deletion of their personal information unless exceptions (legal, for example) apply. Both regulations include requirements to inform individuals when collecting and processing their personal data, but CCPA does not distinguish notice for information collected directly from individuals versus from third parties. The right to object (or opt out) differs in that CCPA is prescriptive and requires a link with the title "Do Not Sell My Personal Information" on the business's homepage, and under CCPA users can only opt out of the sale of personal data. Both laws provide the right to access data, but CCPA mandates that the data be not just portable but usable as well. Whereas CCPA treats the right to portability as part of the right of access, GDPR places that right in a separate section, but the requirement remains the same. Perhaps the most notable difference in this area is that CCPA introduces the right not to be discriminated against for exercising any rights under CCPA. GDPR lacks this provision. As they say, the devil is in the details; while the two regulations are mostly aligned in this area, when looking to implement them within an organization the differences become more notable, and I advise closer examination of the details. My advice: This is one area where you will be looking to address both sets of requirements. While the definitions between GDPR and CCPA are relatively similar, CCPA is more prescriptive with its obligations, including the need to provide a "Do Not Sell My Personal Information" link on your organization's homepage. Because GDPR requires pre-authorization to collect and process data and the CCPA applies retroactively, GDPR should be your main guide, and the CCPA differences ought to be represented as additional requirements to meet in the data privacy initiative.
Completely different. Unlike GDPR, CCPA allows businesses a 30-day window to cure violations. My advice: If you are adopting both GDPR and CCPA, then you will be required to meet the more stringent GDPR framework, which doesn't have the cure period. In my experience, most authorities are willing to allow a cure period even if the regulation does not specify one. However, time for rectification is usually granted based on demonstrated intent to meet the law, so you ought to have a robust policy and a plan for compliance in place.
Somewhat different. The civil fines under CCPA are $2,500 per violation or $7,500 for each intentional violation, versus GDPR's €20 million or 4% of global revenue (whichever is greater). Both can be significant to a business, so be mindful of the risk. My advice: While the two regulations differ in the size of potential penalties, your strategy ought to be to determine how compliant you are with both and what the fiscal and brand impact of possible fallout would be. Insurance is a reasonable consideration, but make sure you take the potential range (with GDPR likely being the higher one) into account when weighing your options.
Private rights actions
Significantly different. CCPA stipulates that a company can be liable for $100-$750 per consumer incident in a private rights action, whereas GDPR has no limit. My advice: Because of GDPR's lack of a limit on potential private rights actions, consider GDPR the worst-case scenario and plan accordingly.
It all seems complicated, so where do you start?
If you are required to comply with GDPR, you may have already started the adoption process in advance of last year's deadline. But if you are anything like the average business, you still have some tasks ahead of you, and this is a great time to consider whether you will be adopting CCPA. For those that must address both regulations, I recommend that you do a little homework and align efforts now. After all, if you will be adopting the most stringent requirements of the two, why create a process that you will need to revisit and alter or change down the road?
My favorite starting point for compliance with any data privacy regulation is:
Determine which regulations apply to you. We've discussed GDPR and CCPA here, but others to consider are Brazil's Lei Geral de Proteção de Dados (LGPD), which is similar to GDPR, South Africa's Protection of Personal Information Act (POPIA), and the newest of them all, the Washington Privacy Act (WPA).
Rather than looking at the global requirements, step through the categories of regulation necessities that each act specifies. I’ve mapped one model for you above (e.g., private rights actions, rectification, governance, etc.).
Get each part of the business involved in discussing the requirements of the data privacy regulations. When a new client calls me, they usually are working in a silo in their corner of the building. Be brave and inclusive and invite your colleagues to participate. Whom should you include? Data privacy regulations touch every part of the business, so the list of participants should be just as exhaustive: marketing, communications, IT, HR, procurement, legal, compliance, finance, security, privacy, and your business units.
If you get lost along the way, or if you need a faster way to get to the bottom of the GDPR/CCPA/LGPD/POPIA/WPA debate, I recommend using an agile policy development process. Take a look at appendix H of my book, The Power of Digital Policy, if you need a starting point. Or get in touch if I can facilitate your policy development workshop and get you there faster.
Because the GDPR and CCPA are such new regulations and we have had little (GDPR) or no (CCPA) interpretation by the enforcement authorities, it is quite challenging to tell how regulatory enforcement will play out over the next five to ten years. However, we do have digital precedents that can give us glimpses into what the new world of data privacy compliance might look like. And what we know from almost every historical, massive initiative is twofold:
Governments don’t see digital regulation as a money-making scheme, so it will likely take time before full enforcement comes into play.
If you run afoul of the law but can demonstrate good intent, you are much likelier to merely get a slap on the wrist.
On every data privacy project I work on, I see that there is power in knowledge. Education has great power to release digital workers from their fears, because once informed we can embrace new data regulations and succeed in the digital arena. This is your opportunity to do the same, and keep the rollercoasters and screams for the theme park and the movies.