What is CCPA?
California Consumer Privacy Act (CCPA) is a soon to be implemented consumer data protection act in the US and applies to all the California residents. Signed on June 28, 2018, in effect January 1, 2020, it is the most robust consumer data privacy law in the US to date. The law gives Californians more control and power over their personal data. Organizations that meet one of the below criteria are subject to the CCPA:
- Annual gross revenue is over twenty-five million dollars ($25,000,000).
- Buy, receive, sell, or share, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- Earns 50% or more of the annual revenues from selling consumers’ personal information.
Read this article for more info.
What is GDPR?
General Data Protection Regulation (GDPR) is a data protection regulation introduced by the Information Commissioner’s Office (ICO) in the European Union (EU) in April 2016 and then came into effect on May 25, 2018. The law applies to all bodies, regardless of their location, that deal with the data of EU member state residents. For example, even if a website is not based in the EU but has visitors from EU member states, it must take the necessary steps to become GDPR compliant. Read more about GDPR here.
CCPA vs. GDPR: Key Similarities and Differences
Let’s look at some of the key similarities and differences between CCPA and GDPR.
|Organizations that meet one of the below criteria are subject to the CCPA:
They also must meet the following conditions to fall under the scope of CCPA:
|Any organization (in and outside the EU) that handles personal data of people in the EU.|
|Information that identifies, directly or indirectly, with a particular consumer or household.
Personal information” does not include “publicly available” that is lawfully made available from federal, state, or local government records.
|Any information that can identify a data subject, alone or with other data, for example, name, age, phone number, bank details, e-Mail, login credentials, IP addresses, location, identification numbers, etc.
It also includes ‘sensitive’ data such as information about data subject’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, or sexual orientation.
Fines and Penalties
|Up to $7500 per intentional violation.
Organizations have 30 days to fix any alleged violations.
|Severe violation will subject to 4% of annual global turnover or €20 million - whichever is higher.
Less severe violation will subject to 2% of annual global turnover or €10 million – whichever is higher
Other actions include written warning, temporary or permanent ban, data deletion, and restriction on data transfers.
|The act does not specify prior consent.
Opt-out option to be made available to consumers on the website to opt-out of the sale of personal information.
|Organizations must obtain prior consent from the data subjects before processing their personal data.
Data subjects should be able to withdraw their consent at any time.
|Provide a link on the websites, titled “Do Not Sell My Personal Information,” for consumers to opt-out of the sale of the consumer’s personal information.||Data subjects should be able to withdraw or refuse consent through a practical and easily accessible opt-out option at any time.|
|An opt-in requirement for selling personal information of minors between 13 and 16 years old, while parental consent required for children under 13.||Parental consent required for children under 16, with EU Member States being allowed to lower that age to 13.|
|Organizations must notify any California resident whose personal information was affected.
Organizations that are required to notify more than 500 California residents must also submit a single sample copy of that notification to California’s Attorney General.
Organizations have the opportunity to fix the alleged violation within 30 days.
Consumers can claim statutory damages up to $750 per incident or they can seek legal action against the organization if the court deems right.
|Organizations must notify the respective Supervisory Authority within 72 hours.
If there is a high risk to the rights and freedom of the data subjects, then organizations must inform and advise them about an action plan.
Complying with GDPR will make the organization CCPA-compliant as well, as GDPR is more extensive. However, if an organization falls under the scope of both CCPA and GDPR, then it must ensure that it does assessments for both laws. Certain disclosures of CCPA require organizations to be ready to disclose information (if requested) dating back to one year, i.e., January 1, 2019. So, they should already be well prepared to welcome the new Act. Check out this checklist for CCPA Compliance.
Disclaimer: This article does not represent any legal advice. The sole purpose of this article is to share general information. Hence, for any legal counsel, please contact a lawyer specialized in the area.