Note: This post has been updated from our original article in 2018 to include more detailed data on the EU's GDPR and California's CCPA.
On May 25, 2018, new requirements, known as the General Data Protection Regulation (GDPR), went into effect in the European Union (EU). That was soon followed by the passage of the California Consumer Privacy Act (CCPA), which took effect on Jan. 1, 2020.
Both laws are meant to strengthen online data protections for their residents by giving people more control over their personal information, and by regulating how businesses can access and use their data. They resemble each other in some respects and differ in others, making it difficult for companies to determine whether they are in compliance with both regulations.
Below you'll find a brief breakdown and comparison of both the GDPR and CCPA, and how your U.S.-based business needs to adapt if it hasn't already.
What is GDPR?
The General Data Protection Regulation is a set of rules for "data controllers" (and the "data processors" acting on their behalf) designed to give EU residents more control over their personal data and to harmonize data protection rules across the EU.
It gives individuals in the EU the right to access and request the deletion of their personal information, and requires businesses and organizations to have a "lawful basis" (often called a "legal basis") for collecting the data of customers and web visitors. The GDPR also requires businesses to appoint a data protection officer in certain circumstances (mainly for larger companies and for organizations whose core activities involve large-scale monitoring or sensitive data).
It is considered one of the most comprehensive data protection laws in the world (so far), and has the potential to touch businesses across the globe: it applies to organizations established in the EU, and also to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behavior (for example, through website tracking). Whether those individuals are EU citizens is not the test; being in the EU is.
The GDPR includes detailed rules about the:
- Type of data that is collected
- Purpose of the data collection
- Security methods used to protect that data
- Length of time that personal data should be stored
The data in question refers to a wide range of personal data that may be harvested, including name, address, location, health information, online identifiers, IP addresses, cultural profiles and more.
What is CCPA?
Much like the GDPR, the California Consumer Privacy Act establishes new data rights for California residents, and new data handling rules for companies that collect information about them. It also incorporates an expansive view of personal information, including geolocation, device identifiers, biometric data and audio/visual data tied to a person or household.
Under the law—the first in the nation—California residents can access their personal information, request to have it deleted and opt out of its sale (such as to a third-party service).
The CCPA will not be the last word on data regulation in the state, unfortunately. Voters in November 2020 passed a proposition creating the California Privacy Rights Act (CPRA), which amends and expands the CCPA when it goes into effect in January 2023. The new law stiffens enforcement penalties for businesses that mishandle users' information, and creates a new agency, the California Privacy Protection Agency, to pursue those claims.
The CCPA will remain in effect until January 2023, according to the Privacy Rights Clearinghouse.
What's the difference between GDPR and CCPA?
While both laws focus on increasing transparency and accountability around data collection and usage, the GDPR and CCPA do differ in a few important respects. Here are a few of the more notable points:
"Data controllers" vs. companies: The GDPR is designed to broadly cover any "data controller" that collects the data of individuals in the EU, including companies, public institutions and nonprofits, regardless of size, while the CCPA is more narrowly targeted to for-profit businesses that meet one or more of the following criteria:
- Annual gross revenues of $25 million or more (adjusted annually for inflation)
- A company that "annually buys, receives, sells or shares the personal information of 50,000 or more consumers or households"
- A company that derives 50% or more of its annual revenues from selling personal information
"Legal basis": The GDPR is built around the requirement that organizations have a "lawful basis" for collecting and storing customer data, chosen from a fixed list that includes the individual's consent, performance of a contract, a legal obligation and the organization's "legitimate interests." That requirement is not included in the CCPA.
"Do Not Sell My Personal Information": The CCPA focuses more on limiting the sale of personal information, and requires businesses that sell California residents' personal information to include a "Do Not Sell My Personal Information" link on their website homepage. The GDPR does not impose this requirement.
Scope of regulated information: Both laws incorporate a broad definition of regulated personal information, but the CCPA includes more exceptions. Some forms of data, including medical data covered by other U.S. laws and data from credit reporting agencies, are exempt from the CCPA, but would still be regulated under GDPR.
What should business owners do?
The reach of these laws extends well beyond the borders of the EU and California. In an increasingly global economy, there are innumerable scenarios in which individuals from the EU or California could be accessing your website and doing business with your company.
The simplest answer is that these laws potentially affect any business with a website, so don't assume they don't apply to yours. While EU enforcement may seem unlikely for companies outside the continent, the state of California will soon establish a new agency dedicated to enforcing its privacy laws (CCPA/CPRA), which could mean more regulatory headaches for U.S.-based businesses.
Here at Informatics, we are recommending a three-step process to our clients who are working to increase compliance with these laws:
Step One: Education
The first step in compliance is education. The European Commission has put together interactive infographics and resources including a 7 Steps for Businesses guide (PDF), while the California Attorney General has built a comprehensive FAQ site for the CCPA. It may also be helpful to consult an attorney or legal expert familiar with the laws for more detailed guidance.
Step Two: Data Inventory
Take time to review your business' marketing efforts and data collection practices, so you can understand which customers you are targeting and what you hold about them. For each channel (email marketing, search engine marketing, affiliate marketing, web analytics, etc.), record what personal data is collected, why it is collected, where it is stored, who it is shared with and how long it is kept. This inventory is what the rest of your compliance work is built on, and it is the evidence you will need when an access or deletion request arrives.
Step Three: Plan
With the inventory in hand, plan the concrete changes your business needs, which may include:
- appointing a Data Protection Officer, if required by GDPR rules
- adding a "Do Not Sell My Personal Information" link to your website if you sell personal information, to ensure compliance with CCPA
- setting up a process to verify and respond to access and deletion requests within each law's deadline (one month under GDPR, 45 days under CCPA)
- excluding GDPR-affected countries from email marketing campaigns, or blocking IPs from affected countries. Note that IP geolocation is imprecise (VPNs and mobile carriers routinely misplace users), that the GDPR applies based on where a person is rather than where their IP address appears to be, and that blocking new visitors does nothing for EU data you already hold, so treat geo-blocking as a risk reduction, not a substitute for the steps above.
If you need help tackling GDPR and CCPA compliance for your business, reach out to the internet experts at Informatics. We can help you untangle these new regulations and plot a strategy to keep your business (and data) in the clear.