
CCPA vs GDPR: What You Need to Know About These Data Privacy Laws

These two far-reaching pieces of legislation are confusing — we’ll provide
a bit of clarity about how they affect your organization

Looking at the information security and data privacy industries is much like looking at a bowl of alphabet soup: FIPS. PCI DSS. HIPAA. PIPEDA. CCPA. GDPR. Or, even more complicated — comparing two of them, like the CCPA vs GDPR.

A, B, C, D, E, F, G… 🎵

So many acronyms, so many audiences — so little time.

Without context or an understanding of what each of these
different acronyms means, these data privacy laws and regulations can be
confusing. Luckily, you have us to wade through the muck and break down the meaning
behind these data privacy laws and regulations. 

In this article, we’ll compare and contrast the GDPR and
CCPA — what each law is, how are they similar or different, and what they mean
for your organization. 

So, as we like to say around here…

Let’s hash it out.

What we’re hashing out…

  1. The Battle of Two Privacy Laws: CCPA vs GDPR
  2. What is the General Data Protection Regulation?
  3. What is the California Consumer Privacy Act?
  4. 6 Major Similarities Between the CCPA and GDPR
     1. Both Laws Give Individuals the Right to View and Access the Data Companies Collect on Them
     2. Businesses Are Required to Delete Personal Data Upon Request (With Some Exceptions)
     3. Businesses Must Disclose Specific Details on How They Handle Personal Data
     4. Businesses Can Ignore Both Laws (But Only for Specific Reasons, Including Law Enforcement)
     5. CCPA vs GDPR: Businesses Who Don’t Comply Will Be Fined
     6. Both Laws Require Businesses to Implement Cyber Security Measures… But They’re Not Very Specific
  5. CCPA vs GDPR: 12 Key Ways That the Two Regulations Differ
     1. CCPA Gives Individuals the Right to Stop Companies from Selling Their Data
     2. GDPR Requires Companies to Have 1 of 6 Legal Bases Before Processing Personal Data
     3. CCPA vs GDPR: GDPR Took Years to Craft — The CCPA Was Passed Within Months
     4. GDPR Protects the Personal Data of Anyone in the EU (No Matter Where Your Company is Located)
        • What Counts as Public Data?
        • Who or What Is a Data Subject?
     5. CCPA Protects the Data of Californians (No Matter Where Your Company Is Located)
        • Who’s Considered a California Consumer?
        • What Counts as Personal Information?
     6. GDPR Has Additional Requirements for Companies Handling Health-Related Data
     7. If You’re Any Sort of Business, Institution, or Organization That Handles Covered Data, GDPR Applies to You
     8. CCPA Only Applies to For-Profit Business (And Most Small Businesses Are Exempt)
     9. GDPR Requires Data Protection Officers and Additional Processes and Paperwork
     10. The CCPA Provides Greater Protection from Discrimination or Unequal Treatment — Sort of
     11. CCPA vs GDPR: Violators Will be Fined Under Both Laws — But GDPR Fines Are Much Higher
        • GDPR Civil Penalties
        • CCPA Civil Penalties
     12. CCPA vs GDPR: Consumers Can Seek Much Higher Compensation for Violations Under GDPR
        • GDPR
        • CCPA
  6. A Few Final Takeaways from Our Look at the CCPA vs GDPR

The Battle of Two Privacy Laws: CCPA vs GDPR

When comparing the European Union’s General Data Protection Regulation (GDPR) with the California Consumer Privacy Act (CCPA), there are some blatantly obvious similarities and differences, as well as some more nuanced differences.

The first thing to note about these two regulations is that they affect two geographically different audiences:

• GDPR: It’s all about protecting the private data and personal information (PI) of “natural persons” (individuals) who are in the European Union from businesses, public bodies and institutions that are established inside and/or outside of the union.
• CCPA: It aims to protect the private information of California consumers from for-profit businesses that meet specific thresholds (more on that in a bit).

Although they share some similar definitions, in many ways the CCPA and the GDPR are also different in their approaches. They use different terminology concerning whose data is protected, what types or categories of data are protected, and the types of organizations or businesses that the laws apply to.

Comparing the CCPA vs GDPR is much like looking at apples and oranges. They have many similarities — they’re both roundish tree-grown fruits with stems and strong flavors (oh, and they both make juices that taste fabulous and are great additions to any sangria… but I digress) — but when you get down to comparing CCPA vs GDPR, there are many differences between the two.

What is the General Data Protection Regulation?

Graphic: CCPA vs GDPR

The EU’s General Data Protection Regulation is a set of privacy regulations that have been in effect since May 25, 2018. The law aims to protect the fundamental rights and freedoms, particularly the right to protection of personal data, of “natural persons” (which, according to the regulation, are known as “data subjects”) in the European Union.

How does it do this? By requiring data “controllers” and “processors” — organizations and businesses that collect, use, or process the personal data of these data subjects — to disclose how the information they collect is processed and used. It also gives users more control over how their data is collected and processed.

So, basically, if you want to use people’s personal data, you need to explain why you’re collecting it, how it’ll be used, and what rights they have concerning access and consent.

Now, let’s turn our attention to the west coast of the United States to briefly discuss the CCPA.

What is the California Consumer Privacy Act?

Graphic: CCPA versus GDPR

Sometimes called the U.S.’s version of the GDPR, the California Consumer Privacy Act is, in some ways, the toned-down version of its European counterpart. It’s the smaller, somewhat less imposing younger brother. However, it’s still significant and is poised to have a global impact considering that:

• The U.S. lacks a comprehensive federal data privacy law;
• California is the fifth largest global economy (ranking ahead of the U.K., France, and India); and
• The regulation applies to businesses worldwide who meet certain criteria.

The CCPA applies to any organization, regardless of location, that deals with California consumers and/or their private data. However, there are certain size requirements that the organizations must meet to be subject to the law (which we’ll address later). The regulation officially goes into effect Jan. 1, 2020, although it does have certain provisions that required organizations to provide certain information to consumers for the year leading up to it. It also has an amendment that will go into effect Jan. 1, 2021.

So, what else is there to know about the CCPA vs GDPR? A lot. We’ve covered a brief overview of what these laws are. Let’s see what similarities they share and how they differ.

6 Major Similarities Between the CCPA and GDPR

The California Consumer Privacy Act and the General Data Protection Regulation share several similar requirements and expectations. In this section, we’ll break down some of the top things that these two pieces of legislation share.

1. Both Laws Give Individuals the Right to View and Access the Data Companies Collect on Them

The California Consumer Privacy Act and the General Data Protection Regulation are similar in that both serve to ensure that covered individuals can exercise their rights to access or limit the use of their personal data. When comparing the CCPA vs GDPR, both of these data privacy laws establish additional protection for individuals who are age 16 and younger.

The GDPR enforces an individual’s right to access their EU personal data that’s processed, and to have that information imported or exported in a user-friendly format. They can access their personal data from the past 30 days (longer in some circumstances) and can request access to it an unlimited number of times.

The CCPA also requires that the information can be exported in a user-friendly format, but there’s no requirement for importing it. Unlike the GDPR, however, the CCPA’s collected data has a 12-month window. Information about how their data is collected, used, or sold can only be requested up to two times in that period.

2. Businesses Are Required to Delete Personal Data Upon Request (With Some Exceptions)

When comparing the CCPA vs GDPR, both regulations also provide private individuals with a way to access and delete their personal information.

Under both the CCPA and GDPR, covered individuals have the right to request that a business or organization delete their personal information (under specific circumstances). Under the CCPA, that business must direct any service providers who also have that information to delete those records as well. However, a business doesn’t have to comply with this request if the consumer’s personal information is considered necessary for specific operations as outlined in 1798.105(a).

Under the GDPR, a covered individual’s right to erasure (as outlined in Article 17) is also known as “the right to be forgotten.” Catchy, no? This article specifies several grounds upon which an individual can obtain, without undue delay, the erasure of their information — many of which have legal bases.

3. Businesses Must Disclose Specific Details on How They Handle Personal Data

Both the CCPA and GDPR go to great lengths to require transparency about how individuals’ information is collected, shared, and used. Under the CCPA, for example, businesses must provide information as to:

• the categories of information they collect;
• whether the information will be sold or shared with third parties; and
• what rights the individual has concerning data erasure.

Under the GDPR, the “right to be informed” is made very clear concerning EU citizens (and people located in the EU, even just temporarily). It does, however, stipulate a difference between data obtained directly from that individual (Article 13) versus data obtained from another source (Article 14).

Both the CCPA and GDPR require detailed privacy notices from organizations and businesses that collect private and personal information. Under the GDPR, the law has different requirements for information that’s obtained directly from the data subject versus information obtained from another source. If the former, the person must be informed immediately (when the data is collected); if the latter, they must be informed “within a reasonable period of time, but at the latest after a month” unless the info will be used to contact them directly — then they must be informed “upon being approached.”

Under the CCPA, businesses that collect consumers’ personal information must inform them at or before the point of collection about what categories of information are being collected and how the info will be used. If a consumer submits a verifiable consumer request for their information, that info must be disclosed and delivered to them without charge within 45 days of their request being received.

Although the way that each law requires businesses to handle the data they collect or receive differs, the general takeaway is essentially the same: As a general rule of thumb, if you’re going to collect private or personal information from individuals who fall under these protections, you should state up front what types of information you’re going to collect, how the information will be used, and what their rights are to opt out of the collection of that information.

4. Businesses Can Ignore Both Laws (But Only for Specific Reasons, Including Law Enforcement)

Both the CCPA and GDPR have exceptions to individuals’ rights to data privacy. These exceptions often include matters concerning law enforcement-related investigations, judicial proceedings, or public safety concerns. In Section 1798.145, the CCPA outlines that:

“(a) The obligations imposed on businesses by this title shall not restrict a business’s ability to:

(1) Comply with federal, state, or local laws.

(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.

(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.”

The GDPR also makes similar exceptions — but on a much broader scale. Article 23 outlines that its obligations may be restricted when it comes to national and public security, defense, criminal investigations and prosecutions, judicial independence and proceedings, as well as multiple other considerations.

5. CCPA vs GDPR: Businesses Who Don’t Comply Will Be Fined

Both the CCPA and GDPR outline civil penalties that can be brought against businesses or other organizations for violations or infringements of the regulations. However, the civil penalties vary drastically between the two. We’ll speak more to that in the next section.

6. Both Laws Require Businesses to Implement Cyber Security Measures… But They’re Not Very Specific

When comparing the CCPA vs GDPR in terms of how well they provide strategies or guidance for mitigating risk, both regulations are lacking. The GDPR’s Article 32 does mention the “pseudonymisation and encryption of personal data,” but the law intentionally doesn’t provide specific recommendations. The CCPA isn’t much of a help in this area, either. It simply specifies that businesses must maintain “reasonable security procedures and practices” but doesn’t provide guidance as to how to accomplish this task. This is likely because lawmakers realize that technologies and processes change over time, so they thought it best not to list specific technologies or methodologies that will quickly become outdated or obsolete.

CCPA vs GDPR: 12 Key Ways That the Two Regulations Differ

Now that we’ve looked at the similarities, let’s compare the CCPA vs GDPR to see some of their most notable differences. Some CCPA requirements overlap with existing GDPR requirements. However, some processes, systems, and policies will require updates or tweaking to match the specific requirements of the new Golden State law.

1. CCPA Gives Individuals the Right to Stop Companies from Selling Their Data

The CCPA and GDPR differ significantly in terms of their core frameworks and their scope of personal information processing. For example, the CCPA focuses primarily on transparency-related obligations and provisions that inform consumers about your company’s data sales practices and limit the sale of personal information. Businesses must include a “do not sell my personal information” link on their website home pages to give consumers the right to opt out of allowing their information to be sold.

The GDPR, on the other hand, doesn’t explicitly address the sale of information to third parties. This is just one of multiple ways in which the CCPA vs GDPR differ.

2. GDPR Requires Companies to Have 1 of 6 Legal Bases Before Processing Personal Data

CCPA vs GDPR: GDPR requires a legal basis for data processing.

The GDPR, on the other hand, focuses significantly more on accountability-related obligations and frequently requires having a “legal basis” concerning the need for data processing. (The CCPA requires no such legal basis as a justification for collecting and using personal info.)

Under Article 6, these legal bases include the following:

1. “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”;
2. “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”;
3. “processing is necessary for compliance with a legal obligation to which the controller is subject”;
4. “processing is necessary in order to protect the vital interests of the data subject or of another natural person”;
5. “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”;
6. “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

3. CCPA vs GDPR: GDPR Took Years to Craft — The CCPA Was Passed Within Months

The two laws took significantly different amounts of time to prepare and build. On one hand, the GDPR, the first of its kind, is a sweeping piece of legislation that took several years to create and debate before being approved and, eventually, put into effect.

The CCPA, in comparison, was a rush job that took only months from the time it was introduced to the time it was approved by the governor and chaptered by the Secretary of State. This is because the law was passed quickly as part of a deal to keep a more restrictive measure, a proposed initiative (No. 17-0039) known as the Consumer Right to Privacy Act 2018, from being placed on the ballot.

4. GDPR Protects the Personal Data of Anyone in the EU (No Matter Where Your Company is Located)

What Counts as Public Data?

In a nutshell, the GDPR applies to the processing of personal data of “data subjects” — more on what that means in just a moment.

So, what is considered “personal data?” Article 4 outlines that personal data includes a variety of direct and indirect identifying information such as:

• names,
• location data,
• online identifiers,
• economic information,
• physical, genetic, physiological or mental identifiers, or
• social or cultural identifiers.

The term “processing” refers to various types of operations, including the “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” of personal data.

To put it another way, the law applies to any organization that accesses, collects, uses, alters, stores, or otherwise operates on covered individuals’ personal data in virtually any way. It’s important to note that the GDPR applies to publicly available data, whereas the CCPA does not.

Who or What Is a Data Subject?

But who or what is considered a “data subject” under the law? This term refers to someone:

“[…] who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, genetic, mental, economic, cultural or social identity of that natural person.”

Essentially, Recital 14 states that it protects “natural persons” (individuals) rather than “legal persons,” or legal entities — so, private individuals rather than companies. Article 3 specifies that these data subjects are those who are in the EU. It doesn’t specify that they have to be EU residents or citizens, however. This means that the PI of someone visiting from another country — say, an American visiting an EU member state — would be protected so long as they’re located in the European Union.

                                                      5. CCPA Protects the Data of Californians (No Matter Where Your Company Is
                                                      Located)

                                                      The CCPA, on the other hand, takes a different approach and
                                                      protects the rights and “personal information” of California “consumers.”

                                                      Who’s Considered a California Consumer?

                                                      A consumer is defined as “a natural person who is a California
                                                      resident, as defined in Section 17014 of Title 18 of the California Code of
                                                      Regulations… however identified, including by any unique identifier.” More on
                                                      the definition of “personal information” momentarily.

                                                      What Counts as Personal Information?

The CCPA protects the “personal information” of California consumers, meaning “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Section 1798.140 then lists specific categories of identifiers and data that fall under that definition, including:

• names and aliases;
• postal addresses;
• unique personal identifiers;
• online identifiers;
• IP addresses, email addresses, and account names;
• social security numbers, driver’s license numbers, passport numbers, and other similar identifiers;
• demographic information;
• geolocation data;
• commercial information;
• internet and other electronic network activity information;
• audio, electronic, visual, thermal, olfactory, or similar information;
• professional or employment-related information; and
• education information.

However, a recent amendment (AB-25) exempts, for one year, personal information collected “in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.” The exemption sunsets on Jan. 1, 2021. Two obligations still apply to that data in the meantime: the civil action provision (which we’ll discuss more later) and the business’s duty to inform those individuals of the categories of personal information it collects and the purposes for which it will be used.


6. GDPR Gives Health, Genetic, and Biometric Data Extra Protection

Any article comparing the CCPA and GDPR would be remiss not to mention health and medical-related data. The GDPR protects personal data relating to health more strictly than its California counterpart. It defines “genetic data,” “biometric data,” and “data concerning health” as distinct types of personal data and, under Article 9, treats them as special categories that may be processed only in narrowly defined circumstances. Under the CCPA, such information falls under the single category of “personal information.”

The CCPA, by contrast, says little specifically about health, biometric, or medical-related information. It defers to other U.S. legal frameworks for certain categories: medical information governed by California’s Confidentiality of Medical Information Act, and protected health information handled under the Health Insurance Portability and Accountability Act, are exempted from the CCPA.

                                                      7. If You’re Any Sort of Business, Institution, or Organization That
                                                      Handles Covered Data, GDPR Applies to You

The GDPR is broad in scope: it applies to virtually any business, organization, or institution that processes personal data, whether it is established in the EU (regardless of where the processing takes place) or established elsewhere but offering goods or services to, or monitoring the behavior of, people located in the EU (Article 3).

As we mentioned earlier, however, there are exceptions (Article 2): the regulation doesn’t apply to activities outside the scope of EU law, to national security, or to processing by competent authorities for the prevention, investigation, or prosecution of criminal offenses, which is governed by a separate directive. (Businesses that provide services to such organizations or government entities may still be covered for their own processing.)

                                                      8. CCPA Only Applies to For-Profit Business (And Most Small Businesses Are
                                                      Exempt)

Under the CCPA, on the other hand, a “business” is a for-profit legal entity that does business in California and collects consumers’ personal information (alone or jointly with others, determining the purposes and means of processing it). The company doesn’t need a physical presence in the state, but it does need to do business there, and it must meet at least one of these thresholds:

• it annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices;
• it has annual gross revenues in excess of $25 million; or
• it derives 50 percent or more of its annual revenue from selling consumers’ personal information.

                                                      9. GDPR Requires Data Protection Officers and Additional Processes and Paperwork

The GDPR is more stringent in that it requires the appointment of a data protection officer in specific cases (Article 37: public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data), maintaining records of processing activities (Article 30), and carrying out data protection impact assessments for processing likely to result in a high risk to individuals (Article 35). The CCPA requires no such appointments, records, or assessments.

                                                      10. The CCPA Provides Greater Protection from Discrimination or Unequal
                                                      Treatment — Sort of

                                                      The CCPA explicitly states in 1798.125(a)(1) that individuals who
                                                      exercise the new rights afforded by the regulation are not to be discriminated
                                                      against by businesses. Nothing so explicit is addressed by the GDPR. Essentially,
                                                      the idea here is that no business can deny California consumers service, charge
                                                      them different prices, or offer different levels of service based on whether
                                                      they choose to exercise their right to data privacy.

                                                      This is all fine and good conceptually, but this is where it also
                                                      gets a bit confusing and, frankly, contradictory. 1798.125(a)(2) says:

“Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.”

                                                      Furthermore, 1798.125(b)(1) states:

“A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.”

So, as a business, can you charge different prices or offer “financial incentives,” or can’t you? The answer is a qualified yes: a difference in price or service is permitted only if it is reasonably related to the value the consumer’s data provides, and the law leaves it to regulators and courts to decide what that means in practice. I guess this is why lawyers and judges get paid the big bucks to argue and interpret these types of nebulous, and at times contradictory, laws. I’ll leave that to the experts.

                                                      11. CCPA vs GDPR: Violators Will be Fined Under Both Laws — But GDPR Fines
                                                      Are Much Higher

As we mentioned earlier, the CCPA and GDPR take different approaches when it comes to administering penalties and fines for noncompliance.

                                                      GDPR Civil Penalties

Unlike some other data protection laws and regulations, the GDPR has teeth when it comes to punishing violations. The penalties are among the largest the world has seen for data privacy violations. For example, Article 83(5) states that infringements of data subjects’ rights may “be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.”

This means that an organization that fails to comply with the regulation could face fines of up to €20 million, or 4% of its worldwide annual turnover if that figure is higher. Google was one of the first to experience the woes of noncompliance: in January 2019, France’s data protection authority, the CNIL, fined it €50 million (approximately $57 million) over how it informed users and obtained their consent for personalized advertising. This marked the first reported occasion of a major tech company being penalized under the regulation.

                                                      Although, realistically, this amount is just a drop in the bucket for a company as big as Google, it is a showstopper for organizations that are smaller in size. It would definitely close the doors of small to mid-size businesses and would put a significant dent in the coffers of some large businesses.  

                                                      CCPA Civil Penalties

Under the CCPA, businesses that fail to “cure” an alleged violation within 30 days of receiving a noncompliance notice are subject to a civil penalty of no more than $2,500 for each violation, or $7,500 for each intentional violation. Only the state Attorney General can bring these actions. Penalties recovered are deposited into the Consumer Privacy Fund to cover costs incurred by the state courts and the Attorney General.

                                                      To me, it seems like nothing more than a small slap on the
                                                      wrist — and, frankly, a slap to the faces of consumers whose rights to data privacy
                                                      are violated. Thankfully, there’s something they can do to get some
                                                      compensation for these violations under the CCPA… although, frankly, they’ll
                                                      likely be disappointed with that, too.

                                                      12. CCPA vs GDPR: Consumers Can Seek Much Higher Compensation for Violations Under GDPR

                                                      The actions that individuals can take under the CCPA vs
                                                      GDPR, when their rights as outlined under the regulations have been violated,
                                                      are very different. And the level of compensation they may receive also varies,
                                                      with GDPR holding the promise of higher payback for privacy violations.

                                                      GDPR

Under the GDPR, a data subject has the right to lodge a complaint with a supervisory authority for any perceived infringement concerning the processing of their personal data (Article 77). If they disagree with the authority’s decision, or if the authority does not handle the complaint or inform them of its progress or outcome within three months, they have the right to an “effective judicial remedy” against that authority (Article 78). The data subject can also seek the same judicial remedy against a controller or processor for any perceived noncompliance (Article 79).

The data subject also has the right to compensation from a controller or processor for material or non-material damage caused by a GDPR violation (Article 82), unless the accused party proves it is not in any way responsible for the event giving rise to the damage. The bad news? If your business (say, a controller) hands customer information to a third-party service provider (a processor) that uses it unlawfully or against your instructions, your business, the processor, or both can be held liable.

Where a controller and a processor are both involved in the same processing and both bear responsibility, each is liable for the entire damage so that the data subject is fully compensated. The good news? A controller or processor that pays full compensation can claim back from the other parties involved the part that corresponds to their share of responsibility (Article 82(5)). So if the PI you hand to a service provider is used in any way other than you instructed, you have a route to recover from them.

                                                      CCPA

Under the CCPA, a consumer can bring a private civil action (the civil action provision we mentioned earlier) against a business whose failure to implement and maintain reasonable security procedures for their “nonencrypted or nonredacted personal information” results in “unauthorized access and exfiltration, theft, or disclosure.” However, before suing for statutory damages, the consumer must first give the business 30 days’ written notice identifying the specific provisions it allegedly violated. (No notice is required for an action seeking only actual pecuniary damages.)

If the business cures the violation within those 30 days and provides the consumer an express written statement that the violations have been cured and no further violations will occur, “no action for individual statutory damages or class-wide statutory damages may be initiated against the business.”

Otherwise, the consumer may pursue a civil action to:

1. recover damages of not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater;
2. obtain injunctive or declaratory relief; and
3. obtain any other relief the court deems proper.

                                                      A Few Final Takeaways from Our Look at the CCPA vs GDPR

All that we’ve discussed about the CCPA and GDPR demonstrates why it’s so important for every business, regardless of size, to take a hard look at its existing policies, processes, and procedures. In this digital era, it’s imperative that businesses take the proper steps to ensure data security, both to protect the rights and security of individuals and to protect themselves. These steps include evaluating:

                                                      • how information is collected, stored, and used
                                                        by your own organization, as well as
                                                      • how it’s transmitted to or otherwise provided to
                                                        and used by authorized third-party service providers.

Unfortunately, the GDPR doesn’t provide much in terms of how to approach risk mitigation in data processing. Article 32 requires “appropriate technical and organisational measures” proportionate to the risk, and names pseudonymisation and encryption, ongoing confidentiality, integrity, availability and resilience, the ability to restore data after an incident, and regular testing as examples, but it leaves the specifics to you. That’s why we’ve come up with a list of our own recommendations:

• Keep private and personal information encrypted, in transit and at rest. The CCPA’s private right of action is triggered by breaches of “nonencrypted or nonredacted” personal information, so encryption directly limits your exposure. Serve your website over HTTPS, and require TLS (STARTTLS or implicit TLS) on your mail servers so messages aren’t relayed in the clear. Encrypt data at rest using the encryption features offered by your database or storage vendor, and keep the keys separate from the data they protect. Furthermore, secure the contents of your emails end to end with email encryption solutions such as S/MIME certificates.
                                                      • Implement strong access control mechanisms, policies, and procedures. The goal here is to mitigate unauthorized access. Taking this step ensures that access to sensitive personal information is limited to only those who need it to perform their jobs. Put procedures in place that ensure access is removed once it’s no longer required for an employee to perform their job or if the employee no longer works there.
                                                      • Teach employees cyber security best practices and provide cyber awareness training. The goal here is to help your employees — everyone from the CEO and board members down to the janitorial staff — recognize potential threats such as phishing emails or malicious links. Provide them with real-world examples and run phishing simulation training as well to help them recognize threats in the wild.  
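The first two recommendations, put into code as an added example (this is not from the original post or from The SSL Store): a Go program that seals each personal-information field of a consumer record with AES-256-GCM before it is written, binding the record ID and field name into the authenticated data so a ciphertext moved to another row or column fails to decrypt, plus a redaction helper for staff who don’t need the full value. The record ID, field names, and sample consumer values are constructed for the demo. `TestOnlyKey` derives a fixed key from a label so the example is reproducible; in a real deployment the key would come from a KMS or HSM and never sit beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// TestOnlyKey derives a deterministic 256-bit key from a label so the demo is
// reproducible. It stands in for a key fetched from a KMS/HSM; never derive
// real data-encryption keys from a constant like this.
func TestOnlyKey(label string) []byte {
	sum := sha256.Sum256([]byte("example-key:" + label))
	return sum[:]
}

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to the row and column it belongs to.
func aad(recordID, field string) []byte {
	return []byte(recordID + ":" + field)
}

// EncryptField seals one personal-information value as
// base64(nonce || ciphertext || tag). A fresh 96-bit random nonce is used per
// value, and the record ID and field name are authenticated (not encrypted), so
// a ciphertext copied from another row or column is rejected on decrypt instead
// of silently yielding someone else's data.
func EncryptField(key []byte, recordID, field, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), aad(recordID, field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. It fails closed on a wrong key, any
// modification of the stored value, or a record/field mismatch.
func DecryptField(key []byte, recordID, field, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("stored value too short to be a valid ciphertext")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad(recordID, field))
	if err != nil {
		return "", err // authentication failed: never return partial plaintext
	}
	return string(pt), nil
}

// RedactEmail covers the "nonredacted" half of the CCPA wording: a support
// view that only needs to confirm an address shows "j***@example.com".
func RedactEmail(email string) string {
	at := strings.IndexByte(email, '@')
	if at < 1 {
		return "***"
	}
	return email[:1] + "***" + email[at:]
}

func main() {
	key := TestOnlyKey("demo")
	// Constructed sample record; not real consumer data.
	id, email := "cust-1001", "jane.doe@example.com"
	stored, err := EncryptField(key, id, "email", email)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored email column:", stored)
	plain, _ := DecryptField(key, id, "email", stored)
	fmt.Println("support view:", RedactEmail(plain))
	// The same ciphertext under a different row ID fails the AAD check.
	_, err = DecryptField(key, "cust-2002", "email", stored)
	fmt.Println("cross-row decrypt rejected:", err != nil)
}
```

Run it with `go run`. A dump of a table stored this way contains no “nonencrypted” personal information, and a support view built on `RedactEmail` contains no full addresses; both properties assume the key is held outside the database and is not part of the dump.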

We hope this article provides clarity about the similarities and differences between the CCPA and GDPR. Although the CCPA affords greater rights to a smaller group of individuals and affects fewer businesses than the GDPR, it’s still a powerful piece of legislation that is poised to have a major impact on businesses worldwide. And while the preparations your business may have made for the GDPR are helpful, they won’t encompass all of the updates or changes you’ll need to take care of before Jan. 1, 2020.


                                                      *** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/ccpa-vs-gdpr-what-you-need-to-know-about-these-data-privacy-laws/