The game of data collection has changed for the better — for consumers. New regulations with effects around the globe require better transparency, higher security, and strengthened consent. Whether you’re in the business of marketing, technology, or e-retail, these new data protection laws could apply to your business.
The California Consumer Privacy Act (CCPA), and its counterpart the California Privacy Rights Act (CPRA), create rights and require transparency for Californians. (FYI: they apply to businesses outside of California.) The CCPA is currently the strictest data security law in effect in the U.S., soon to be followed by the CPRA, which enhances many of the elements within the CCPA.
The General Data Protection Regulation (GDPR) is an EU law that governs the processing of personal data of individuals within the EU. (Again: it applies to businesses outside of the EU.)
Many features of the CCPA and GDPR go hand-in-hand: both are meant to protect the privacy, power, and data security of certain individuals, and both have global effects. But there are areas where the two laws diverge in scope and enforcement.
If you’re concerned about whether your business is required to comply with the laws of either, the attorneys at Rockridge® can work with you to see if (or when) the GDPR or CCPA will apply to your business and draft a plan to ensure you’re in compliance (and avoid significant fines).
To learn more, check out our article: Key Elements of an Effective Data Privacy Compliance Program.
Scope of Protection
The GDPR protects any individual located inside the EU, whereas the CCPA protects California residents.
Although similar, the scope of protection for the two laws is not quite the same. The GDPR’s protection extends to anyone who enters the EU’s borders, whether they live there or not, and that protection goes away when the individual exits the EU’s borders. The CCPA, on the other hand, offers protection to California’s citizens and residents whether or not they are currently within the state.
The scope of businesses that must comply with the regulations also diverges slightly. Under the GDPR, any website, company, or organization that processes personal data of individuals inside the EU must comply. Under the CCPA, only companies or for-profit organizations that meet the law’s definition of a “business” are required to comply. Either law may apply to a business regardless of the business’s physical location or state of incorporation.
If you would like to learn more about whether the GDPR or CCPA applies to your organization, check out our articles: GDPR for Small Businesses and Does the CCPA Apply to Me?
New Rights
Consumers are entitled to similar rights under the GDPR and CCPA. These include the right to be forgotten, the right to access, the right to portability, and strengthened consent.
While there are minor differences in how the GDPR and CCPA define the right to be forgotten, the right essentially allows consumers to request that companies delete the consumer’s information. This includes not only information the consumer provided, but any other information collected by the business, e.g., analytics, notes, etc.
The right to access entitles individuals to request that a company share with the consumer all of the information that has been stored about them. The consumer typically does not have to pay for this information transaction.
Closely following the right to access is the right to port any of that information to another business, if the consumer so requests. The idea behind this element is to allow for the free movement of consumers from company to company. The information that is ported must be shared in a common, machine-readable format.
Lastly, and here is where the GDPR and CCPA truly differ, is the idea of strengthened consent. The GDPR centers on the concept of “privacy by design.” The CCPA, conversely, is focused on creating transparency for its citizens. While businesses obligated to follow the CCPA must provide California residents with a method to opt out of data collection, the GDPR requires that individuals within the EU first opt in before a company may collect any data.
Enforcement
When it comes to the enforcement of the GDPR and the CCPA, the two data privacy laws are similar in type but, again, different in their scope.
Fines for non-compliance with the GDPR can range as high as 4% of a company’s total global net profits or 20 million euros, whichever is higher. The amount of the fine will depend on the nature, gravity, and duration of the infringement.
The CCPA, on the other hand, is less far-reaching. Non-compliance can lead to a maximum of $2,500 per violation, with intentional violations of up to $7,500.
Recap
The GDPR is a broader privacy law, with a larger scope of protection than the CCPA. The concept of privacy is turned upside-down: the consumer is first handed a key to lock up their data before a company ever takes a look. The CCPA, in comparison, is a smaller, more specific law meant to protect Californians and their decisional rights over their data. It is also the law that most U.S. states are aiming to imitate. The two laws are different on a fundamental level and create two very different legal frameworks for privacy and data autonomy in Europe and California.
About RVL®
Rockridge Venture Law® is a certified B Corp law firm embracing the mantra of technology lawyers for good. Rockridge® services include corporate, intellectual property, litigation, M&A, privacy, technology, and venture capital law. Rockridge has been recognized as a B Corp Best for the World and Real Leaders Top 150 Impact Company, and has been featured by Conscious Company Magazine, Forbes, and other top media focused on industry leaders in impact and innovation.
The Rockridge team has worked with Grammy winners, Nobel Prize winners, and world champion athletes to create and monetize distinctive intellectual property assets. Rockridge clients include founders, investors, and multinationals scaling disruptive technologies and iconic brands. Rockridge is headquartered in Tennessee, with satellite offices in Durham, New Haven, and New York.
We’re Building Today’s Company for Tomorrow’s Economy® by leading clients through the dizzying array of information controls, by helping them to develop and monetize proprietary assets, and by enabling their impactful products, programs, and principles.
See case studies on how we’ve helped transformative companies at Rockridge Case Studies.