In an era where data flows freely across borders and platforms, businesses face an increasingly complex challenge: safeguarding customer information while adhering to a web of regulations.
For marketing directors and managers of mid-to-large businesses, this challenge is particularly significant, as the implications of mishandling data can reverberate across both legal and brand integrity realms.
This guide covers the following aspects of the major data protection laws:
- The General Data Protection Regulation (GDPR), its requirements, rules for gathering data, and penalties.
- The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the requirements, who the law pertains to, and its fines and penalties.
- The differences between the GDPR and the CCPA, including scope, how the two laws define personal data, frameworks, rights of individuals, and enforcement.
What is the GDPR?
Enacted by the European Union in May 2018, the General Data Protection Regulation (GDPR) stands as a pivotal internet data privacy law. Its impact extends beyond the borders of EU member states: it applies to any organization that targets or collects data on EU citizens, whether that organization is located within the EU or beyond its confines.
At the heart of the GDPR lie seven fundamental principles of protection and accountability that dictate how EU citizens' data must be handled. Any processing of an EU citizen's data must follow all seven. They are:
- Lawfulness, fairness, and transparency: processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation: you must process data only for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization: you should collect and process only as much data as is absolutely necessary for the purposes specified.
- Accuracy: you must keep personal data accurate and up to date.
- Storage limitation: you may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality: processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability: the data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Requirements
When it comes to adherence to the GDPR, little leeway is given. Data controllers must be able to show that they are GDPR compliant before gathering or using any EU citizen's data. Demonstrating compliance requires a systematic approach that substantiates responsible data management. Here are several ways to establish your compliance:
Comprehensive Documentation: Maintaining meticulous records detailing the data you gather, its intended purpose, storage procedures, assigned data custodians, and all necessary documentation is essential. This not only showcases your commitment but also enhances transparency.
Appointing a Data Protection Officer: Designating a qualified individual to oversee data protection matters further emphasizes your dedication to compliance. This role is pivotal in ensuring ongoing adherence and providing a point of contact for data subjects.
Training and Technical Measures: Equipping your staff with proper GDPR awareness and training is pivotal. Additionally, implementing technical safeguards, such as two-factor authentication, Google’s Consent Mode, and encrypted data storage, showcases your commitment to data security.
Data Processing Contracts: If third parties handle data collection on your behalf, ensure robust data processing contracts are in place. These agreements should underscore the responsibilities and compliance standards of all parties involved.
Organizational Measures: Bolstering your organization's data privacy measures involves embedding GDPR principles within your team's mindset. This can encompass staff training, adding a data privacy policy to your employee handbook, and carefully limiting access to personal data.
GDPR rules for legal data gathering/processing
Article 6 of the GDPR states when an organization is allowed to process or use EU citizens' data. If you cannot rely on one of these six lawful bases, do not under any circumstances collect, use, or sell users' data. The six lawful bases are:
- Explicit Consent: Processing data is permissible if the data subject has provided clear and unambiguous consent for the specified purpose. For instance, when users willingly opt into your marketing email list, they grant such explicit consent.
- Contractual Necessity: When data processing is essential for executing or preparing to enter into a contract with the data subject, such as conducting a background check before leasing property, this becomes a lawful basis.
- Legal Obligation: Processing data to fulfill your legal obligations, such as complying with a court order within your jurisdiction, is firmly within GDPR guidelines.
- Vital Interests: Data processing can be warranted to save a person's life. You’ll probably know when this one applies.
- Public Interest or Official Function: Processing data can be legitimate when it serves a task in the public interest or is part of an official function. For example, private garbage collection companies can operate on this basis.
- Legitimate Interests: This represents a flexible basis for data processing as long as your legitimate interests do not infringe upon the "fundamental rights and freedoms of the data subject." It's important to note that the interests of children hold particular weight.
When seeking a user's consent to collect their data, the GDPR imposes strict rules on how an organization must obtain that consent:
- Consent must be “freely given, specific, informed, and unambiguous.”
- Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
- Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
- Children under 13 can only give consent with permission from their parents.
- You need to keep documentary evidence of consent.
GDPR Penalties
The GDPR imposes tough penalties on any organization that violates the law. The GDPR established the European Data Protection Board, which oversees and enforces the GDPR. For less serious offenses, organizations can be fined up to 10 million euros or 2% of worldwide sales, and for more serious offenses up to 20 million euros or 4% of total worldwide sales, whichever amount is greater.
What is the CCPA?
If your business is a for-profit organization operating in California, it's crucial to gain a comprehensive understanding of the California Consumer Privacy Act (CCPA). This understanding is essential not only to ensure adherence to the law but also to prevent potential fines and penalties.
Enacted in 2018 and taking effect on January 1, 2020, the CCPA stands as a pivotal internet privacy law that provides a robust framework for data protection. It empowers consumers in California with greater control and protection over their personal information.
This Act was designed to make organizations responsible for the data they possess. Although the CCPA imposes many obligations similar to those required by the GDPR, a business that already complies with the GDPR may have additional obligations under the CCPA.
Additionally, the California Privacy Rights Act (CPRA) is an amendment to the CCPA that was passed in 2020 and went into effect in 2023. It expands the scope of the CCPA to include additional types of personal information and gives consumers even more rights over their data.
The CCPA establishes the following privacy rights for people in California:
- A right to know what personal data is collected, used, shared, or sold by businesses.
- A right to delete personal data.
- A right to prohibit the sale of personal data. Children under the age of 16 must give explicit consent to have their data eligible for sale, and a parent or guardian must give explicit consent for a child under the age of 13.
- A guarantee that consumers who exercise their rights under the CCPA will not be penalized with higher prices or lower levels of service than those who do not.
What Are the Requirements?
The CCPA mandates a comprehensive framework to safeguard consumer rights and data privacy.
Obligations for businesses include:
- Notifying consumers in advance of the personal data being collected.
- Making it easy for consumers to exercise their rights under the act, such as by providing links on their websites and mobile apps that let consumers prohibit the sale of their data.
- Responding within specific time frames to requests made by consumers under the act.
- Verifying the identity of consumers making requests under the act.
- Disclosing any financial incentives offered in exchange for the retention or sale of personal data, as well as how the value of this data was calculated. Also, businesses must explain why they believe such incentives to be permitted under the CCPA.
- Keeping records of all requests made under the act and how they responded.
- Maintaining data inventories and mapping data flows.
- Disclosing data privacy policies and practices.
Incorporating these obligations into your business practices not only ensures legal compliance but also reinforces your commitment to respecting consumer privacy rights.
Who Needs to Adhere to the CCPA?
Businesses that meet at least one of the following three criteria are subject to the CCPA:
- Generating gross annual revenues of $25 million or more.
- Purchasing, selling, receiving, or sharing the personal data of 50,000 or more individuals, households, or devices for commercial purposes.
- Deriving 50% or more of annual revenues from the sale of personal data.
Additionally, businesses that handle personal data from more than 4 million consumers may eventually face additional obligations.
What Are the Fines and Penalties?
The Office of the Attorney General of California is exclusively authorized to enforce the CCPA. At the same time, consumers have a private right of action under the CCPA, allowing them to take an organization to court and pursue legal claims for violating the law; this right is limited to cases in which their unencrypted or unredacted personal information is breached.
In the case of non-compliance, the penalties include:
- Intentional Violations: Businesses facing intentional violations may incur maximum civil penalties of $7,500. Once notified by the Attorney General's Office, they have 30 days to address and resolve the violation. Failure to comply within this timeframe results in financial penalties.
- Unintentional Violations: For unintentional violations, businesses can encounter maximum civil penalties of $2,500. Similar to intentional violations, the same 30-day window is granted for resolution, failing which financial penalties are imposed.
- Civil Lawsuits: Consumers can file private lawsuits for statutory damages of between $100 and $750 or for actual damages (whichever is higher) for each incident of breach of their unredacted and unencrypted data stored on a business's server. Companies have only 30 days to resolve the violation after being served a notice by the consumer, or they will face civil penalties.
Organizations must note that there is no upper cap on penalties under the CCPA. The CCPA states that the maximum civil penalty is $2,500 for every unintentional violation and $7,500 for every intentional violation of the law. Therefore, the CCPA assesses penalties per violation, which, once stacked, become a costly risk for businesses that must comply with the CCPA.
What are the Differences Between CCPA & GDPR?
In an era where personal data has become a valuable commodity, the need for robust data protection legislation has gained unprecedented significance. The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two of the world’s most comprehensive data privacy laws.
Despite a common goal to protect consumer data in an increasingly data-driven world, there are several key variations that set the two laws apart. These differences include geographic applicability, definition of personal data, data coverage, framework, rights of individuals, and enforcement & penalties.
Geographical Scope & Applicability
One of the most noticeable distinctions between GDPR and CCPA lies in their geographic reach. In general, the GDPR applies to the U.K. and the European Economic Area (EEA). However, it is important to note that the GDPR applies to any company that processes the personal data of individuals within the EU, regardless of where those companies are actually based.
In contrast, the CCPA applies to organizations that do business in California and organizations that process the consumer data of California residents. This means that even if a company is not based in California, it will still have to ensure CCPA compliance if it is a for-profit organization conducting business in California and meets the required characteristics. Though this law focuses solely on the state of California, its impact reverberates beyond state borders due to the economic influence of California and the interconnectedness of businesses.
Definition of Personal Data
Both the GDPR and the CCPA cover a broad range of personal data belonging to their residents. Nonetheless, they define personal data differently.
The GDPR adopts a broad interpretation that describes personal data as any information about an identified or identifiable person, such as their identification number, online identifier, email address, or phone number, or sensitive data relating to the physical, physiological, genetic, mental, economic, cultural, or social identity of the data subject.
This excludes data related to a deceased person, data gathered through non-automated means, anonymous data, or data gathered for personal or household purposes.
The CCPA defines personal information as any information that identifies, relates to, describes, is associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, device, or household, such as a name, email address, purchase records, browsing history, location, biometric data, and inferences drawn from other personal information covered by the CCPA.
The CCPA excludes medical information protected under the Confidentiality of Medical Information Act (CMIA) or the Health Insurance Portability and Accountability Act (HIPAA), information related to clinical trials, the sale of information to or from consumer reporting agencies, personal information covered by the Gramm-Leach-Bliley Act, and any public information from federal, state, or local government records.
GDPR and CCPA Frameworks
Both the GDPR and the CCPA prioritize giving individuals control over their personal information. The GDPR grants individuals the right to access their data, rectify inaccuracies, request erasure, and object to processing, among others.
Under the GDPR, websites, companies, and businesses in the EU need a legal basis for obtaining and processing personal data, most commonly consumer consent. The GDPR therefore requires organizations to offer an opt-in process for data collection, and most forms of data collection occur under individual consent.
On the other hand, the CCPA emphasizes the right to opt out of the sale of personal information. Under the CCPA, business organizations do not need a user’s prior consent to process or sell personal data, but consumers do reserve the right to request businesses to delete their data.
Rights of Individuals
The General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and California Privacy Rights Act (CPRA) introduce distinctive sets of rights that empower individuals to exert control over their personal information. These rights collectively represent a pivotal shift towards fostering transparency, autonomy, and fairness in the treatment of personal data.
The GDPR provides the following data subject rights:
- The right to be informed.
- The right to access personal data.
- The right to rectification.
- The right to deletion and erasure.
- The right to restrict personal data processing.
- The right to data portability.
- The right to object to personal data processing.
- The right to object to automated data processing for decision-making and profiling.
Under the CCPA, consumers have the following rights:
- The right to know about and access personal information.
- The right to delete personal information collected from consumers.
- The right to opt out of the sale of personal information.
- The right to non-discrimination for exercising CCPA rights.
The California Privacy Rights Act (CPRA) adds the following rights:
- The right to know about and opt out of automated decision-making.
- The right to correct personal information.
- The right to limit the disclosure of sensitive personal information.
- The right to opt out of the sharing and selling of sensitive personal information.
Enforcement and Penalties
The effectiveness of data privacy laws lies not only in their regulations but also in the enforcement mechanisms and penalties they employ. The General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) both establish rigorous frameworks for safeguarding personal data.
Understanding the nuances of these enforcement mechanisms is essential in comprehending the consequences and obligations that organizations face under these influential data protection laws.
European Union (EU) - GDPR Enforcement
In the EU, uniform application of data protection law is ensured by the European Data Protection Board (EDPB), which oversees GDPR enforcement and initiates actions against potential violators. At the same time, the European Commission investigates breaches of EU law, including the GDPR, and retains the authority to levy fines on companies found to be in violation.
GDPR penalties are differentiated based on the severity of the offense. Data protection authorities within EU member states can impose fines of up to €10 million or 2% of total worldwide sales for less serious breaches, and up to €20 million or 4% of total worldwide sales for more significant infringements. Individuals affected by GDPR violations also have the right to pursue private legal claims, seeking compensation for their losses.
California - CCPA Enforcement
The California Attorney General’s Office takes charge of CCPA enforcement, responding to complaints and initiating enforcement actions.
CCPA penalties encompass a civil penalty framework. For intentional violations, the California Attorney General can impose civil penalties reaching up to $7,500, while unintentional violations may lead to penalties up to $2,500. These penalties can accumulate over time, without a maximum limit. Moreover, individuals can exercise their right to file private legal claims for data breaches, potentially resulting in actual damages recovery and statutory damages between $100 and $750 per consumer for each incident of non-compliance.
In comparing these enforcement mechanisms, the GDPR focuses on graduated fines related to sales, while the CCPA leans towards civil penalties and encourages individual legal claims. Understanding these distinct enforcement landscapes is vital for businesses to ensure compliance and minimize potential penalties.
Summary: Data Protection Compliance Mitigates Legal Risk & Increases Brand Trust
The intricate web of data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA), presents both challenges and opportunities for businesses.
While the GDPR, CCPA, and CPRA share common goals of safeguarding personal data and empowering individuals, they diverge in significant ways, reflecting the distinct regions and frameworks in which they operate. From the GDPR's global impact on data processors and controllers targeting EU citizens to the CCPA's emphasis on consumer rights within the state of California, these laws wield considerable influence.
By recognizing the differences and similarities between these regulations, businesses can develop holistic data protection strategies that uphold legal standards, honor customer preferences, and align with evolving industry practices. Such awareness enables companies to proactively safeguard against potential legal pitfalls, hefty fines, and damaging penalties. By embracing this insight, organizations not only exemplify a commitment to ethically managing data but also shield themselves from the risk of costly lawsuits.
This proactive stance not only fortifies legal adherence but also safeguards reputation and customer trust, paving the way for sustainable growth and resilience in an era of heightened data scrutiny.