Getting It Straight
The European Union's General Data Protection Regulation (GDPR) kicked off what would become a rolling introduction of data privacy regulations across the globe. While countries and states can pass their own standards to protect their residents, the new and changing policies make it difficult for organizations to keep track of their responsibilities.
We’re going to break down two of the most well-known and pressing regulations, the GDPR and the California Consumer Privacy Act (CCPA) to give you a bit more clarity. What you need to know is that the general premise of these regulations is the same - to protect consumers’ right to privacy - but they can differ in their requirements and who is affected. There are detailed nuances to both, but the following chart should give you a good overview of their key differences.
All Data Privacy Laws Are Not The Same
| | GDPR | CCPA |
|---|---|---|
| Date | Implemented on May 25, 2018 | Implemented on January 1, 2020 |
| Affected entities | Affects any organization inside or outside of the EU that offers goods or services to, or monitors the behavior of, EU subjects. | Affects certain organizations inside or outside of California that do business with a California company, have California resident customers, or collect any personal data of a California resident for any purpose. Regulated companies have gross revenue greater than $25M, handle personal data of more than 50,000 consumers for commercial purposes, or derive 50% or more of their annual revenues from selling consumers' personal data. |
| Representation | Requires most companies outside of the EU to designate an EU representative if they have no presence in the EU and process personal data of EU residents. | There is no similar representative requirement. |
| Fines | Lesser violations result in fines of up to 10 million euros ($10.8M USD) or up to 2% of the firm's worldwide annual revenue from the previous fiscal year, whichever is higher. More severe violations can result in fines of up to 20 million euros ($21.6M USD) or up to 4% of the firm's worldwide annual revenue from the preceding fiscal year, whichever is higher. | Civil penalties (violations lacking intent) are $2,500 for each violation. Intentional violations are $7,500 each after notice and a 30-day opportunity to remedy. |
| Security | Requires data controllers and processors to implement satisfactory technical and organizational measures to ensure adequate security of data. | Does not define or impose data security requirements, but it does give consumers the right to take legal action if a security breach occurs. |
| Opt-out Rights | No right to opt out of personal data sales, but it does give consumers the right to opt out of processing data for marketing purposes and to withdraw consent to process personal data. | Organizations must provide a clearly visible option for consumers to opt out of the sale of their personal data, and if a consumer requests "Do Not Sell My Personal Information", the organization cannot ask again for another 12 months. |
| Rectification Rights | Data subjects have the right to request that an organization correct any incorrect or incomplete personal data. | No right of rectification. |
| Age of consent | Age for consent is 16, and parents must consent for children under 16. Organizations must still provide an age-appropriate privacy notice to the child and implement increased security measures to protect their personal data. | Age of consent is 13, and parents must consent for children under 16. All provisions in the federal Children's Online Privacy Protection Act (COPPA) still apply. |
Make It Simple Through Automation
We only highlighted the most contrasting requirements between the GDPR and the CCPA, but there are other factors that play into how your organization may or may not need to comply. There are also more data privacy regulations on the horizon. Not only will there likely be ongoing modifications to the GDPR and the CCPA, but other countries and states are poised to introduce their own sets of standards in the near future.
This growing web of laws puts organizations in a precarious situation: they must keep track not only of where and with whom they do business, but also of all the new and changing privacy laws across the board. Without a single global data privacy regulation that offers consistent requirements, compliance will remain an ongoing battle.