Rebecca Ding

From CCPA to GDPR compliance: what your organisation needs to think about

If your organisation currently operates in California, it is likely that you are already compliant with the California Consumer Privacy Act (CCPA). Whilst this takes you one step closer to being compliant with the EU General Data Protection Regulation (GDPR), there are a few extra processes and checklists that your organisation must go through to be fully compliant. In essence, the GDPR is the stricter cousin of the CCPA and more work needs to be done on your end.


Background

In 2018, the European Union passed the General Data Protection Regulation (GDPR) to protect its citizens’ data rights. This transformed the way companies are able to handle the personal data of data subjects and brought far-reaching consequences for breaching the regulation. It is the most comprehensive data regulation of its kind and has a wider scope than the CCPA.

The CCPA was introduced in January 2018 within the State of California, went into effect in January 2020 and was enforced on 1st July 2020, affecting businesses operating in California that collect personal information of California consumers.

How organisations can go from the CCPA to GDPR in a few simple steps:

  1. Understanding the different scope of application

  2. Understanding the different scope of protection

  3. Understanding data breaches and penalties


By way of introduction, there are a few basic similarities and differences between the two regulations that should be highlighted from the outset.


Where the GDPR applies to all organisations, irrespective of whether they are charities or for-profit, the CCPA only applies to for-profit entities. Whilst both laws cover natural persons, the GDPR covers all data subjects, regardless of citizenship, whereas the CCPA only applies to California residents and ‘households’, which under the CCPA are deemed ‘consumers’. The term household thus extends beyond a single data subject or natural person, which differs from the GDPR, where only data subjects are covered. Overall, this shows a substantial difference in approach, yet the effect for the identifiable natural person is broadly similar.


Below are the further similarities and differences that your organisation should take note of to go from CCPA compliance to GDPR compliance.


Scope of application

When comparing the two regulations, the difference in their scope of application means that an organisation that is CCPA compliant will have to take extra steps to be compliant with the GDPR. This is because the GDPR applies to all types of organisations that deal with personal data from within the EU whilst the CCPA only applies to organisations that meet the following criteria:

  • Are for-profit;

  • Have over $25 million in annual gross revenue; or

  • Derive more than 50% of their revenue from selling consumers’ personal information; or

  • Share (buy or sell) the personal information of over 50,000 consumers, households or devices for commercial purposes


Processing under the CCPA is also limited to consumers who are natural residents of California and organisations that operate within California, whereas the GDPR refers to data stemming from all data subjects, irrespective of residence and geographical scope.

Key Takeaway

The scope of the GDPR is much broader than that of the CCPA, as it regulates data controllers and processors established within the EU as well as those not established within the EU, so long as they process EU data subjects’ data to offer goods and services.

Scope of Protection

The signature difference between the CCPA and the GDPR is how they allow data subjects to manage and control how much of their data is being collected.

The GDPR operates on a legal basis for processing data, so that as long as the organisation can show that it is processing data lawfully, it may continue to do so. The exception is where it uses user consent as the legal basis for processing data, in which case a clear ‘opt in’ mechanism is required. The GDPR also has certain opt-out methods, such as the withdrawal of consent for processing activities and for the processing of data for marketing activities.

The CCPA, on the other hand, adopts an all-encompassing ‘opt out’ approach, where organisations must make a link that says “Do Not Sell My Personal Information” clearly available on their website. The organisation must then wait 12 months before it can ask the user for re-authorisation.


Key Takeaway

For CCPA-compliant firms, the GDPR is substantially different in the way it treats the protection of data rights and how data is to be lawfully processed. As such, organisations will need to familiarise themselves with the legal grounds for processing data and the lawfulness of processing under the GDPR, and understand where certain ‘opt-out’ mechanisms must be adopted.

Data breaches and Penalties

For non-compliance with the CCPA, there are no penalties until a data breach occurs. When such a breach happens, the organisation can be fined for each act of non-compliance.

The fines under the CCPA are:

  • $2,500 per violation,

  • up to $7,500 per violation if intentional.

However, it is only possible to sue for a data breach in limited circumstances, such as where non-encrypted and non-redacted personal information was part of a data breach because the organisation failed to comply with the CCPA and did not take reasonable precautions. For other types of violations that do not involve a data breach, only the Attorney General can file an action. Such an action would not be on behalf of the individuals whose data was breached but rather for California residents as a collective, and it aims to rectify patterns of complaints and misconduct.


The GDPR is structured slightly differently, as penalties can be amassed for both non-compliance and data breaches. Here, the principle is to prevent a potential data breach in the first instance and, as such, administrative fines are levied. The GDPR can fine organisations up to EUR 20 million or 4% of annual global revenue, whichever is higher. More information on breaches of the GDPR and penalties can be found in our other blog post ‘6 Reasons SMEs get fined under the GDPR’.

Key Takeaway

The essential difference between the two laws is that the GDPR aims to prevent data breaches in the first instance and thus sets out stringent guidelines to help prevent future breaches. As a result, it is far more proactive than its Californian counterpart, which aims to react to breaches alone and imposes various hurdles before an action can be brought.


How Privasee can help you switch effortlessly from CCPA compliance to GDPR compliance

The Privasee platform can help you store and map your organisation’s data so that you know exactly what data you have, how long you have had it for and who it relates to. This can help you better understand where your data is located and any red flags within your data storage that you should become aware of. In transitioning from CCPA compliance to the GDPR, Privasee can support you through the lawful processing of data via features that prompt you to select under which legal basis you aim to process the data of EU citizens. It can also help you visualise which data is most likely to become subject to a data breach so that you can actively remedy any problems before a breach occurs.

Disclaimer

Privasee does not hold the above article to constitute legal advice in any form.

