Having trouble meeting the GDPR guidelines? Our free GDPR resource kit can help. Download here!
With data leaks popping up more and more often nowadays, strong privacy policies are more important now than ever before. Both the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are a testament to this, as both were created with the purpose of assuring strong data protection for the personal data of individuals from the businesses that collect, use, share, and transfer that data. Though we recently discussed some of the challenges companies could be facing in the near future, the impending CCPA could change things up significantly.
The CCPA is scheduled to go into effect on January 1st, 2020. GDPR, meanwhile, has already been in effect since May 25th, 2018 and has been indirectly influencing other countries to introduce similar data protection mechanisms across the globe.
Although the CCPA and GDPR share certain data protection requirements, there are also areas in which they differ, including:
- The scope of applicability
- The rights awarded to consumers
- The amount (and enforcement) of monetary penalties
Let’s take a look at how these laws differ when it comes to these three key aspects.
Scope: Personal, Territorial, and Material
GDPR has a broad scope; it includes businesses, public bodies, institutions, as well as non-profit organizations. CCPA, on the other hand, mostly covers businesses, and we have a threshold that helps determine which businesses can be covered under the law whereas GDPR does not. In terms of personal scope, CCPA defines the protection of “consumers” who are natural individuals and must be California residents. By contrast, GDPR signified we have “data subjects” who are individuals and it doesn’t clearly specify residency or citizenship requirements which can introduce more challenges for businesses.
Speaking about territorial scope, the GDPR extends its presence to a larger territorial scope than the CCPA. It can apply to corporations outside the EU if they offer any goods or services to or collect data of individuals within the EU. The CCPA is much simpler in this context and applies to businesses that do business in California.
In terms of material scope, the differences are quite simple. GDPR doesn’t exclude any specific categories of personal data and we have Personal and Sensitive Personal Information as such. The CCPA specifically excludes the following categories from its scope: medical information, information collected as part of a clinical trial, sale of information to or from consumer reporting agencies, and personal information under the Gramm-Leach-Bliley Act and the Driver’s Privacy Protection Act as well as publicly available personal information.
Rights Awarded to Customers
Let’s face it – individuals have more rights with GDPR and CCPA coming into effect. Both allow individuals to exercise their right to deletion (a.k.a. right to be forgotten) and both GDPR and CCPA specify that organizations must have mechanisms in place to ensure that requests made by a data subject/consumer whose personal information is to be deleted.
While a Data Subject Access Request (DSAR) can be made free of charge for the individual, it’s not so free and easy for an organization to identify an individual’s data across a vast amount of systems (on-premise, in the cloud, or hybrid) and ensuring the appropriate controls/request is met according to the 30 (GDPR) or 45 (CCPA) days allowed to respond. In the case of James Titcombe’s Freedom of Information request to the Nursing and Midwifery Council, the cost for this single request to information was estimated at about £239,871.85 (close to $315,000 USD).
In this regard, third-party solutions like AvePoint Compliance Guardian can help by automating Data Subject Access Requests in multiple sources with the capability to automatically discover data and respond to the right to erasure, right of access, and right to rectification.
Enforcement (and Monetary Penalties)
Both GDPR and CCPA allow for monetary penalties in the case of non-compliance, but the key difference is in the amount paid in monetary penalties.
GDPR may enforce administrative fines issued by the data protection authority in the vicinity of up to 4% of global annual turnover or €20 million, whichever is higher.
CCPA may enforce civil penalties issued by a court and, depending on the violation, it can be $2,500 for each violation and $7,500 for each intentional violation. What this means is, if a company sells the profiles of 1000 users who have asked that their information not be sold, the maximum penalty is $250,000, not $2,500.
As you can see, there’s a BIG difference in terms of the maximum penalty amount for non-compliance between the two. Although GDPR has been in effect for some time, though, we still haven’t noticed any stratospheric penalty amounts for significant breaches that have occurred recently. Having said that, loss of reputation can be a much bigger penalty than any administrative or civil penalties; it’s all about being transparent and maintaining the consumer’s trust.
How AvePoint Can Help
At AvePoint, we’ve accumulated plenty of experience working together with our European customers since the early days of GDPR. With AvePoint’s compliance solution, organizations can now:
- Respond to Data Subject Access Requests
- Build their own data inventory
- Automate Data Protection Impact Assessments
- Access comprehensive search across all enterprise data sources and automate data protection controls to prevent violations
Want to learn more about our award-winning Compliance Guardian offering and request a free demo? Visit our product page for more details.