2018 was a busy year in the world of data regulation. GDPR came into effect within the European Economic Area (EEA) in May, and on the other side of the Atlantic, the State of California passed its own response to rising data privacy concerns in the form of CCPA, the California Consumer Privacy Act, which will take effect in January 2020.
Defining Personal Information
With a population of almost 40 million in California compared to an estimated 515 million in the EEA, the primary difference between these two sets of regulations is obviously their scope. GDPR applies to all companies and organizations that collect and process personal data within the EEA, regardless of the citizenship or location of users. CCPA, on the other hand, will apply to businesses operating in California that post an annual revenue above $25 million, or, more importantly, those whose primary business function involves the buying, selling, transfer, or sharing of personal information for commercial purposes.
Personal information, under the California Civil Code, is defined as:
“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o)(1)
Similar to the GDPR verbiage, this definition can be broadly interpreted, and should be, in order to ensure complete regulatory compliance. Although CCPA is specifically focused on consumers and businesses in California, its definition of personal data and the rights it grants to the individuals that data describes are protected in a similar way to GDPR.
The Rights of Individuals
Both GDPR and CCPA include a litany of individual consumer and user rights that cover the same general concepts:
Ensuring Total Compliance
The big takeaway for data collectors and processors is that a proactive approach is essential to staying ahead of emerging regulations. Both GDPR and CCPA are only the beginning of a larger trend of sweeping data regulation that is sure to continue as consumers become more privacy-focused. Beyond knowing the ins and outs of the regulations themselves, this means being transparent with panelists about how data is collected and used, and communicating that information clearly. In addition, companies can demonstrate their commitment to information security and privacy through external accreditation, such as achieving ISO 27001 certification.
At the end of the day, regulations such as CCPA and GDPR have the same goal: to give consumers the power to control the data that they create. Companies and organizations that base their operation on this data are held responsible not only to the regulations, but to the consumers themselves who make their businesses possible.