From CCPA to GDPR compliance: what your organisation needs to think about

From CCPA to GDPR compliance: what your organisation needs to think about

Share this content

If your organisation currently operates in California, it is likely that you are already compliant with the California Consumer Privacy Act (CCPA). Whilst this takes you one step closer to being compliant with the EU General Data Protection Regulation (GDPR), there are a few extra processes and checklists that your organisation must go through to be fully compliant. In essence, the GDPR is the stricter cousin of the CCPA and more work needs to be done on your end.

CCPA Background

In 2018, the European Union passed the General Data Protection Regulation (GDPR) to protect its citizen’s data rights. This transformed the way companies are able to handle the personal data of data subjects and the far-reaching consequences of breaching this regulation. It is the most comprehensive data regulation of its kind and has a wider scope in comparison to the CCPA.

The CCPA was introduced in January 2018 within the State of California, went into effect in January 2020 and was enforced on 1st July 2020, affecting businesses operating in California that collect personal information of California consumers.

How organisations can go from the CCPA to GDPR in a few simple steps:

  1. Understanding the different scope of application
  2. Understanding the different scope of protection
  3. Understanding data breaches and penalties

By way of introduction, there are a few basic similarities and differences between the two regulations that should be highlighted from the outset.

Where the GDPR applies to all organisations irrespective of whether it is a charity or for-profit, the CCPA only applies to for-profit entities. Whilst the two legislations both cover natural persons, the GDPR covers all data subjects, regardless of citizenship, whereas the CCPA only applies to California residents and ‘households’ which under the CCPA are deemed as ‘consumers’. The term household thus means that it extends beyond a data subject or natural person, which differs from the term of data subjects alone that is covered by the GDPR. Overall, this shows a substantial difference in approach yet the effects of the identifiable natural person is broadly similar.

Below are the further similarities and differences that your organisation should take note of to go from CCPA compliance to GDPR compliance.

Scope of application

When comparing the two regulations, the difference in their scope of application means that an organisation that is CCPA compliant will have to take extra steps to be compliant with the GDPR. This is because the GDPR applies to all types of organisations that deal with personal data from within the EU whilst the CCPA only applies to organisations that meet the following criteria:

  • Are for-profit;
  • has over $25 million in annual gross revenue; or
  • Derives more than 50% of its revenue from selling consumers’ personal information; or
  • Shares (buying or selling) the personal information of over 50,000 consumers, households or devices for commercial purposes

The processing under the CCPA is also only limited to Consumers who are natural residents of California and organisations that operate within California whereas the GDPR refers to data stemming from all data subjects, irrespective of residence, and geographical scope.

Key Takeaway

The scope of the GDPR is much broader than the CCPA as it regulates data controllers and processors that are both established within the EU and those that are not established within the EU so long as it processes EU data subject’s data to offer goods and services.

Scope of Protection

The signature difference between the CCPA and the GDPR is how they allow data subjects to manage and control how much of their data is being collected.

The GDPR operates on a legal basis for processing data so that as long as the organisation can show that it is processing data lawfully, it may continue to do so. That is unless it uses user consent as a legal basis for processing data in which case, a clear ‘opt in’ mechanism is required. The GDPR also has certain opt-out methods such as the withdrawal of consent for processing activities and the processing of data for marketing activities.

The CCPA on the other hand adopts an all-encompassing ‘opt out’ approach where organisations must make available a link that says “Do Not Sell My Personal Information” in a clear manner on their website. The organisation must then wait 12 months before it can ask the user for re-authorisation.

Key Takeaway

For CCPA compliant firms, the GDPR is substantially different in the way it treats the protection of data rights and how data is to be lawfully processed. As such, organisations will need to familiarise themselves with the legal grounds for processing data and the lawfulness of processing under the GDPR and understand where certain ‘opt-out’ mechanisms must be adopted.

Data breaches and Penalties

For non-compliance with the CCPA, there are no penalties until a data breach occurs. When such a breach happens, the organisation can be fined for each act of non-compliance.

The fines under the CCPA are:

  • $2,500 per violation,
  • up to $7,500 per violation if intentional.

However, it is only possible to sue for a data breach in limited circumstances, such as if non-encrypted and non-redacted personal information was part of a data breach due to the organisation’s failure to comply with the CCPA and not taking reasonable precautions. For other types of violations that do not involve a data breach, only the Attorney General can file an action. Such an action would not be on behalf of individuals who have their data breached but rather for California residents as a collective and aims to rectify patterns of complaints and misconduct.

The GDPR is structured slightly differently as penalties can be amassed for both non-compliance and data breaches. Here, the principle is to prevent the potential of a data breach in the first instance and as such, administrative fines are levied. The GDPR would fine organisations up to EUR20 million or 4% of annual global revenue, depending on whichever is highest. More information on breaches of GDPR and penalties can be found in our other blog post ‘6 Reasons SMEs get fined under the GDPR’.

Key Takeaway

The essential difference between the two legislations is that the GDPR aims to prevent data breaches in the first instance and thus sets out stringent guidelines to help prevent future breaches. As a result, it is far more proactive than its Californian counterpart, which aims to react to breaches alone and requires various hurdles before actions can be sought.

How Privasee can help you switch effortlessly from CCPA compliance to GDPR compliance

The Privasee platform can help you store and map your organisation’s data so that you know exactly what data you have, how long you have had it for and who it relates to. This can help you better understand where your data is located and any red flags within your data storage that you should become aware of. In transitioning from CCPA compliance to the GDPR, Privasee can support you through the lawful processing of data via features that prompt you to select under which legal basis you aim to process the data of EU citizens. It can also help you visualise which data is most likely to become subject to a data breach so that you can actively remedy any problems before a breach occurs.

Disclaimer

Privasee does not hold the above article to constitute legal advice in any form.

Sources and other articles

https://iapp.org/media/pdf/resource_center/CCPA_GDPR_Chart_PracticalLaw_2019.pdf

https://oag.ca.gov/privacy/ccpa

https://fpf.org/wp-content/uploads/2018/11/GDPR_CCPA_Comparison-Guide.pdf

May 6, 2021

Frequently asked questions

Do I need to connect all my tools and third parties?

We never have access to any of your data, our platform is able to scan each tool and provide recommendations without needing to access any of the data within those tools.  There's no need for your dev' team to do anything, there are no security risks, just tell us the tools you use and we will do the rest.

What is the scope of my privacy policy?

Our policies are not just about my website or service. Once set up, our platform will help you map-out internal and external processes, such as HR, finance, and more!

Do I need to replace my current policy for the privacy portal?

We recommend replacing your current policy with our policy, this way you’ll remain compliant as your business changes and as the laws update.

Do I need help filling out my details?

Setting up is easy, just follow the on-screen commands and go through a few short steps to add your tools. You don't need any technical ability, anything you don't know the answer to you can ask us via our live chat or add later.

Why can’t I just use a template and add it to my website myself?

A template will not be applicable to your particular business as there are many things to consider for each tool you use. Also the template will not automatically update when changes happen in your business and when changes to GDPR laws are released. This can leave you vulnerable to breaking GDPR laws.

What if you don’t have the tools and third parties that I have?

We have a huge selection of tools pre-loaded and anything you don't see you can add directly from the platform as well as mapping data for any custom software you may use.

Which plan should I choose?

Our Essential Plan is perfect for people just getting started, small businesses, self-employed people and early stage companies. It allows you to get set up and start making your site GDPR compliant. You can move to our pro plan when you grow and your needs become more complex.

Our Pro Plan is aimed at SMEs and is our most popular plan as it includes everything you'll need such as a cookie banner, multiple languages as well as dedicated support.

Our Agency Plan is aimed at businesses that operate with clients needing GDPR solutions. The plan allows you to onboard clients as well as benefit from the Pro Plan for your own site.

Our Enterprise Plan is our most customisable and inclusive plan aimed at large, corporate businesses. We will essentially build you a bespoke plan with full maintenance support, onboarding classes and full company-wide access.

Feel free to get in touch to discuss our GDPR Compliance Software solution.

How easy is it to set up?

Signing up is super easy. The platform will ask you a few basic questions and then you can add your tools - don't worry if you don't know them all, you can come back and add tools at any point. The platform will then generate you the correct privacy policy based on your information, you can there share it directly on your site. That's it!

What size companies is Privasee aimed at?

Privasee has a plan for smaller companies as well as larger enterprise companies. For companies small to medium you can signup directly. For bigger enterprise companies get in touch with your requirements and our team will build you a bespoke plan.

I already have a privacy policy, do I need Privasee?

You have a legal responsibility to keep your policy up to date with every change in legal requirements for every tool you have. With Privasee you are always covered.

Still have questions?

We are here to help