A Glimpse into the GDPR and the California Consumer Privacy Act of 2018
The General Data Protection Regulation (GDPR) passed in the EU on April 14, 2016 and took effect on May 25, 2018. It has since influenced places in the USA, such as California, which proposed the California Consumer Privacy Act of 2018 (AB-375) to start forcing companies to be more transparent about how they use a consumer’s personal information.
There are many differences between the GDPR and the California Consumer Privacy Act. Both call attention to how companies collect, use, and sell personal data online, but that is where the similarities stop. GDPR goes much more in depth and holds companies more accountable for the use of personal information, especially if it is collected without the consent of the consumer. The California Consumer Privacy Act of 2018, by comparison, only holds companies accountable once the consumer goes through a maze of paperwork and phone calls to request that a company stop selling their data to third parties.
What is the GDPR?
In brief, GDPR is the new and modern foundation for data protection law in the EU, regulating how companies collect personal data from consumers. GDPR claims in Article 1 Section 1 to protect “natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.” GDPR states in Recital 1 that the protection of natural persons and their personal information is a fundamental right. It replaces the old data protection law that had been the online framework since 1995. GDPR is 88 pages in length; 31 of those pages contain 173 recitals that act as a preamble to the actual regulation. The regulation itself is 11 chapters long with a total of 99 articles that detail and define how companies may collect personal data.
What is Personal Data?
Art. 4 para. 1 no. 1 GDPR defines personal data as:
“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
Data Collection & Lawful Basis
Under GDPR a company can collect a user’s data only on a lawful basis, which means the reason for collecting a user’s personal data must be one that the law recognizes. Currently, there are six lawful bases:
» When an individual gives clear consent for a company to collect their data.
» When a contract has been issued and data processing is required to fulfill the agreement between a business and a consumer.
» When collection and processing are required to comply with the law.[1]
» Vital interests: when collecting and processing data would be vital for saving the life of another.
» When it would be in the best interest of public service to collect data.
» When and if a business can prove it has a justifiable reason for collecting and using customer data.[2]
[1] Does not include contractual obligations.
[2] Including “for business purposes”, which has been criticized for its vague definition.
GDPR requires companies that collect and handle personal data to obtain consent from consumers for the collection of personal and identifiable information and to give them the option to opt out. Companies have to make the option to opt out clear and free of legal jargon; it must be written in a way that the common person can read, understand, and use to decide for themselves whether to give consent or opt out.
Companies cannot charge a consumer who chose to opt out more, or treat them and their transactions with less care.
Did you know?
GDPR is not solely for EU and UK companies. Even companies outside of the EU that have collected data from EU citizens have to comply with GDPR.
How Does GDPR Affect Companies?
The maximum fine for noncompliance is:
» $24 Million
» €20 Million
» £17 Million
If a data leak happens, a company has a maximum of 72 hours to report it or fines will be imposed.
What is the California Consumer Privacy Act of 2018 / AB-375?
The California Consumer Privacy Act (CCPA), if passed, would take effect as of January 1, 2020. Ever since the scandal with Cambridge Analytica, in which tens of millions of people had their personal information mishandled and abused, the safety of consumers’ personal information has been a hot topic. The CCPA is an attempt, like the GDPR, to regulate how companies share, sell, and purchase a person’s personal information online. But that is really where the similarities stop.
Personal information in the CCPA’s definition would include aspects similar to the GDPR’s, with the addition of a California state ID or driver’s license number.
Unlike the GDPR, the CCPA would only apply to California residents while they remain within California. If a Californian makes his or her way to, say, New Mexico, their personal information would no longer be “in protection” of the CCPA.
The CCPA states in Section 2 paragraph (b):
“Since California voters approved the right of privacy, the California Legislature has adopted specific mechanisms to safeguard Californians’ privacy, including the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and Shine the Light, a California law intended to give Californians the ‘who, what, where, and when’ of how businesses handle consumers’ personal information.”
What does the CCPA mean by “a California law intended to give Californians the ‘who, what, where, and when’ of how businesses handle consumers’ personal information”?
“A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.”[3]
Unlike under GDPR, a business in California can collect a consumer’s personal data without their consent as long as the business informs them that it is collecting the information. If requested, the company needs to tell the consumer what information it collected, and if the company sells personal data for “business purposes”, the business (again, only if requested) would have to inform the consumer whom it sold the information to and what information was sold.
Under the CCPA, businesses don’t even have to give consumers the option to opt out. In fact, the only way Californians can opt out and learn the who, what, where, and when of their personal data is to send a request to the company, which has a full 45 days to get the information to the consumer. The business could extend the 45 days by another 45 days, as long as it informs the consumer within the first 45-day period.
[3] Section 3. TITLE 1.81.5. California Consumer Privacy Act of 2018 (b).
The term “business purposes” has been criticized as having a vague meaning, but it is said to be aimed at companies that deal with programmatic processes, such as:
» Viewability verification
» Ad serving
» Impression measurement
What’s the difference between the GDPR and the CCPA?
The basic difference between the GDPR and the CCPA is that within California, citizens have the option to request more transparency from companies regarding their personal data, whereas the GDPR requires companies to be transparent about the personal data they collect.