As high-profile data breaches have affected both individuals and the businesses responsible for keeping information safe, strict data privacy laws have been introduced around the world.
In 2018, the EU’s General Data Protection Regulation (GDPR) came into effect, followed by the California Consumer Privacy Act. These regulations affect businesses in different ways, based on where you and your customers are located.
What is GDPR?
The EU's General Data Protection Regulation took effect on May 25, 2018, to protect the privacy of individuals within the union. It regulates how businesses collect, store, share, process, and delete personal data, and on what legal basis they may do so. Personal data covers any information relating to an identifiable person, from a consumer's name, address, bank details, and IP address to special categories such as racial origin or religious belief, which receive extra protection.
How does it affect your business?
This regulation does not only affect businesses established in the EU. Any business that processes the personal data of individuals in the EU while offering them goods or services, or monitoring their behaviour, must also comply. That means a company with no office or transactions in the European Union still has to comply if it has customers or users located there.
Compliance with GDPR is a challenging process for companies of all sizes, and failing to comply can result in financial penalties of up to €20 million or 4% of annual worldwide turnover, whichever is higher. So you need to ensure your entire staff understands the importance of GDPR compliance, take an inventory of the personal data you handle, and conduct an information audit if necessary.
What is CCPA?
The California Consumer Privacy Act followed shortly after the GDPR, going into effect on January 1, 2020.
It gives California residents the right to know what personal information businesses collect about them and how it is used and shared, the right to have it deleted, and the right to opt out of its sale. It also bars businesses from discriminating against individuals for exercising those rights.
How does it affect your business?
This regulation applies to for-profit companies outside California as long as they do business in the state, even if only online.
You will need to adhere to the regulation if you have gross annual revenue of more than $25 million, buy, sell, or share the personal information of 50,000 or more California residents, households, or devices, or derive 50% or more of your annual revenue from selling California residents' personal information. Note that the CPRA amendments in force since January 1, 2023 raised the 50,000 threshold to 100,000 consumers or households and count "sharing" alongside selling.
GDPR vs CCPA: What to know
When it comes to GDPR vs CCPA, there are some key differences to keep in mind.
Under GDPR you need a lawful basis to process personal data, and consent is only one of several (others include performance of a contract and legitimate interests); that basis must be established before collection. Under CCPA, by contrast, collection is permitted by default but you must let consumers opt out of the sale of their data. Also, remember that while CCPA only covers for-profit businesses, GDPR covers nonprofits and public institutions as well. GDPR imposes hefty fines for non-compliance of any kind, including data breaches. CCPA also provides for regulatory civil penalties for any violation, but its private right of action, which lets consumers sue for statutory damages, is limited to data breaches resulting from a failure to maintain reasonable security.
With GDPR generally considered the stricter of the two, the consensus is that a GDPR-compliant business should find CCPA compliance easier to reach, although the opt-in versus opt-out models mean the mapping is not one to one.
Wherever you operate, it is imperative to put strong processes in place to maintain data privacy. Check your privacy protocols and make sure they support consumers' rights. Ensure that you can locate, export, and delete a consumer's personal data on request within the statutory deadlines (one month under GDPR, 45 days under CCPA, each extendable in limited circumstances), which in practice requires an up-to-date inventory of where that data lives. It is also wise to designate an individual or team responsible for data privacy compliance as requirements and technology evolve.