GDPR vs. CCPA – What You Still Need to Do to Comply
Here’s a heads-up to all CMOs and marketing directors! Think your hard work to comply with the General Data Protection Regulation (GDPR) guarantees easy compliance with the California Consumer Privacy Act (CCPA)? Think again. With the new California law, most GDPR-compliant companies have significant additional work to do to prepare for the CCPA deadline of January 1, 2020. Even worse, many don’t yet realize they have a new CCPA deadline.
Here are just a few of the ways in which the CCPA differs from the GDPR — along with some suggestions about how to meet the new CCPA deadline.
GDPR vs. CCPA at a Glance
| | GDPR | CCPA |
|---|---|---|
| Consumer communication | Requires consent (or another lawful basis) before personal data is collected, and transparency about how it will be used. | Requires designated channels, at minimum a toll-free number and, if the business has one, a website, through which consumers can ask what is collected and exercise their rights. |
| Definition of personal data | Any information relating to an identified or identifiable natural person: name, address, phone number, and also online identifiers such as IP addresses. | Expands the definition to cover information that could reasonably be linked to a household as well as to an individual consumer, including inferences drawn from that data. |
| How deletion requests are handled | Erasure can be requested for any personal data the controller holds, whatever its source, subject to the Article 17 grounds. Requests must be handled without undue delay and within one month (extendable by two further months). | Deletion can be requested only for personal information the business collected from the consumer directly. Requests must be handled within 45 days (extendable once by a further 45 days). |
| How data is sold | No dedicated "sale" right; disclosure to a third party is processing that needs a lawful basis and must be described in the privacy notice. | Businesses must tell consumers that their data is sold and give them a right to opt out of the sale. |
| Can a deletion request be refused? | Only on the limited Article 17(3) grounds, such as a legal obligation, public interest or public health, archiving and research, or legal claims. | Yes, on a broader set of grounds, for example when the data is needed for security purposes, to complete a transaction between the consumer and the business, or for a valid public purpose. |
Below are the detailed explanations of each row in the preceding table.
Consumer communication
The GDPR requires that companies obtain consent (or establish another lawful basis) before collecting personal data and tell data subjects how it will be used. The CCPA goes further by requiring companies to provide designated channels through which consumers can ask how their data is being used. Specifically, a business must offer at least two methods for submitting requests, including at minimum a toll-free telephone number and, if it maintains a website, a web address, so that California residents can easily request a report of what personal information is collected, where it comes from, and the purposes for which it is used. The report must be delivered in a portable and, where technically feasible, readily usable format so the consumer can pass it on to another entity without hindrance. Consumers can use the same channels to request that their data be deleted, which we cover below.
The definition of personal data
The CCPA expands the definition of personal information to cover households, not just individuals. It protects information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly” with a particular consumer or household. That reaches data such as the IP addresses and voice search history of connected devices in the home, as well as inferences drawn from such data to build a profile of the consumer’s preferences, attitudes, intelligence or psychological trends. The GDPR definition is anchored to an identified or identifiable natural person: it covers the obvious identifiers such as name, birthdate, location and national ID numbers, and also online identifiers like IP addresses, but it has no notion of household data. A final distinction is that the CCPA excludes “publicly available” information, meaning information lawfully made available from government records, whereas the GDPR has no such carve-out.
How organizations sell data
The CCPA establishes new requirements around selling personal information for commercial purposes. It requires businesses to inform consumers that their data is sold to third parties and to give them a clear way to opt out of the sale (a “Do Not Sell My Personal Information” link). The GDPR has no equivalent sale-specific right: a sale or other disclosure to a third party is simply another processing activity that needs a lawful basis and must be described in the privacy notice. An organization already in compliance with the GDPR therefore still needs to build the CCPA notice and opt-out mechanism. Under both regimes, data that has genuinely been anonymized or deidentified falls outside the rules and can be sold without the consumer’s permission. Be careful with that word, though: the CCPA’s “deidentified” standard requires that the data cannot reasonably identify or be linked to a particular consumer, and the business must also maintain technical and procedural safeguards against reidentification, so a dataset that marketing considers “anonymized” does not automatically qualify.
How data deletion requests are handled
The CCPA sets different data deletion requirements from the GDPR in scope, timing, and exceptions. It gives consumers the right to have a business delete the personal information it has collected from them, and the business must act on a verifiable request within 45 days (extendable once by a further 45 days) or risk enforcement by the California Attorney General. The scope is narrower than under the GDPR: consumers cannot demand that a business delete all data it holds about them, only what the business collected from the consumer directly. The GDPR’s right to erasure applies to any personal data the controller holds about the data subject, whatever its source, subject to the Article 17 conditions, and the controller must act without undue delay and at the latest within one month (extendable by two further months for complex requests), not 45 days.
Another area where the two laws differ is the circumstances in which an organization can refuse to delete consumer data. The exceptions are far broader in the CCPA than in the GDPR. The GDPR permits refusal on a short list of grounds in Article 17(3): freedom of expression, compliance with a legal obligation, public interest or public health tasks, archiving and research purposes, and the establishment or defense of legal claims. Under the CCPA, a business can refuse if the data is needed to complete the transaction with that consumer, to detect security incidents or debug errors, for research or public interest purposes, for internal uses reasonably aligned with the consumer’s expectations, or to comply with a legal obligation. Some opponents of the CCPA argue that this long list of exceptions effectively eliminates a consumer’s ability to have data deleted.
GDPR-compliance is not CCPA-compliant by default
While the GDPR and the CCPA share the common goal of protecting consumer data, their rules, limits, and exceptions differ greatly. An organization that is GDPR-compliant is not CCPA-compliant by default. Across the board, CMOs, marketing directors, and other marketers should take a close look at the data they collect, how it is used, and what the cost and liability of storing, selling or using that data really is.
Also, to help keep businesses informed on the evolving interpretation and implementation of the CCPA, Treasure Data has issued blog updates on privacy, including the CCPA. Here are several related blogs in our series on CCPA, GDPR and customer data protection:
- The California Consumer Data Privacy Act – 3 Steps Marketers Need to Take NOW
- Customer Personalization and Data Privacy: 6 Facebook Takeaways for CMOs
And if you’re looking for automated ways to make the compliance process more efficient, consider tools like Treasure Data’s Customer Data Platform, which helps marketers see which data they are collecting is really necessary to tell the story of their customer’s journey, and which might be an excessive, expensive liability. Many organizations find they can save themselves the time and resources needed to address customer data report requests or data deletion requests under the CCPA — simply by not collecting as much data, but making sure that what is collected is high-quality and usable for marketing purposes.