The CCPA takes into account a broader approach to what constitutes sensitive data compared to GDPR. The newly enacted law covers olfactory information, browsing history as well as records of a visitor’s interactions with a website or application. Here is a general round up of what CCPA classifies as personal information:
Furthermore, companies have 30 days to comply with the law once regulators inform them of a data violation. Then, if the issue is not fixed, a fine of up to $7,500 per record is placed.
“If you think about how many records are affected in a breach, it really increases very quickly,” Debra Farber, senior director for privacy strategy at BigID
adds.
How does the CCPA compare to other privacy laws?
CCPA is often being referred to as “GDPR-lite”, in terms of the similarity that this law has to the EU’s General Data Protection Regulation (GDPR), which was enacted in
May 2018.
However, this newly enacted law differs from GDPR in terms of the scope of application, the nature and extent of collection limitations and also regarding the rules concerning accountability. The GDPR imposes the appointment of a
Data Protection Officer (DPO), maintaining a register of processing activities and also stresses the need for a Data Protection Impact Assessment in certain circumstances. On the other hand, the CCPA does not focus a lot on accountability, even though such provisions exist. An example of such provisions can be the requirement for companies to train their employees that deal with requests from consumers.
GDPR has a broader scope, meaning that it affects all businesses that handle user data, whereas CCPA applies only to companies that have a gross revenue of over $25m, have more than 50,000 customers and a revenue of 50% or more based on user data.
Also, CCPA gives the chance to users who do not want their data to be sold for more explicit “opt out” options. Thus, companies must include a “Do Not Sell My Personal Information” link on their websites. On the other hand, under the GDPR, companies are not necessarily required to get user consent to collect and use their data as long as there are other valid “lawful basis” for processing.
Additionally, another difference lies in terms of collecting children’s data. Under the GDPR, parents must provide consent for data processing of children that are under the age of 16, whereas CCPA requires companies to get consent from parents of children ages 13 and under, while children that are older than 13 are able to give their own consent.
On a final note, considering the latest developments in data privacy management, it is inevitable that privacy laws and frameworks such as the GDPR, the CCPA, and others are enacted. Data mishandling, the lack of confidentiality, authorization are only some of the many concerns that consumers have regarding their personal information. With that being said, it is of utmost importance that companies follow these crucial laws and build secure frameworks so that consumers can feel safe in terms of the daily usage of online platforms.
