CCPA vs. GDPR

February 26th, 2020
CCPA and GDPR. Two distinct regulatory acts with one joint mission: to protect user data. They’ve already gone into effect, both have penalties for not complying, and both acronyms can send a chill down your spine if you’re in charge of managing a website for a company they impact.
These two acts are similar in structure and purpose but have fundamental differences. Much like GDPR applies to anyone processing the personal data of people in the European Union (whether that business is located inside or outside the EU), the CCPA applies to for-profit businesses that do business in California and meet at least one of its thresholds: annual gross revenue over $25 million; buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or deriving 50% or more of annual revenue from selling consumers' personal information.

The CCPA (California Consumer Privacy Act) gives consumers in California explicit privacy rights, like:

  • The right to know what personal information is collected, used, shared, or sold;
  • The right to delete personal information collected by businesses;
  • The right to opt-out of their personal information being sold; and
  • The right to non-discrimination in price or service when a consumer exercises a privacy right under CCPA.

Similarly, the GDPR (General Data Protection Regulation) enforces data protection for individuals in the EU (data subjects, not only EU citizens), and protects the following privacy rights:

  • The right to be informed;  
  • The right of access;  
  • The right to rectification; 
  • The right to erasure (right to be forgotten);  
  • The right to restrict processing;  
  • The right to data portability;  
  • The right to object; and 
  • The right not to be subject to automated decision-making, including profiling.

Other key differences to know:

CCPA requirements to note

There are some major takeaways from CCPA to keep track of, like:

Notifications: Consumers must be notified that their data is being collected before or during data collection.

Notices: Businesses required to comply with CCPA must provide notice to consumers if they intend to sell their data:

  • “Selling” means: selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
  • Your homepage should have a clear link titled “Do Not Sell My Personal Information,” which points to an opt-out page. 
    • You should note that it’s completely legal to create a separate, California-specific homepage (so you can keep the “Personal Information” text off your US-focused homepage) as long as you take reasonable steps to ensure California Consumers are directed to the homepage with the CCPA text.
    • You’ll also need to update your privacy policy to share information about the foregoing link, a description of this right, and any California-specific description of your Consumers’ privacy rights.
Timing: Businesses must respond to consumer requests to know, delete, and opt-out within specific timeframes. The statute gives businesses 45 days to respond to requests to know and delete, extendable once by a further 45 days when reasonably necessary, provided the consumer is told about the extension; the Attorney General's regulations setting out the remaining timing details were still being finalized when this was written.
Identity verification: Businesses must verify the identity of consumers who request to know or delete their information (a request to opt-out of sale does not require verification).

Age restrictions: Businesses must not sell the personal information of consumers they know to be under 16 without affirmative opt-in consent: the consent of the consumer themselves for consumers aged 13 to 15, and the consent of a parent or guardian for children under 13. A business that willfully disregards a consumer's age is treated as having actual knowledge of it, so businesses will need a way to establish whether a California consumer is 16 or older before selling any data obtained from a minor.

Financial incentives: According to the OAG (the California Office of the Attorney General), “Businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information.”

Record maintenance: Businesses must maintain records of requests and how they responded for 24 months to demonstrate compliance. 

Privacy policy: Privacy policies must include a description of a consumer's rights to:

  • Request disclosure of the information collected;
  • Request disclosure of the information sold;
  • Non-discrimination for consumers who exercise CCPA rights; and
  • Opt out, along with a separate link to the “Do Not Sell My Personal Information” opt-out page.

Source: CCPA Fact Sheet

Checklist for becoming CCPA compliant

If your business meets the requirements for CCPA, you’ll want to ensure that:

  • You give visitors notice at or before the point of collection (commonly delivered through a cookie notice with an opt-in) of what is collected and why.
  • Your outbound communication has a clear opt-out option on all communications.
  • You’ve updated your homepage with a link titled “Do Not Sell My Personal Information,” which points to an opt-out form.
  • You’ve updated your privacy policy.
  • You’ve received affirmative opt-in consent before selling the personal information of anyone under 16 (from the consumer at ages 13 to 15, from a parent or guardian under 13).
  • You create a process for responding to opt-outs in a timely manner. 
  • You’re disclosing any financial incentives and how the value was calculated. 
  • You create a system for maintaining accurate records of requests and responses. 
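The opt-out, identity-verification, timing, and record-keeping items in the checklist above can be enforced in one small piece of request-handling logic. The following is an added example, not code from the original post or from FFW: a ledger for consumer requests that fulfils opt-out requests immediately without verification, refuses to fulfil requests to know or delete until the consumer has passed an out-of-band challenge, flags requests that have passed their response window, and prunes closed records only after the retention period. The 45-day window, the 730-day retention figure, the single-use token challenge, and all field and function names are assumptions for illustration, not the statute's or any regulator's text.

```python
"""Added example: a CCPA request ledger enforcing the checklist items.
Timeframes, names and the verification method are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

RESPONSE_WINDOW = timedelta(days=45)    # assumed response window for know/delete
RECORD_RETENTION = timedelta(days=730)  # 24 months, approximated as 730 days


@dataclass
class Request:
    request_id: str
    consumer_id: str
    kind: str                    # "know", "delete" or "opt_out"
    received_at: datetime
    verified: bool = False
    status: str = "open"         # "open" or "fulfilled"
    closed_at: Optional[datetime] = None

    @property
    def due_at(self) -> datetime:
        return self.received_at + RESPONSE_WINDOW


class RequestLedger:
    def __init__(self) -> None:
        self.requests: Dict[str, Request] = {}
        self.do_not_sell: Set[str] = set()        # consumers who opted out of sale
        self._challenges: Dict[str, bytes] = {}   # sha256(token) per open challenge

    def submit(self, consumer_id: str, kind: str, now: datetime) -> Request:
        if kind not in ("know", "delete", "opt_out"):
            raise ValueError(f"unknown request kind: {kind}")
        req = Request(secrets.token_hex(8), consumer_id, kind, now)
        self.requests[req.request_id] = req
        if kind == "opt_out":
            # Opt-out of sale needs no identity verification: honour it at once.
            self.do_not_sell.add(consumer_id)
            req.status, req.closed_at = "fulfilled", now
        return req

    def issue_challenge(self, request_id: str) -> str:
        """Return a one-time token to deliver out of band (e.g. to the email on
        file). Only its hash is stored, so a leaked ledger yields no usable token."""
        token = secrets.token_urlsafe(16)
        self._challenges[request_id] = hashlib.sha256(token.encode()).digest()
        return token

    def verify(self, request_id: str, token: str) -> bool:
        """Consume the challenge for this request; a wrong answer burns it."""
        expected = self._challenges.pop(request_id, None)
        if expected is None:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        ok = hmac.compare_digest(expected, presented)
        if ok:
            self.requests[request_id].verified = True
        return ok

    def fulfil(self, request_id: str, now: datetime) -> Request:
        req = self.requests[request_id]
        if req.kind in ("know", "delete") and not req.verified:
            raise PermissionError("identity not verified for request to know/delete")
        req.status, req.closed_at = "fulfilled", now
        return req

    def overdue(self, now: datetime) -> List[Request]:
        """Open requests whose response window has already passed."""
        return [r for r in self.requests.values()
                if r.status == "open" and now > r.due_at]

    def prune(self, now: datetime) -> int:
        """Drop closed records older than the retention period; keep open ones.
        The do-not-sell flag is kept regardless, since the opt-out still stands."""
        stale = [rid for rid, r in self.requests.items()
                 if r.closed_at is not None and now - r.closed_at > RECORD_RETENTION]
        for rid in stale:
            del self.requests[rid]
            self._challenges.pop(rid, None)
        return len(stale)
```

The ledger deliberately keeps the do-not-sell set separate from the request records: records age out after 24 months, but a consumer's opt-out must keep being honoured until they opt back in. In a real deployment the challenge token would be delivered to a contact method already on file, not to whatever the requester supplies, and the ledger would be persisted rather than held in memory.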

Feeling overwhelmed, perplexed, or even downright scared of these recent laws?

You’re definitely not alone. Many businesses across the board are still confused about what they need to do to be compliant, especially with CCPA. To get the latest information on CCPA and how it will impact your website needs, drop us a line.

Contact FFW if you need a website update made ASAP.

Author

Kayla Eidenbrook

Marcom Specialist