Two Birds with One Stone: Tackling the California Consumer Privacy Law & GDPR at the Same Time Pt 2
Updated: May 16, 2019
In our last post, we compared how the CCPA and GDPR differ conceptually. Today, we’ll look a the two systems in light of How CCPA compares to GDPR.
A comparison of CCPA with GDPR indicates some similarities. Both CCPA and GDPR apply to companies outside their borders. They share goals of access and transparency toward consumers. Both laws will cause companies great expense to comply with the new rules.
There are more differences, however, than similarities. GDPR has broader consumer rights, such as the right to be forgotten, the right to correct data collected, and the right not to be subject to automated processing decisions. CCPA does not include those rights.
Important: GDPR provisions are broader than the CCPA but do not devour it. For example, GDPR permits an "opt-out" provision so that consumers have control over the processing of their consumer information. CCPA does not have such a broad "opt-out" provision but provides a more limited "opt-out" for consumers who do not want their data sold to third parties. Companies subject to both laws will have to analyze how they can adapt their compliance strategies to the various consent and opt-out/opt-in provisions in the laws.
What companies need to do to comply. Companies will most likely need to revise existing administrative policies, as follows:
Make sure staff is aware of the rules under both new laws and how they apply in the ordinary course of business.
Identify an officer level position responsible for data protection and staying ahead of all legislative changes.
Insist on collaboration between marketing and fund-raising departments to ensure compliance with EU requirements with respect to non-profit organizations.
Inventory and prepare records of all personal data collected about California and EU residents.
Update privacy policies every 12 months to reflect new CCPA consumer disclosure request requirements.
Prepare to comply with all consumer requests for data access, deletion, and opt-out requests related to data sharing under CCPA and data correction and automated processing decisions under GDPR. GDPR allows residents to revoke permission to collect data at any time. Prepare parental consent forms for data sharing related to minors under CCPA.
Keep records of all information sources, data storage areas, data usage, and who received shared data. Keep GDPR personal data only as long as necessary and for reason collected.
Provide method for California and EU residents to request data access (e.g., a phone number).
Add an eye-catching CCPA "DO NOT SELL MY PERSONAL DATA INFORMATION" link to website homepage.
Consumer protection of personal data that moves cross-borders is the way legislation is moving these days. The more you can consolidate CCPA and GDPR compliance now, the less chance you will find yourself playing catch-up the next time changes come around.
To talk more about CCPA and GDPR, or anything else, please contact us. We are your resource for all your questions about using digital information to improve customer satisfaction, innovation, and managing risk.