What to do for the CCPA if you’re already GDPR compliant
With the California Consumer Privacy Act (CCPA) about to come into force on January 1, 2020, it’s time for all liable organizations to hit the gas on compliance. If you haven’t started yet, you should be aware that failure to comply could result in financial penalties in the form of damages paid to consumers and/or fines paid to the state.
Luckily, a fair number of organizations in California that fall under the scope of the CCPA have already encountered something like it in Europe’s General Data Privacy Regulation (GDPR). In fact, the GDPR is in many ways a parent legislation to the CCPA, heavily influencing its drafting and development.
For organizations that are already GDPR compliant, that means a simpler, quicker and cheaper road to CCPA compliance. But be careful: the GDPR and CCPA are not identical by any means. You absolutely must dedicate some time, energy and resources to understanding the CCPA and bringing your organization into compliance with its stipulations.
But what are they exactly? If you’re already GDPR compliant, what’s left to do? Let’s discuss three key differences in these regulations and how they impact the actions you’ll have to take to become CCPA compliant:
- Scope
One of the most obvious differences is which organizations these regulations target and which consumers they are meant to protect. The GDPR applies to any and all organizations (be they based in the EU or abroad) that process the data of Europeans. The CCPA targets only for-profit, California-based businesses and Californian consumers. This is why businesses like yours can be expected to comply with both sets of regulations.
And what does this mean for what’s required of you? You will have to map your data and processes regarding Californian consumers. You already did it for the GDPR, and the mapping required in Europe is usually similar if not identical for that required for the CCPA. Now you just need to follow the same process in California, creating a map of what’s being saved where and the processes involved.
- Privacy policies
California law already requires that companies maintain written privacy policies. The GDPR does as well, but gets detailed about how such policies should look and how they should be made available to consumers. The CCPA doesn’t include such strict stipulations, but does require that you issue an update to your privacy policies at least once every 12 months. Generally speaking, the privacy policy you established to meet the needs of the GDPR will fulfill the requirements of the CCPA as well. Now you need to put a protocol in place to review and update it every year.
- Opt-in/opt-out
While both pieces of legislation aim to put more power in the hands of consumers when it comes to the data they generate online, but they do it in slightly different ways. The GDPR requires that consumers knowingly opt-in to having their personal data collected and used, whereas the CCPA requires that consumers have the option to opt-out of these activities.
That means taking the opt-in mechanism you established for European consumers and applying it with small adjustments to meet the opt-out nature of the CCPA to your Californian consumers.
Generally speaking, the GDPR is more ambitious than the CCPA, creating a situation in which many aspects of GDPR compliance will more than fulfill the stipulations of the CCPA. However, there are several small differences, like those detailed above, that require action on your part. Luckily, as we can see in cases where differences exist, being GDPR compliant will be a huge advantage as you approach the CCPA.
Whatever the case may be, your first step towards CCPA compliance should be the performance of a gap analysis and defining precisely in what ways your organization needs to adjust the CCPA. The best way forward is always to consult with compliance experts to avoid mistakes and give yourself some valuable peace of mind.
