In 2018, the business world shuddered as the General Data Protection Regulation (GDPR) came into full force. More shuddering is expected shortly with the California Consumer Privacy Act (CCPA) going into effect on January 1, 2020 – with enforcement measures beginning six months later. But what’s the difference between these two privacy acts? This article gives a high-level overview of the similarities and differences between the GDPR and the CCPA and why you need a flexible policy-based encryption solution to deal with one or both of them.
What is the California Consumer Privacy Act (CCPA)?
The CCPA establishes data privacy rights for Californian residents and it applies to businesses that sell products and services to California residents and collect information about them.
Under the CCPA, California residents have the right to:
- Know what personal information is collected about them.
- Know whether their personal information is sold or disclosed and to whom.
- Opt out of allowing businesses to sell their personal information.
- Access the personal information collected about them—in the last 12 months—in a user-friendly format.
- Equal service and price, no matter what privacy options they choose.
- Erase personal data collected (in some situations).
Under the CCPA, Californians can opt out of almost all secondary uses of their personal information including sale to data brokers, tracking and other uses not directly related to service delivery.
What is the General Data Protection Regulation (GDPR)?
The GDPR establishes data privacy rights for Eurpean citizens (who may or may not be residents); it’s a uniform privacy law that applies across the Eurpean Union to protect its 512 million citizens. Companies that do business in Europe are subject to the GDPR.
Under the GDPR, Europeans have the right to:
- Access their personal data.
- Correct errors contained in their collected personal data.
- Withdraw consent for data processing.
- Stop automated decision making when the decision has a legal implication.
- Withdraw the consent that allows businesses to sell their personal information.
- Erase personal data collected (in some situations).
- Access some personal information collected about them in a user-friendly format.
Similarities between the CCPA and the GDPR
Both acts give consumers access to personal data, the right to have companies erase some personal data, a way to opt out of having their personal data sold to third parties and claim damages through a private right of action.
Differences between the CCPA and the GDPR
The GDPR gives citizens the right to stop automated decision making when there’s a legal implication and the right to correct errors in collected data but these aren’t included in the CCPA. It’s hard to say which act is more aggressive with enforcement penalties. While the GDPR tops out at four per cent of a company’s annual global revenues, the CCPA allows fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. Depending on the type of breach, those CCPA fines could add up quickly.
Advantages of the CCPA and the GDPR
For consumers, the advantages of the CCPA and the GDPR are clear: more privacy rights and the power to protect those rights through right of action damages and enforcement penalties. The advantages of the GDPR for business is that it’s one blanket regulation to conform to—which is easier than managing patchwork privacy. Imagine if every country in the EU had its own privacy regulations!
Challenges for businesses
American businesses don’t have to imagine patchwork privacy because it’s already happening with state privacy laws and laws governing cyber security, data security and data breach notification in Washington, Texas, Oregon, New York, New Jersey, Nevada, Maryland, Massachusetts, Maine and California. This means organizations that do business across America and Europe have an increasingly complex privacy landscape to navigate. Compliance must be built into the three Ps of business—people, process and products—because even sending an email is no longer simple.
National organizations, for example companies in banking, financial services and insurance, must adapt to and comply with new privacy laws because it’s unlikely the consumer data privacy trend will reverse itself.
Echoworx OneWorld: a flexible, policy-based encryption solution for GDPR and CCPA compliance
An enterprise privacy program covers everything from daily operations and compliance to policies, procedures and investigations. To build compliance across the 3 Ps of business, organizations must adopt a flexible, policy-based encryption solution.
OneWorld features that help enterprises navigate privacy laws including the GDPR and CCPA:
- Definable policies – This allows you to control which communications get encrypted (and how) based on the message content. These policies are based on your needs, legislation and encryption best practices. Flexible controls for every scenario allow you to create a customized user experience for senders and recipients and stay in control of encrypted messages in transit and at rest. This policy-based encryption helps you stay compliant with privacy laws.
- Easy and frictionless user experience – A recent Echoworx survey found that 53 per cent of organizations with encryption found it “too difficult to use.” OneWorld makes it easy for employees and customers to use, making encryption — and compliance — a consistent path of least resistance.
- Enable inbound encryption – Emails with sensitive information—including protected personal information—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.
Here’s how it works with OneWorld:
Whether it’s the GDPR or the CCPA, encryption is considered an appropriate measure for protecting personal data—and it comes with financial benefits. A recent Forrester Total Economic Impact™ study showed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of only seven months.
By: Brian Cole, Senior Manager Security Operations and Support, Echoworx