Some companies may believe that their business practices exempt them from the GDPR, the CCPA and other privacy regulations. However, they should make that determination only after consulting with attorneys and performing a careful evaluation of any possible business nexus that might make them subject to the regulations.
Fallacy: The GDPR and the CCPA Are More or Less the Same Thing
The GDPR and the CCPA have quite a bit in common. They are both broad privacy regulations designed to protect the personal information of individuals from corporate overreach. However, they differ greatly in many of the details. Firms should not assume that their GDPR compliance efforts necessarily make them compliant with the provisions of the CCPA or other laws.
For example, firms that carefully crafted privacy notices and policies in response to the GDPR will likely find that those policies need to be adjusted for the CCPA. They may also find that the service provider agreements written with the GDPR’s standard contractual clauses require tweaking.
The bottom line here is that compliance with each law must be treated as its own separate endeavor. Firms that already comply with the GDPR will find it easier to implement CCPA or other privacy compliance programs, but it’s still important to go through each regulation with a fine-toothed comb and assess it against the organization’s business practices.
Fact: Companies Should Take a Broad Approach to Compliance
While companies must consider each privacy regulation as an individual entity, they can still achieve operational efficiencies by meeting their requirements with overlapping controls. In fact, well-designed privacy programs should begin with clear objectives based upon a regulation-agnostic standard such as the Generally Accepted Privacy Principles that accountants use. This provides a bedrock foundation for a privacy program, grounding it in accepted best practices.
With a well-designed privacy program in place, organizations may then treat each of these regulations as a compliance exercise where they walk through each of the legal requirements they face and map it to the existing controls in their broader privacy programs. Sure, this may require changing some controls to meet the letter of each law, but it will also ensure that future privacy compliance obligations may be met without a massive undertaking.
Fact: A Just-Passed Law in California Adds More Requirements
In November 2020, California voters passed Proposition 24, creating the California Privacy Rights Act (CPRA). It expands the requirements of the CCPA, creating new privacy obligations for businesses handling the personal information of Californians. This new law will go into effect in January 2023.
The CPRA creates a new category of information called “sensitive personal information,” which resembles the “sensitive personal data” category of the GDPR. This class of information, which includes personal identifiers, geolocation data, health information and other sensitive data, is subject to new disclosure, consent and purpose limitation requirements.
The law also grants individuals new privacy rights in the areas of automated decision-making, fixing erroneous information and usage restrictions.
Now is the time to begin analyzing the new requirements and assessing their effect on operations.
Privacy regulation will continue to be an emerging area of both U.S. and international law well into the future. Those that act now to develop comprehensive privacy and compliance programs will find themselves well situated to react to emerging regulations. They will also send a strong message to their customers, employees, and other stakeholders that they understand privacy concerns and continue to work to protect the information entrusted to their care.