Mar 15 2021

GDPR and CCPA: Businesses Must Comply With Both, and They’re Not the Same

The European and U.S. laws are similar but each has distinct features that organizations must account for in their privacy programs.

The past few years presented businesses around the world with a dizzying array of new and changing requirements for handling personally identifiable information. The European Union ushered in this wave of change in 2018 when the General Data Protection Regulation took effect. The California Consumer Privacy Act passed later that same year and went into effect in January 2020.

All the requirements from multiple jurisdictions can be confusing. Let’s separate the facts from the falsehoods to help businesses in their efforts to comply.

Fact: Virtually All U.S. Businesses Must Comply With These Laws

When the GDPR first passed, many U.S. businesses took a wait-and-see approach, believing that it would be difficult for EU regulators to enforce requirements on foreign companies. Similar beliefs followed the passage of the CCPA: Companies based outside of California wondered whether the long arm of the state could reach them.

The reality is that these laws do have the potential to affect companies that are not physically located within the regulators’ jurisdiction. Most firms do business across these state and international boundaries, and regulators assert their ability to protect the personal information of their residents worldwide. European regulators have assessed and imposed fines against Google, Amazon, Twitter and other U.S. technology companies.

Some companies may believe that their business practices exempt them from the GDPR, the CCPA and other privacy regulations. However, they should make that determination only after consulting with attorneys and performing a careful evaluation of any possible business nexus that might make them subject to the regulations.

Fallacy: The GDPR and the CCPA Are More or Less the Same Thing

The GDPR and the CCPA have quite a bit in common. They are both broad privacy regulations designed to protect the personal information of individuals from corporate overreach. However, they differ greatly in many of the details. Firms should not assume that their GDPR compliance efforts necessarily make them compliant with the provisions of the CCPA or other laws.

For example, firms that carefully crafted privacy notices and policies in response to the GDPR will likely find that those policies need to be adjusted for the CCPA. They may also find that the service provider agreements written with the GDPR’s standard contractual clauses require tweaking.

The bottom line here is that compliance with each law must be treated as its own separate endeavor. Firms that already comply with the GDPR will find it easier to implement CCPA or other privacy compliance programs, but it’s still important to go through each regulation with a fine-toothed comb and assess it against the organization’s business practices.

Fact: Companies Should Take a Broad Approach to Compliance

While companies must consider each privacy regulation as an individual entity, they can still achieve operational efficiencies by meeting their requirements with overlapping controls. In fact, well-designed privacy programs should begin with clear objectives based upon a regulation-agnostic standard such as the Generally Accepted Privacy Principles that accountants use. This provides a bedrock foundation for a privacy program, grounding it in accepted best practices.

With a well-designed privacy program in place, organizations may then treat each of these regulations as a compliance exercise where they walk through each of the legal requirements they face and map it to the existing controls in their broader privacy programs. Sure, this may require changing some controls to meet the letter of each law, but it will also ensure that future privacy compliance obligations may be met without a massive undertaking.

Fact: A Just-Passed Law in California Adds More Requirements

In November 2020, California voters passed Proposition 24, creating the California Privacy Rights Act (CPRA). It expands the requirements of the CCPA, creating new privacy obligations for businesses handling the personal information of Californians. This new law will go into effect in January 2023.

The CPRA creates a new category of information called “sensitive personal information,” which resembles the “sensitive personal data” category of the GDPR. This class of information, which includes personal identifiers, geolocation data, health information and other sensitive data, is subject to new disclosure, consent and purpose limitation requirements.

The law also grants individuals new privacy rights in the areas of automated decision-making, fixing erroneous information and usage restrictions.

The time is now to begin analyzing the new requirements and assessing their effect on operations.

Privacy regulation will continue to be an emerging area of both U.S. and international law well into the future. Those that act now to develop comprehensive privacy and compliance programs will find themselves well situated to react to emerging regulations. They will also send a strong message to their customers, employees, and other stakeholders that they understand privacy concerns and continue to work to protect the information entrusted to their care. 