GDPR and CCPA are data privacy regulations that are redefining how businesses process personal data of individuals. General Data Protection Regulation, commonly known as GDPR, is a data privacy law that gives more control to EU citizens on how businesses use their data. California Consumer Privacy Act, aka CCPA, is a bill that strengthens the rights of individuals over how companies use their information.
GDPR targets the companies established in the EU that process data inside and outside the EU. It also targets Non-EU businesses that process data of EU subjects.
User Rights under GDPR & CCPA
GDPR protects the rights of the individuals where they have the right to know what data is collected, and the choice to opt out of processing for marketing and resale of their data. It also empowers the consumer with the option to access their data and right to portability where users can request their info in a ready to use format. Under the GDPR, children in the EU should receive an appropriate data privacy notice. EU subjects also have the “Right to be forgotten” which enables users to ask enterprises to delete their data.
CCPA targets companies doing business in California but only those that have either revenue upwards of $25 million or those that process data of more than 50,000 consumers or those that make 50% of its revenue by selling data. CCPA protects the rights of California residents and employees. It empowers consumers with the right to know about all data collected by a business two times in a year at no additional cost. Under the CCPA, users will have the choice to opt out anytime from the sale of their personal information to third parties. As per CCPA personal information of any user under 16 cannot be sold without consent. California residents can request their data be deleted.
GDPR and CCPA are two of the most sweeping legislations to have come to the fore since PCI and HIPAA hit the financial and healthcare industries. With so many rights afforded to the users, complying with both these regulations require businesses to carefully assess how they are using consumer data and make changes to their data collection and enterprise workflows.
All EU subjects are afforded many rights to protect their privacy under the GDPR. For different rights of the customer, to be GDPR compliant, a business needs to do the following:
Right to Know: Users have a right to know what data is collected on them and for what purpose. Companies need to maintain a digital record that the user has given his/her consent. They also need to know the kind of permissions granted by the user, such as the consent to use data for marketing internally or externally, for sharing of data with 3rd parties, resale of data, etc. It is possible that a user may never request for these details but maintaining these records will help a business manage enterprise risk and avoid potential penalties. Enterprises also need to redraft the current privacy notices to comply with GDPR.
Right to Opt Out: Customers can opt out of any marketing activities and can also withdraw their consent for further processing. Customer’s data would usually be present in various lists like a promotional email list, remarketing list, primary customer dataset, etc. Enterprises need to know from which list or activity the user has requested to opt out to fulfill the user’s request. Having this precise categorization of user consent data would help businesses to only remove the user from the specific activity rather than brute force removal from all activity, thereby preserving the sanctity of customer data.
Right to Portability: Consumers have the right to receive their info in a ready to use a format that they can use to transfer from one entity to the other. To fulfill this right, enterprises need to keep track of all personal data of the customer such as their search history, location data, wearable tracking data etc. and have a system in place to export this data and share with the user in a format that the customer can use to switch to another service provider.
Right to be Forgotten: Users have the right to ask companies to delete their data and be allowed to be forgotten. Enterprises are obligated to remove user data from their systems as well as contact 3rd party recipients to whom the info has been sold. Managing this user request is a complex task since during the customer’s lifetime, data about them could have easily been transmitted to multiple enterprise systems in structured and unstructured formats. Enterprises may find it very difficult to implement this request when compared to some of the other requests that fall under GDPR.
In addition, an enterprise also needs to demonstrate that the user information is secured with reasonable security and inform consumers of data breaches, especially if their personal information is vulnerable. If an enterprise fails to comply with GDPR, they are liable to pay penalties ranging from €10 million (or 2% of the worldwide annual turnover of the prior financial year, whichever is higher) to €20 million (or 4% of the worldwide annual turnover of the prior financial year, whichever is higher).
To comply with CCPA, businesses that operate in California and fall under the ambit of CCPA as per the conditions defined earlier, are also required to afford similar rights to users as defined under GDPR. In addition, under CCPA enterprises are also required to:
- Implement procedures to obtain parental consent for children under 13
- Once a user has opted out, an enterprise cannot request an opt-in consent for the next 12 months
- Provide users a mechanism to submit data access request and at a minimum have a toll-free telephone number that users can call to submit their request
- If a business fails to comply with CCPA, they may face fines up to $7500 per violation.
Enterprises have to take a methodical approach to each right offered to users in GDPR and CCPA. The outlook on user data has to change if an enterprise wants to be GDPR and CCPA compliant. So do the processes and technologies deployed to ensure compliance.