
How Can I Use What I've Done for GDPR to Help with CCPA? Part IV
The California Consumer Privacy Act (CCPA) requires businesses with California customers to be transparent about the personal information they collect, why they collect it, and who they share or sell it to. Under CCPA, Californians are granted five key privacy rights:

- The right to know what personal information is being collected about them.
- The right to know whether their personal information is being sold or shared—and with whom.
- The right to opt out of the sale of their personal information.
- The right to access their personal information.
- The right to equal service and pricing, even when they exercise their privacy rights.
Many organizations are actively reviewing or updating their business and data privacy practices to ensure compliance with these new requirements. For businesses already compliant with GDPR or in the process of implementing GDPR, adopting the necessary CCPA controls is often a smoother process, as they share some common ground.
Privacy professionals, including Data Privacy Officers, legal teams, consultants, and HR staff, find it invaluable to compare GDPR and CCPA side by side. This helps them pinpoint additional steps needed to ensure full CCPA compliance.
In our previous blog, we discussed CCPA’s personal information categories and compared key aspects of GDPR and CCPA, such as whom each law applies to, whom it protects, what information is protected, and its security standards. The comparison continues below:
| Details | GDPR | CCPA |
|---|---|---|
| Anonymous, Deidentified, Pseudonymous, or Aggregated Data | Pseudonymous data still allows for some form of re-identification (even indirect and remote). This concept is not formally defined in the current EU data protection legal framework; check for the latest guidance. Anonymized data is no longer considered personal data and is thus outside the scope of EU data protection law. | The CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose consumer information that is deidentified or aggregated. However, the CCPA sets a high bar for claiming that data is deidentified or aggregated. (Aggregation: to avoid being singled out, an individual is grouped with several other individuals who share some or all of the same personal data.) |
| Privacy Notice / Information Right | When a business collects personal data, it currently has to give people certain information, such as the business’s identity and how it intends to use their information. The notice must include specific information depending on whether the data is collected directly from the data subject or from a third party. | Businesses must inform consumers about (1) the categories of personal information collected and (2) the intended purposes of use for each category. Further notice is required before collecting additional categories of personal information or using collected personal information for unrelated purposes. The CCPA prescribes the specific information businesses must provide to consumers. |
| Opt-Out Right for Personal Information Sales | The GDPR permits data subjects, at any time, to opt out of the processing of their data for marketing purposes and to withdraw consent for processing activities. This allows data subjects to opt out of third-party sales that support marketing purposes or that rely on consent as their legal basis for processing. | Businesses must enable and comply with a consumer’s request to opt out of the sale of personal information to third parties, subject to certain defenses. They must include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on the website homepage. |
| Security | The GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes DPIAs (Data Protection Impact Assessments) mandatory in certain circumstances. The GDPR requires data controllers and data processors to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. | The CCPA does not directly impose data security requirements. However, it does establish a right of action for certain data breaches that result from a business’s violation of its duty, arising from existing California law, to implement and maintain reasonable security practices and procedures appropriate to the risk. |
| Children | The GDPR sets the age at which a child can give their own consent to this processing at 16 (check the minimum in the UK). If the child is younger, consent must be obtained from a person holding ‘parental responsibility’. Children must receive an age-appropriate privacy notice, and children’s personal data is subject to heightened security requirements. | The CCPA prohibits selling the personal information of a consumer under 16 without consent. Children aged 13 to 16 can provide consent directly; children under 13 require parental consent. Protections provided by the federal Children’s Online Privacy Protection Act (COPPA) still apply on top of the CCPA’s requirements. |