
GDPR Vs CCPA - Brochure_compressed (1)



Presentation Transcript


  1. GDPR Vs CCPA - Key Similarities and Differences
     W: www.vistainfosec.com | E: info@vistainfosec.com
     US Tel: +1-415-513-5261 | UK Tel: +442081333131 | SG Tel: +65-3129-0397
     IN Tel: +91 73045 57744 | Dubai Tel: +971507323723
     An ISO27001 Certified Company, CERT-IN Empanelled, PCI QSA, PCI QPA and PCI SSFA
     USA. SINGAPORE. INDIA. UK. MIDDLE EAST. CANADA.

  2. INDEX
     05 Introduction
     06 What is the General Data Protection Regulation Act?
     07 What is the California Consumer Privacy Act?
     08-11 Similarities in Scope & Applicability
     12-17 Differences in Scope
     18-27 Similarities in Key Terms & Definition
     28-33 Differences in Key Terms & Definition
     34-35 Similarities on Legal Grounds
     36-37 Differences on Legal Grounds
     38-49 Similarities in the Rights of consumer
     50-61 Differences in the Rights of consumer
     62-63 Similarity in Compliance Enforcement
     64-71 Difference in Compliance Enforcement
     72-73 Conclusion
     74-75 GDPR Vs CCPA Video

  3. Introduction
     The General Data Protection Regulation and the California Consumer Privacy Act are two widely adopted data privacy legislations. Both laws are designed to secure and govern the processing of personal data. This legislation has emerged to empower consumers with complete control over the use of their Personal Information. They are the industry's leading standards for Data Protection and regulate organizations that process Personal Data / Information in a variety of ways. Although the primary objective of both regulations is to ensure the security and privacy of data subjects, the two frameworks are distinct and cover different aspects of data privacy, security, and consumer rights. To cover this in more detail, we have outlined some of the key similarities and differences between the two privacy legislations, GDPR vs CCPA. But before diving straight into the differences and similarities, let us first understand the two legislations in brief.

  4. What is the California Consumer Privacy Act?
     The California Consumer Privacy Act (CCPA) is a state-wide data privacy law established for businesses around the world that handle the personal information (PI) of California residents. The CCPA applies to any for-profit business in the world that sells the personal information of more than 50,000 California residents annually, or has annual gross revenue exceeding $25 million, or earns more than 50 percent of its annual revenue from selling the personal information of California residents. Even if a company only shares common branding (a shared name, service mark, or trademark) with a business that falls within the ambit of CCPA compliance, the company will be subject to CCPA compliance too. Failure to comply with the CCPA can result in fines for businesses of up to $7,500 per violation and $750 per affected user in civil damages.
     What is the General Data Protection Regulation Act?
     The General Data Protection Regulation (GDPR) is a regulatory standard in EU law on Data Protection and Privacy. The compliance standard requires every organization within the European Union and the European Economic Area, or outside the EU but dealing with the Personal Data of EU citizens, to comply with the set standard. It sets a new standard for consumer rights regarding the privacy of their Personal Data. The standard provides rules about how companies should process the Personal Data of EU citizens. It lays out responsibilities for organizations to ensure the privacy and protection of Personal Data and grants citizens certain rights over the usage of their Personal Data. Non-compliance with GDPR requirements may lead to heavy fines or penalties for organizations (€20 million or 4% of annual global turnover, whichever is greater).

  5. Key Similarities and Differences between GDPR & CCPA: Similarities in Scope & Applicability
     Application
     GDPR: The GDPR applies to any organization that deals with the personal data of residents of the EU.
     CCPA: The CCPA applies to any organization that deals with the Personal Information of residents of California.
     Processing Personal Data
     GDPR: The GDPR applies to any business processing personal data. Processing personal data includes collection, recording, storing, altering, retrieving, disclosing by transmission, dissemination or otherwise making available, combination, restriction, erasure or destruction.
     CCPA: The CCPA applies to businesses processing personal data. Processing of data is any operation performed on personal data, including collecting, selling or sharing. Collecting under the CCPA means the business acquires personal information, be it directly from the consumer or indirectly. Selling includes renting, disclosing, releasing, disseminating, making available, transferring, or otherwise communicating personal information for monetary or other valuable consideration.
     Personal Data / Information
     GDPR: Personal data is any information that directly or indirectly relates to an identified or identifiable individual.
     CCPA: Personal information is any information that directly or indirectly relates to, or could reasonably be linked to, a particular consumer or household.

  6. Key Similarities and Differences between GDPR & CCPA: Similarities in Scope & Applicability
     Anonymous Personal Data / Information
     GDPR: Anonymous data is out of scope under the GDPR. Anonymous data is information that does not relate to an identified or identifiable person, or data for which the data subject is not or is no longer identifiable.
     CCPA: Businesses are exempted from the CCPA if the information collected cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to an individual, provided the business uses the non-identified information and puts in place technical and organizational measures to prevent re-identification.
     Exemption on Personal Information
     GDPR: The GDPR excludes the processing of personal data used for purely personal or household purposes and not for professional or commercial activity.
     CCPA: The CCPA excludes business processing of data that is used for the non-commercial activities of a person.

  7. Key Similarities and Differences between GDPR & CCPA: Differences in Scope
     Application
     GDPR: The GDPR obligations apply to businesses irrespective of whether their activity is for profit or not, irrespective of their size, and whether they are private law or public law entities.
     CCPA: The CCPA obligations apply to a business that collects and processes personal data for profit, or on behalf of which such information is collected and processed for profit.
     Third-party Processors
     GDPR: The GDPR applies to processors who process Personal Data on behalf of businesses.
     CCPA: The CCPA applies to any business that processes personal data. However, there are no obligations directed specifically at service providers, other than using the Personal Information as directed by the business they serve. Businesses can direct service providers to delete a consumer's Personal Information from their records.
     Territorial Scope
     GDPR: The GDPR is applicable to organizations across the globe dealing with the personal data of citizens of the EU.
     CCPA: The CCPA is applicable to organizations doing business within California and dealing with the Personal Information of citizens of California.
     Processing Personal Data
     GDPR: The GDPR applies to the processing of Personal Data regardless of the type of processing operation.
     CCPA: The CCPA applies to businesses that share or sell the information that they collect.

  8. Key Similarities and Differences between GDPR & CCPA: Differences in Scope
     Exclusion in Processing of Personal Data
     GDPR: Under the GDPR, two types of processing activities are excluded:
     - Processing conducted through non-automated means which is not part of a filing system.
     - Processing conducted by an individual for a purely personal or household purpose.
     CCPA: The CCPA also excludes several specific processing activities from the definition of selling, which include:
     - The consumer directs the business to disclose their information to the third party.
     - Sharing with third parties that a consumer has opted out from the sale of their data.
     - Sharing Personal Information with a third party for a business purpose.
     - The business transfers the Personal Information to the third party as part of a merger, acquisition, bankruptcy, or other similar transaction.

  9. Key Similarities and Differences between GDPR & CCPA: Differences in Scope
     Exclusion of specific categories of Personal Information
     GDPR: The GDPR does not exclude specific categories of Personal Data from its scope of application.
     CCPA: The CCPA specifically excludes from its scope of application the collecting and sharing of some categories of Personal Information, which include:
     - Medical information.
     - Information collected as part of a clinical trial.
     - Sale of information to or from Consumer Reporting Agencies.
     - Personal Information under the Gramm-Leach-Bliley Act.
     - Personal Information under the Driver's Privacy Protection Act.
     - Publicly available personal information.

  10. Key Similarities and Differences between GDPR & CCPA: Similarities in Key Terms & Definition
     Definition of Personal Information
     GDPR: "Personal Data" is defined as any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier like a name, number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
     CCPA: "Personal Information" is defined as information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a consumer or household.

  11. Key Similarities and Differences between GDPR & CCPA: Similarities in Key Terms & Definition
     Categories of Personal Information
     GDPR: The GDPR states that online identifiers may be considered Personal Data, such as:
     - IP addresses.
     - Cookie identifiers.
     - Radio frequency identification tags.
     Article 9 of the GDPR specifies the Personal Data that falls under the special categories of Personal Data.
     CCPA: The CCPA provides specific categories of information that are considered Personal Information, which include:
     - Identifiers.
     - Commercial information.
     - Biometric information.
     - Internet or other electronic network activity.
     - Geolocation data.
     - Professional or employment information.
     - Education information.
     - Inferences drawn from any of the above information.

  12. Key Similarities and Differences between GDPR & CCPA: Similarities in Key Terms & Definition
     Anonymized data
     GDPR: The GDPR does not apply to data that is anonymized and can no longer identify the individual.
     CCPA: The CCPA is not applicable to non-identified information that cannot reasonably be identified with or linked, directly or indirectly, to a particular individual.
     Pseudonymisation
     GDPR: As outlined in the GDPR, Personal Data that has undergone pseudonymisation but can be attributed to an individual by the use of additional information is considered identifiable Personal Data.
     CCPA: The CCPA in its guidelines does not clearly state whether it applies to Personal Information that has been pseudonymized.
     Rules of identifying data subjects
     GDPR: The GDPR provides that the controller cannot be obliged to maintain, acquire or process additional information to identify the data subject for the sole purpose of complying with the GDPR, if the processing does not otherwise require it.
     CCPA: The CCPA clearly states that its rules cannot be construed to require a business to identify or otherwise link information that is not maintained in a manner that would be considered Personal Information.
     Governance of Personal Information Processing
     GDPR: Data processing activities should be governed by a binding contract or a legal act with the business or data controller. Processors can only process Personal Data on instructions from the controller. On termination of the agreement with the controller, the processor must return or destroy the personal data, at the choice of the controller.
     CCPA: Under the CCPA, a business can disclose Personal Information for a business purpose based on a written contract. The contract should clearly prohibit retaining, using, or disclosing the personal information for any purpose other than the specified business purpose stated in the contract.

  13. Key Similarities and Differences between GDPR & CCPA: Similarities in Key Terms & Definition
     Right to Delete
     GDPR: Under the GDPR, the data subject has the right to ask for deletion of their Personal Data. Upon the request, the data processor is obliged to comply as directed by the controller.
     CCPA: Under the CCPA, the data subject has the right to request deletion of their Personal Information. Upon the request, the organization must direct the service provider to delete the records of the data subject.
     Consequences of Non-Compliance for Third-party data processors
     GDPR: Under the GDPR, the data subject has the right to claim compensation from the data processor for damages due to an infringement caused by a failure in data processing or contractual obligations.
     CCPA: Under the CCPA, the third-party service provider will be liable for a penalty in case of misuse of Personal Information and violation of the CCPA.
     Consent on a child's Personal Information
     GDPR: Businesses are expected to obtain explicit consent from parents or guardians for processing the data of a child between 13 and 16 years of age.
     CCPA: Businesses are expected to obtain opt-in consent to sell the Personal Information of a child under the age of 16, and explicit consent from parents or guardians in the case of a child below the age of 13.

  14. Key Similarities and Differences between GDPR & CCPA: Similarities in Key Terms & Definition
     Personal Information collected for Research
     GDPR: The GDPR requires that Personal Data collected for specific, explicit and legitimate research purposes should not be further processed for incompatible purposes. But processing for scientific or historical research purposes shall be considered compatible with the original purpose.
     CCPA: Personal Information collected and processed for research purposes shall be considered compatible with the original purpose.
     Right to deletion of Information collected for Research
     GDPR: The right to deletion of information collected for scientific or historical research purposes may not be applicable where it may impair the achievement of the objectives of that processing.
     CCPA: The right to deletion of the information may not be possible where it may seriously impair the achievement of such research.

  15. Key Similarities and Differences between GDPR & CCPA: Differences in Key Terms & Definition
     Publicly available Information
     GDPR: Personal Data under the GDPR covers publicly available information. So, businesses that collect publicly available data will be subject to the GDPR.
     CCPA: Personal Information under the CCPA does not cover publicly available information that is lawfully made available in federal, state, or local government records. So, businesses that collect publicly available data will not be subject to the CCPA, except for biometric information, which is not included in the publicly available category.
     Special category of Personal Information
     GDPR: The GDPR prohibits processing of special categories of Personal Data, which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of identifying an individual, data concerning health, or data concerning an individual's sex life or sexual orientation.
     CCPA: The CCPA does not separately define or categorize sensitive data or special categories of Personal Data. Further, the regulation does not provide any special rules for collecting and sharing biometric data, which is treated as an exception to publicly available information.
     Medical/healthcare information
     GDPR: The GDPR protects Personal Data related to health, as it is categorized under the special categories of data.
     CCPA: The CCPA excludes medical, healthcare and clinical trial information, as they are covered by the Confidentiality of Medical Information Act, the Health Insurance Portability and Accountability Act and the Federal Policy respectively.

  16. Key Similarities and Differences between GDPR & CCPA: Differences in Key Terms & Definition
     Re-identifying Data/Information
     GDPR: The GDPR states that the controller/business has to re-identify data only when the data subject provides the additional information that enables the controller/business to comply with a request exercising the data subject's rights.
     CCPA: The CCPA clearly states that the business is not required to re-identify or otherwise link information in a manner that would be considered Personal Information, even where consumers request that the business disclose the categories or specific pieces of information collected.
     Obligations on the third-party Data Processor
     GDPR: The processor must:
     - Keep records of data processing activities.
     - Implement appropriate technical and organizational measures.
     - Carry out a Data Protection Impact Assessment.
     - Appoint a DPO (Data Protection Officer).
     - Notify the controller of any data breach.
     CCPA: Businesses sharing information with service providers for a business purpose should not be considered as selling information; the service providers must not further collect, sell, or use the Personal Information of the consumer except when necessary to perform the business purpose.

  17. Key Similarities and Differences between GDPR & CCPA: Differences in Key Terms & Definition
     Exception on unintentional collection of a child's personal information
     GDPR: The GDPR does not provide any exception or clarity on the unintentional collection of a child's Personal Information by controllers/businesses.
     CCPA: The CCPA provides an exception for businesses that were not aware of a child's age.
     Special Category Data
     GDPR: Under the GDPR, special categories of Personal Data may be used, other than on the basis of the data subject's consent, where processing is necessary for scientific or historical research purposes based on Union or Member State law that safeguards the rights of the data subject.
     CCPA: Under the CCPA, internal research for technological development and demonstration using Personal Information is considered use for a business purpose and not selling. So, consumers cannot opt out of it.

  18. Key Similarities and Differences between GDPR & CCPA: Similarities on Legal Grounds
     Withdrawal of consent
     GDPR: The GDPR provides data subjects with a right to withdraw consent at any time, as well as a right to object if their Personal Data is processed on the basis of legitimate interest or the performance of a task in the public interest.
     CCPA: Under the CCPA, no legal grounds are required for collecting, selling or disclosing Personal Information. However, consumers may ask businesses not to sell their Personal Information. In case a consumer opts out, the business will only be able to sell and/or disclose Personal Information if the consumer gives their explicit permission.
     Processing personal data of children
     GDPR: The GDPR entails special conditions for processing the Personal Data of children for information society services when such processing is based on consent.
     CCPA: The CCPA allows businesses to sell minors' data on the basis of consent. However, this opt-in is only mandated for the sale of information, and is not required for the collection of information.

  19. Key Similarities and Differences between GDPR & CCPA: Differences on Legal Grounds
     Legal grounds for processing Personal Information
     GDPR: The GDPR states that data controllers can only process Personal Data when there is a legal ground for it. The legal grounds include:
     - Consent from the data subject.
     - Compliance with legal obligations to which the data controller is subject.
     - Protection of the vital interests of the data subject.
     - Processing carried out in the public interest or in the exercise of official authority vested in the data controller.
     - The legitimate interest of the data controller, when this does not override the fundamental rights of the data subject.
     CCPA: The CCPA does not list the legal grounds for businesses to collect and sell Personal Information. It only provides that businesses must obtain the consent of consumers when they enter into a scheme that gives financial incentives on the basis of the Personal Information provided.

  20. Key Similarities and Differences between GDPR & CCPA: Similarities in the Rights of consumers
     Scope of right to deletion
     GDPR: The scope is not limited to just the data controller, but also covers third parties, including recipients, data processors and sub-processors, who are required to comply with a deletion request.
     CCPA: The scope is not limited to just the business that collects Personal Data, but also covers third parties to whom data has been sold/passed on.
     Free of cost for exercising the right to deletion
     GDPR: Exercising rights is free of cost unless requests are unfounded, excessive or repetitive by nature.
     CCPA: Exercising rights is free of cost unless requests are unfounded, excessive or repetitive by nature.
     Exercise of the data subject's right to delete
     GDPR: As stated under the GDPR, data controllers/businesses must ensure that the request made by the data subject for their Personal Data to be deleted is implemented.
     CCPA: As stated under the CCPA, data controllers/businesses must ensure that the request made by the data subject for their Personal Data to be deleted is implemented.
     Provide information on the right of deletion
     GDPR: Under the GDPR, data subjects must be informed by the business/controller about their right to data deletion.
     CCPA: Under the CCPA, data subjects must be informed by the business/controller about their right to data deletion.

  21. Key Similarities and Differences between GDPR & CCPA: Similarities in the Rights of consumers
     Exceptions in deletion of data
     GDPR: The GDPR provides exceptions to the deletion of data, which include:
     - Freedom of expression and information.
     - Processing for research purposes.
     - Establishment, exercise or defense of legal claims.
     - Complying with a legal obligation.
     CCPA: The CCPA provides exceptions to the deletion of data, which include:
     - Free speech or another right provided by law.
     - Processing for research purposes.
     - Protecting against illegal activity or prosecuting those responsible for the activity.
     - Complying with a legal obligation.
     Information to be provided
     GDPR: The GDPR clearly states that information on the following must be provided to individuals:
     - Categories of personal data processed.
     - Purposes of processing.
     - Existence of data subjects' rights.
     - Contact details of the data protection officer.
     CCPA: The CCPA clearly states that information on the following must be provided to individuals:
     - Categories of personal information to be collected.
     - Purposes for which it is collected.
     - If a business sells personal information about the consumer to third parties, the rights of the consumers and the methods to exercise such rights must be given to consumers.

  22. Key Similarities and Differences between GDPR & CCPA: Similarities in the Rights of consumers
     Right to be informed before collection of data
     GDPR: The GDPR states that information must be provided to data subjects by controllers at the time when Personal Data are obtained or directly collected from the consumer.
     CCPA: The CCPA states that businesses must inform customers before or at the time of collection.
     Additional consent
     GDPR: Data controllers cannot collect and process Personal Data for purposes other than those the consumers were informed of, unless they provide them with further information.
     CCPA: Businesses cannot collect additional Personal Information without informing consumers of the purpose, unless they provide them with further information.
     Way to exercise opt-out
     GDPR: Data subjects have several ways to opt out of the processing of their Personal Data:
     - Withdraw consent.
     - Exercise the general right to object.
     - Object to the processing of their data for direct marketing purposes.
     CCPA: The CCPA clearly states that data subjects have the right to opt out from the selling of their Personal Information. They also have the right to opt out from the subsequent selling of their Personal Information by a third party that received their information from an initial sale.

  23. Key Similarities and Differences between GDPR & CCPA: Similarities in the Rights of consumers
     Privacy notice
     GDPR: Data subjects must be given a privacy notice that provides them with information about their rights and how they can exercise them.
     CCPA: Consumers are expected to be given a privacy notice that provides them with information about their rights and details about how their data is being used and to whom the data is being sold. Businesses are expected to have in place a link to a 'Do Not Sell My Personal Information' page on the homepage of their business website.
     Right to access their data
     GDPR: The GDPR clearly states that individuals have the right to access and receive a copy of the Personal Data processed about them. Further, the data controller must indicate the purpose of processing their Personal Data and to whom the data has been disclosed.
     CCPA: The CCPA also clearly states that individuals have the right to access and receive a copy of their Personal Data processed. Businesses are expected to indicate the purpose of processing their data, the source of data collection, the categories of data processed and the third parties to whom their data is disclosed.

  24. Key Similarities and Differences between GDPR & CCPA: Similarities in the Rights of consumers
     Method of request
     GDPR: Data subjects have the right to make a request over a call or through an electronic medium. Data controllers are expected to respond accordingly through the same medium of communication.
     CCPA: Consumers are given the right to make a request over a call or through an electronic medium. Similarly, businesses are expected to respond via the same medium of communication.
     Mechanism of request
     GDPR: The GDPR specifies that data controllers must have mechanisms in place to ensure that the request made by the data subject is received and acted upon.
     CCPA: The CCPA specifies that businesses must have mechanisms in place to ensure that the request made by the consumer is received and acted upon.
     Exercise rights with no fee charged
     GDPR: The GDPR states that data subjects can exercise their rights free of cost. There may be some instances where a fee may be requested, notably when the requests are unfounded, excessive or have a repetitive character.
     CCPA: Disclosure and delivery of Personal Information as required by the right of access must be free of cost. There may be some instances where a fee may be requested, notably when the requests are unfounded, excessive or have a repetitive character.
     Discrimination
     GDPR: The GDPR does not include an explicit provision on discrimination on the basis of how individuals choose to exercise their data protection rights. However, it is implicit from the principles of the GDPR that individuals must be protected from discriminatory consequences derived from the processing of their Personal Data.
     CCPA: The CCPA states that consumers must not be discriminated against based on the exercise of their rights under the CCPA.

  25. Key Similarities and Differences between GDPR & CCPA: Similarities in the Rights of consumers
     Data portability right
     GDPR: The GDPR states that data subjects have the right to receive the data processed on the basis of their consent in a commonly used and machine-readable format.
     CCPA: The CCPA states that when businesses provide data electronically to the consumer following an access request, this data should be provided in a portable and readily usable format that allows the consumer to transmit it to third parties without hindrance.

  26. Key Similarities and Differences between GDPR & CCPA: Differences in the Rights of consumers
     Right to deletion of personal data
     GDPR: The right to deletion only applies if there is no other legal ground for processing, or when personal data is no longer necessary for the business purpose for which it was collected.
     CCPA: The CCPA does not limit the scope of this right to specific situations, categories of personal information or purposes. The right generally applies to Personal Information collected from the consumer, and the consumer does not have to justify his or her request.
     Respond to request
     GDPR: Data subjects' requests must be replied to without delay and in any event within 1 month from the receipt of the request. The deadline can be extended by 2 additional months, taking into account the complexity and number of requests. In any case, the data subject must be informed of such an extension within one month from the receipt of the request.
     CCPA: The deadline to respond to a rights request is 45 days from the receipt of the consumer's request. The deadline can be extended by an additional 45 days when reasonably necessary, if the consumer is informed within the first 45 days, according to Section 1798.130(a). However, in a case of exception under Section 1798.145, the CCPA states that "the time period to respond can be extended up to 90 additional days where necessary, taking into account the complexity and number of the requests".
     Method of submitting a request
     GDPR: Methods to submit a request include in writing, orally, or by other means, including electronic means.
     CCPA: The CCPA states that businesses must provide at least two or more designated methods for submitting requests, which include a toll-free telephone number and, if the business maintains an internet website, a website address.

  27. Key Similarities and Differences between GDPR & CCPA: Differences in the Rights of consumers
     Exemptions to comply
     GDPR: The data controller is also exempted from complying with deletion requests for reasons of public interest in the area of public health.
     CCPA: Under the CCPA, a business is not required to comply under the following circumstances:
     - To perform a contract between the business and the consumer.
     - To detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity.
     - To debug in order to identify and repair errors that impair existing intended functionality.
     - Internal uses that are reasonably aligned with the expectations of the consumer.
     - To use the consumer's Personal Information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

28. Differences in the Rights of consumer

Information to be provided to data subject
GDPR: GDPR states that information on the following must be provided to individuals:
- Identity of the controller.
- Contact details of the Data Protection Officer.
- Legitimate interest of the data controller or the third party.
- Recipients or categories of recipients of the Personal Data.
- Transfers of data to third countries.
- Data retention period.
- Right to withdraw consent at any time.
- Right to lodge a complaint with a supervisory authority.
- Whether the data is necessary for the performance of a contract.
- Existence of automated decision-making, including profiling, the logic involved and the consequences of such processing.
CCPA: The CCPA states that information on the following must be provided to individuals:
- Categories of Personal Information collected, sold or disclosed for business purposes in the previous 12 months.
- Alternatively, if no Personal Information was sold, that fact should be stated in the privacy policy.

29. Differences in the Rights of consumer

Information on third party involvement
GDPR: GDPR specifies the information that must be given to the data subject when their data is collected from a third party rather than from the data subject. Notice must be given within a reasonable period after obtaining the data, but at the latest within one month, or at the latest when the Personal Data are first disclosed to a recipient.
CCPA: There is a specific requirement that consumers receive explicit notice when a third party intends to sell Personal Information about that consumer that was sold to the third party by a business.

Right to object
GDPR: GDPR provides data subjects with the right to object to the processing of their Personal Data when the processing is based on the legitimate interest of the controller or a third party.
CCPA: CCPA provides consumers with a right to opt out of the selling and/or disclosing for business purposes of their Personal Information. The right to opt out of the sale is absolute, in the sense that businesses cannot reject an opt-out request on the basis of their compelling legitimate grounds.

Language to be used for consumer notification
GDPR: GDPR does not prescribe the specific language to be used.
CCPA: Businesses must adhere to the language provided in the CCPA, namely the homepage of their website must have a link titled "Do Not Sell My Personal Information".

30. Differences in the Rights of consumer

Personal Data Information
GDPR: Under the GDPR, in response to an access request the data controller must also provide information on the retention period, the right to lodge a complaint with the supervisory authority, the existence of automated decision-making, and the existence of data transfers.
CCPA: The right applies only to Personal Information collected in the 12 months prior to the request.

Rejection of Data access request
GDPR: Data controllers can refuse to act on a request when it is manifestly unfounded or excessive, in particular because of its repetitive character.
CCPA: Businesses are not required to provide access to Personal Information if it is requested more than twice in a 12-month period.

Discrimination
GDPR: GDPR does not explicitly include a right of non-discrimination and hence no scope is defined.
CCPA: CCPA defines the scope of this right by stating that consumers must not be discriminated against because they exercised their rights under the CCPA, which means they must not be:
- Denied goods or services.
- Charged different prices or rates for goods or services.
- Provided a different level or quality of goods or services.
- Told that they will receive a different price or rate, or a different level or quality, of goods or services.

31. Differences in the Rights of consumer

Application of Data portability
GDPR: The right to data portability only applies to Personal Data that has been provided by the data subject and that is processed on the basis of consent or contract.
CCPA: The right to data portability is an extension of the right to access, and therefore it is subject to the same limitations.

Transfer of Information
GDPR: In addition to having data subjects receive their Personal Data under the right to data portability, the GDPR extends this right to having the Personal Data transmitted directly from one controller to another.
CCPA: CCPA's right is limited to allowing consumers to receive their Personal Information; it does not extend to having a business transfer the information to another business.

32. Similarity in Compliance Enforcement

Monetary Penalties
GDPR: GDPR provides for monetary penalties in case of non-compliance.
CCPA: CCPA provides for monetary penalties in case of non-compliance.

Damages for Violation
GDPR: GDPR gives individuals the right to seek damages for violations of the privacy law with regard to security-measure violations and data breaches.
CCPA: CCPA gives individuals the right to seek damages for violations of the privacy law with regard to security-measure violations and data breaches.

33. Difference in Compliance Enforcement

Penalties Charged
GDPR: Administrative fines can be issued directly by a Data Protection Authority. Depending on the violation, the penalty may be up to either:
- 2% of global annual turnover or €10 million, whichever is higher; or
- 4% of global annual turnover or €20 million, whichever is higher.
CCPA: Civil penalties can be issued by a civil court. Depending on the violation, the penalty may be up to:
- $2,500 for each violation; or
- $7,500 for each intentional violation.

Levels of Penalty
GDPR: The amount of the penalty may also vary depending on the nature, gravity and duration of the infringement, the nature of the processing, the number of data subjects affected and the damage suffered, and the negligent or intentional character of the infringement, as stated under Article 83(2) of the GDPR.
CCPA: CCPA does not provide for a maximum total amount, so several penalties may be imposed, one for each violation.

34. Difference in Compliance Enforcement

Enforcement authority
GDPR: The administrative fine can be imposed directly by the competent Data Protection Authority, taking into account that other Data Protection Authorities may be involved if the violation concerns more than one Member State.
CCPA: Any violation of the CCPA is assessed and recovered in a civil action brought by the Attorney General.

Investigative powers
GDPR: Data Protection Authorities have the power to conduct data protection audits, access all Personal Data necessary for their tasks, and obtain access to any premises of the data controller and processor.
CCPA: The Attorney General has the power to assess a violation of the CCPA. The CCPA does not specify which activities are included in the assessment.

35. Difference in Compliance Enforcement

Corrective measures
GDPR: Data Protection Authorities have the power to:
- Issue warnings.
- Issue reprimands.
- Order the controller and processor to comply.
- Order the controller to communicate a data breach to the data subject.
- Impose a ban on processing.
- Order the rectification or deletion of data.
- Suspend the transfer of data.
- Impose administrative fines.
CCPA: The Attorney General has the power to assess alleged violations of the CCPA and to bring an action before the court for civil penalties, which include monetary penalties and injunctions.

Regulatory funds
GDPR: GDPR does not regulate how Data Protection Authorities are funded. This is left to the Member States to decide.
CCPA: Monetary penalties collected through civil actions under the CCPA form the Consumer Privacy Fund, which funds the activities of the Attorney General in this sector.

36. Difference in Compliance Enforcement

Judicial remedies
GDPR: Any violation of the GDPR can result in a claim for judicial remedies. Data subjects can claim both material and non-material damages.
CCPA: A judicial remedy is only allowed when non-encrypted or non-redacted Personal Information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of its security obligations.

Damage cost
GDPR: GDPR does not provide any figure for potential damages.
CCPA: The amount of damages is established by statute: not less than $100 and not greater than $750 per consumer, per incident, or actual damages, whichever is greater.

37. Conclusion

While we do agree that having achieved GDPR Compliance does not mean a business is CCPA Compliant, we believe it makes the journey easier. GDPR Compliance sets a strong foundation for CCPA Compliance efforts. To expedite CCPA Compliance, businesses should review their existing compliance program to identify overlaps and gaps in requirements. Identifying the common requirements between the two laws, combined with additional actions for the remaining gaps, will make achieving CCPA Compliance easier. Businesses should leverage the commonalities between the laws and expedite their process accordingly.

Since both regulations are similar and aim at Data Privacy and Data Protection, companies that are GDPR Compliant can use this to their benefit when aiming for CCPA Compliance. CCPA mirrors several elements of the GDPR, including its security and notice requirements and certain consumer rights. Businesses and stakeholders looking to achieve CCPA Compliance should review the policies, processes and procedures that were previously implemented for the EU GDPR. That way they set a foundation for attaining compliance with the CCPA.
