When it comes to digital privacy, everyone is talking about two sets of recent regulations: 2016’s General Data Protection Regulation (GDPR) and 2018’s California Consumer Privacy Act (CCPA).
The former is the most comprehensive data privacy law to date. The GDPR unites the EU under one set of strict rules and includes a wide set of consumer protections, including the right to be forgotten, affirmative consent, timely breach notifications, plain language for service agreements, and hefty fines for businesses that violate the terms. These regulations have captured worldwide attention and have become a blueprint for many countries looking to implement digital privacy protections of their own.
CCPA (and the recent updates made via the California Privacy Rights Act) is the most comprehensive privacy law in the history of the United States, where privacy regulations tend to follow a patchwork pattern. Although it only applies to California residents, the law has garnered a great deal of attention in other states, and a push to implement a uniform federal policy has been gaining momentum. Large companies have a lot of say in the crafting of federal legislation, and from their perspective, it’s easier to comply with one standard legal framework, rather than have it vary by state.
Below, I offer a comparison of the major elements of the GDPR and CCPA. Placing them side-by-side not only allows us to see how privacy regulations are being shaped across the globe, but it also provides insight on the larger, long-term effects that these two policies will have on digital analytics and digital advertising.
The United States uses sector-specific, state-specific, and industry-specific regulations to target narrow areas of concern rather than implementing comprehensive federal legislation to address privacy regulation. That means that while CCPA is the most comprehensive privacy law in the United States, it still only protects residents of California.
The CCPA applies to companies conducting business in California who have gross revenue in excess of $25 million; who annually buy, receive, or sell personal information for more than 50,000 consumers; and who derive 50 percent of their income from selling consumer personal info. That being said, if a business outside of California meets all of the thresholds outlined in the CCPA, and they are marketing to consumers in California, those California consumers can expect the business to comply with the CCPA.
The GDPR protects individuals in the European Union, and it applies outside the EU when a company sells products or services to individuals inside the EU or when EU individuals are targeted. The regulation applies to data controllers and data processors. In short, its scope with respect to who it applies to, is much wider than CCPA.
Enforcement and Penalties for Violations
The CCPA is enforced by the California Attorney General, and the penalties range between $2,500 for a non-intentional violation to $7,500 for an intentional violation. Businesses who violate the CCPA are not liable and won’t be penalized if they can rectify their noncompliance within 30 days after notification.
Under the GDPR, there is no similar timeframe to rectify the violation. Additionally, the penalties are harsh compared to those in California, with fines administered proportionately. Less severe infringements can result in fines up to 10 million euros, or 2 percent of the global turnover of the preceding year, whichever is higher. More severe violations can be fined up to 20 million euros, or 4 percent of the global turnover of the preceding year, whichever is higher.
The European Data Protection Board ensures uniform application of GDPR rules across the EU, and each member state designates a data protection authority. This is an independent, public authority who monitors the implementation of GDPR.
Definition of Personal Data
According to the GDPR, personal data is defined as information relating to an identified or identifiable natural person. It also applies to pseudonymization for information that could still be used in conjunction with other attributes to identify a natural person.
The CCPA uses the term “personal information” and defines it as information that relates to, describes, or is capable of being associated with a consumer or household.
User Choice (Opt-in/Opt-out)
Under GDPR, consumers have rights with respect to the processing of their personal data. Users have the right to restrict any processing activity (opt-out) and businesses are required to have a legal basis for processing personal data. For purposes of marketing and advertising, either “legitimate interest” or “consent” will be the legal basis for processing used. Legitimate interest can be the legal basis for processing if the business can prove the processing activity is absolutely necessary for the use case defined (necessity test) as well as the value derived from the processing activity outweighs any risks to the user’s privacy rights (balance test). If consent is the legal basis for processing, then the consumer must offer informed, active, explicit consent prior to any processing of personal data occurring. In either case, again the user has the right to opt-out of the processing at any point.
Under CCPA, businesses must have a “Do Not Sell My Personal Information” link on the website. But CCPA only stops the sale of personal information (i.e., the exchange for value of consumer information). It doesn’t impact other uses. CPRA expands these protections to offer users the right to opt out of the sharing of any personal information but still stops short of restricting collection and first-party use. In other words, consumers in scope of the CCPA have fewer options and less control over how their personal data is used than consumers under the GDPR.
Right to Erasure
Both policies grant the right to erasure, which gives individuals the right to ask organizations to delete their personal data. Under GDPR, the right to erasure applies to all data concerning the data subject, and individuals can request deletion if the data is no longer necessary for its purpose, if they protest its use, if the data was unlawfully processed, if the data was collected from a child, or if the data erasure is in compliance with a legal obligation.
The CCPA stipulates that the right to erasure applies to data collected from the consumer. Furthermore, it is the business’s responsibility to ensure that the requested data is deleted with any third parties with whom they have shared or sold the user’s personal information. The data cannot be deleted if it’s necessary to complete the transaction for which the data was provided, to detect security issues, needed to identify and repair errors, or to comply with a legal obligation.
Right to Access
According to the GDPR, businesses must inform consumers of their rights when processing data, and data subjects have the right to request access to their personal data. That request must be met within one month from its receipt, although businesses may have an extension for two months if they notify the data subject.
With the CCPA, businesses must inform consumers at or before the time they collect data which categories of information will be collected and why. Consumers have the right to request information about what personal information is collected, how it’s processed, for what purpose, and with whom it’s shared. Businesses must disclose that information within 45 days of the request, although they have one 45-day extension if they notify the consumer.
The GDPR does not prescribe specific requirements for identity verification upon access and/or deletion requests, but states that controllers should use all reasonable measures to verify the identity of the data subject.
The CCPA states that businesses need to establish a method for verifying that the person making the request is the consumer about whom the business has collected information. This is a major issue for businesses because there is no standard way to accomplish this. Many organizations are likely not doing this well or properly, even though it is a requirement to make an attempt at verification.
Purpose Limitation and Data Minimization
Purpose limitation in the GDPR states that data collected for one purpose cannot be used for a new purpose. The GDPR’s data minimization component limits data collection to only what is required for the stated purpose. Collected data should not be held or further used unless it’s essential for reasons clearly stated in advance.
Neither purpose limitation nor data minimization were initially included in the CCPA. This changed with the passage of the CPRA in November 2020 to update and expand protections for California consumers. Under the new guidelines, which become enforceable in 2023, businesses must have justification for the use and retention of personal information as well as a process in place to purge the data once the stated business need has expired. There is now a need to figure out how to code the data we have to determine which uses it’s available for.
Takeaways for Digital Analytics and Digital Advertising
Regardless of your business’s scope or jurisdiction, the rising tide of data privacy requirements will soon be at your door. In both the GDPR and CCPA the liability resides with the entity determining what information is collected and how it is processed/used. It is your responsibility to uphold and respect the privacy rights of your users. For digital analytics and digital advertising professionals there are two key principles to take away: awareness and intent.
Awareness – marketers need to shoulder the responsibility of consumer data. We have to be aware of all the platforms used to collect data, which platforms are processing personal data, how that data is used, who it is shared with, and the effects on users.
Intent – be intentful in all data activities. The rights of users now stipulate that the processing of personal information must be limited to what is reasonable and necessary. The days of collecting anything available and figuring out what to do with it later are over.
Marketing and advertising needs to have a plan in place for what desired outcomes will be, what data is necessary to accomplish those outcomes, and data architectures must be adjusted accordingly. Without these intentful practices and privacy by design principles embedded in digital analytics and digital advertising strategy, your organization will always be leaving itself open to privacy litigation risk.