Location, location, location. Turns out, it matters to startups as much as it matters to real estate agents. After 2016, location became even more important.
In 2016, the European Union (EU) adopted the General Data Protection Regulation (GDPR) and gave its member states two years to implement it. In 2018, California passed the California Consumer Privacy Act (CCPA) and set it to take effect on January 1, 2020. These twin data privacy protection laws, passed within a few years of each other and an ocean apart, changed the world of compliance.
If you want to operate in California or the EU, then you need to comply with CCPA and GDPR, respectively. Both regulations emerged from modern concerns about privacy, but they differ in scope and approach. Understanding the differences between them is key to becoming compliant, and becoming compliant is key to landing enterprise deals.
If you want your business to grow, and if you want your total addressable market (TAM) to eventually include businesses all over the world, then you need to know the difference between CCPA and GDPR.
CCPA is a data law from California that regulates the way for-profit companies operating in California handle consumers’ personal information for commercial purposes. GDPR is a data law from the EU that regulates firms controlling and processing the data of EU citizens. If you want to be a global company, both are within your purview.
Governor Jerry Brown signed the CCPA into law on June 28, 2018, and set it to take effect on January 1, 2020.
The CCPA has its origins in the efforts of a real estate developer to introduce a new privacy law called the Consumer Right to Privacy Act of 2018. Supporters gathered the required signatures to get it on the ballot, but California legislators, working with worried businesses, replaced it with the CCPA, a less restrictive law.
The purpose of the CCPA is to give consumers more information and more control about the data that organizations gather from them. According to the CCPA, Californians have the right to know how companies will use, share, and sell their data. Consumers have the right to access that data and the right to demand businesses disclose that data. According to John Stephens at the American Bar Association, however, the CCPA still “sets the bar higher than ever before for U.S. companies regarding data privacy regulation.” The CCPA, the text of which directly cites the Cambridge Analytica scandal, wherein a data firm acquired millions of pieces of consumer data from Facebook, was born from controversy and remains controversial, especially among private businesses.
The origins of the CCPA date back a couple more years to 2016, when the EU introduced GDPR.
The European Parliament adopted the GDPR in April 2016. GDPR replaced the then-outdated Data Protection Directive, which was adopted in 1995—the pioneering days of the internet. The key difference, as law professor Andrew Rossow points out, is that a directive enables EU member states to customize the law to their citizens; a regulation requires “full adoption.”
Related read: Developers: Your GDPR Compliance Guidebook
The EU website provides a handy timeline that you can use to dig deeper, a portion of which is included below.
One of the consequences of GDPR? The banner that’s now ubiquitous on the internet asking you whether or not you want to accept cookies. And yes, when you visit this timeline, there is indeed a banner warning you about how and why the site is collecting cookies.
Together, these two regulations changed the landscape of global compliance and data security. Before, companies could in many ways “move fast and break things” (sorry, Facebook); now, they have to establish strict data privacy policies first.
Be forewarned that legal jargon lies ahead. To give you a rudder in these choppy seas, keep your eyes peeled for these three terms: personal data; pseudonymization; and controllers and processors.
Personal data: Personal data is, essentially, any information that you could associate with an individual. “May 7, 1973” is someone’s birthday, surely, but it’s not personal data because you can’t attach it to an individual. GDPR uses “personal data,” while CCPA uses the slightly different term “personal information,” but both terms carry similar meanings, and both are core to GDPR and CCPA compliance.
Pseudonymization: Pseudonymization, a mouthful of a term, refers to the way companies turn personal data into functionally anonymous data by removing or separating identifiers. Companies keep “May 7, 1973” in a vault separate from the person “Mary Beth.” You might know one but you cannot know the other, and you certainly can’t attach them.
Controllers and processors: Both CCPA and GDPR maintain a distinction between who controls the data and who processes the data. According to GDPR, a data controller determines the purpose and means of what the data processors process. According to CCPA, using different but functionally similar terms, a business determines the purpose and means of what a service provider processes. If the terms are hard to remember, just keep in mind the dyad: Each regulation distinguishes between who’s the boss of the data and who actually handles the processing of personal data.
These three terms will keep you focused when the legalese threatens to distract you. Personal data is what’s in play here; pseudonymization is what companies do to safeguard personal data; and controllers and processors are how the regulations distinguish between who owns data and who processes it.
The CCPA and GDPR fulfill similar purposes, and as such, bear many similarities. At first glance, you might think complying with one means complying with the other.
CCPA and GDPR, however, are complex regulations with many subtleties. You don’t need to be a lawyer or a compliance expert to keep them straight. Our guiding light here is the International Association of Privacy Professionals’ legal guide, which goes into great detail. We’ve highlighted seven main differences that will help you remember the differences.
CCPA regulates for-profit companies that do business in California and, in addition:
GDPR regulates data controllers and data processors in the EU that process personal data or data controllers and data processors outside the EU that process the data of EU citizens.
CCPA protects consumers, which the CCPA defines as California residents. Consumers include customers, employees, and business-to-business transactions. Additionally, the CCPA prohibits businesses from selling the personal information of consumers under 16, unless, for children aged 13-16, they provide consent and opt in.
GDPR protects “data subjects,” either EU citizens or residents, which GDPR defines as “an identified or identifiable natural person.” GDPR treats children similarly to CCPA, but puts the age of content at 16 to opt in to the sale of their personal information.
As we alluded to previously, CCPA and GDPR protect slightly different types of personal information.
CCPA protects personal information, which CCPA defines as information that you can associate with a particular consumer or household.
GDPR protects personal data, which GDPR defines as information related to a data subject.
CCPA allows businesses to collect, use, retain, and sell information from consumers—as long as it’s not associated to any particular person. That said, according to the International Association of Privacy Professionals, the CCPA “establishes a high bar for claiming data is deidentified or aggregated.”
GDPR, counter to CCPA, considers pseudonymous data to be personal data. GDPR only considers truly anonymous data to not count as personal data.
CCPA requires businesses to inform consumers about the categories of personal information collected, as well as the intended use of each category. Companies have to provide further notice if they want to collect additional information categories or use the information they gather for purposes unrelated to the original intent. Similar rules apply to third parties who buy and may want to re-sell personal data.
GDPR requires that data controllers provide consumers with information about how they are collecting and processing their personal data. Such notices must also detail whether or not the company is collecting data directly from the data subject or gathering data through a third party.
The CCPA grants consumers a right of action—the legal basis to sue—for very particular types of data breaches. Though companies have 30 days to fix a breach, consumers can seek damages that go as high as $750 per consumer per incident. Additionally, the California Attorney General may enact civil penalties against companies that violate the CCPA. Depending on whether non-compliance was an intentional violation or not, this can go as high as $7,500 per violation.
The GDPR grants a similar right of action to data subjects if a data controller or data processor breaches GDPR and causes damage. Additionally, the GDPR can impose expensive administrative fines. These fines can be as much as 20 million euros or 4% of a company’s annual global revenue.
The Future of Privacy forum details the rights across CCPA and GDPR; nine of the most important are highlighted here.
CCPA and GDPR agree on two rights: the right to data portability and the right to deletion.
The CCPA specifically covers three rights that the GDPR doesn’t:
Similarly, the GDPR covers four rights the CCPA doesn’t:
As you can see, the rights in particular of your potential and current customers differ across CCPA and GDPR. Refer to this handy infographic to summarize the differences.
Though CCPA and GDPR offer similar rights, they also differ in key ways, as you saw previously.
Laika, a startup providing compliance and audit management software, lays out three ways startups can use compliance for growth:
Enterprises need to know you’re compliant before they’ll sign a deal with you. Enterprises, by their nature, are large and more than likely operate in both California and the EU. A deal with an app that isn’t compliant could then threaten the enterprise—and that’s something they just won’t risk.
Compliance is one reason among many established enterprises will work with other established enterprises instead of startups—product quality be damned. You don’t want to be on the losing end of that deal.
You’re an internet company, and the opportunity in front of you is global. When you deliver your product online, scale is often merely a matter of additional digits in your AWS bill.
The existence of CCPA and GDPR mean, however, that the internet is no longer the Wild West. If you want to operate globally—and you do—then compliance needs to be a core part of your business strategy.
Find your early customers first, find product-market fit, build out your core team, iterate—and sooner rather than later, build out your compliance strategy. Better to have it now so you can close the next big deal, instead of leaving it to your competitors.