Leverage existing compliance efforts to meet new regulatory requirements during this time of global privacy revolution.
The European Union (EU) and its landmark General Data Protection Regulation (GDPR) is inspiring a global privacy revolution in many places, fostering new regulations to provide individuals with greater privacy rights and greater control over the personal data they share with organizations.
In the U.S., the California Consumer Privacy Act (CCPA) is the first state-level privacy law to follow GDPR and focuses on many of the same principles. Other U.S. states are watching this closely, as is the national debate about privacy rights and laws. Though CCPA is set to go into effect January 1, 2020, the 12-month look-back requirement means companies must maintain records of personal information collected a year prior to the act’s start date - or information companies collected January 1, 2019 onward.
In the first of this three-part blog series on CCPA, we discuss how GDPR’s and CCPA’s similar underlying privacy principles bond the two and especially help to accelerate CCPA readiness for those organizations that prepared globally for GDPR.
Overall, GDPR is considered to be broader than CCPA, which has a specific focus on privacy rights for Californian consumers whose personal information has been collected/processed by organizations. However, broadness and narrowness seem to alternate between the two. For example, GDPR defines personal data as “any information relating to an identified or identifiable natural person” while personal information under the CCPA is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly with a particular consumer or household.” Personal information may well be considered broader under CCPA with mentions to “indirect,” “links,” and “households,” which could reference family members living within the same household.
What constitutes an entity to be in scope? CCPA is more narrowly applied using criteria like: for-profit organizations with revenue greater than $25 million. GDPR poses a much broader criteria: an entity offering goods or services to data subjects in the EU. Furthermore, the CCPA presents more prescriptive nuances on principles than GDPR. Such differences include a cure period, at least two methods for consumer rights requests (a toll-free phone number and website address), a limitless amount of total fines, an antidiscrimination provision that allows for price and quality variations, a limited private right of action for data breaches, and a required “do not sell my personal information” Internet web page.
The common privacy principles allow for the fundamental synergies and alignment between the two. Similar to GDPR, CCPA requires organizations to have a detailed and more open understanding of the consumer’s personal information collected and the lifecycle (collection, use, transfer, storage) of that information across the business, including third parties (such as cloud system providers). This foundational understanding of the lifecycle of personal information facilitates data access and deletion requests, for GDPR or CCPA, allowing consumers, or data subjects, the ability to exercise their privacy rights and gain control of their personal information.
There are many areas of overlap and exclusions between the two: “Driving change” offers a detailed, side-by-side comparison of both, as well as foundational steps toward CCPA compliance.
Leading companies will leverage CCPA and GDPR measures to go beyond compliance. These companies will mature their privacy program postures and ultimately build consumer trust and loyalty. Our upcoming blog posts “How to conduct data inventory and data mapping” and “Managing consumer rights” will explore the practicalities of personal information collection and the four management stages of individual rights, respectively.
 Regulation (EU) 2016/679 of the European Parliament, April 2016, O.J. L 119.
 California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code § 1798.140(o)(1), 2018.