In 2016, Yahoo announced that a data breach resulted in the compromise of 500 million users’ names, email addresses, dates of birth, and telephone numbers. In 2017, Equifax, one of the largest credit bureaus in the United States, reported that 143 million consumers had a mixed bag of their personal information exposed: social security numbers, birth dates, addresses, driver’s license numbers and/or credit card information – take your pick. In 2018, two years after acquiring Starwood, Marriott discovered that cyber attackers had been squatting in the Starwood database since 2016, resulting in stolen data of another 500 million customers.
Fast forward in 2018 and this makes headlines: Google is fined $57 million for failing to comply with the European Union’s (EU) General Data Protection Regulation (GDPR).
Beginning with GDPR, which went into effect on May 25, 2018, legislative bodies finally started implementing security measures to protect consumers’ personal data. California leads the protecting-privacy-path for the United States – in June 2018, Governor Jerry Brown signed the California Consumer Privacy Act (CCPA), which will go into effect in January 2020.
But what does this mean for California businesses? What are GDPR and CCPA and how do they compare? Here’s the need-to-know:
WHAT IS GDPR?
GDPR went into effect on May 25, 2018 and serves as one set of data protection rules for all companies operating in the EU, regardless of where the company is based. The goal of GDPR is two-fold: (1) to ensure that individuals have more control over their personal data; and (2) to provide a level playing field for businesses.
GDPR regulates the processing of personal data or information relating to individuals in the EU. Simply put, if a business anywhere in the world processes personal information of members of the EU, it is subject to GDPR. For purposes of GDPR, personal data “means any information relating to an identified or identifiable natural person (‘data subject’) . . . by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Practical examples of personal data include name, surname, home address, email address, identification card number, IP address, cookie ID, and any other information that could directly or indirectly identify a natural person.
“A [data] controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the [data] processor is an entity which processes personal data on behalf of the controller.” The data controller is usually the business that is collecting and processing the personal information, but the duty to comply with GDPR can also extend to tech companies hired by businesses to process the data.
WHAT IS CCPA?
CCPA goes into effect in January 2020. Being a state initiative, its applicability is narrower than GDPR. CCPA applies to any business in California that meets at least one of these requirements: (1) earns $25 million or more in a year in revenue; (2) buys, sells, or receives personal information of consumers, households, or devices for commercial purposes; or (3) derives 50% or more of annual revenue from selling consumer information.
Under CCPA, personal information has a more robust list of information that can be directly or indirectly linked to an individual than does GDPR, such as commercial information, geolocation data, professional or employment-related information, and education information.
While GDPR focuses on any entity or individual that processes information, CCPA concentrates on businesses that collect consumer information.
COMPARISON: GDPR v. CCPA
GDPR and CCPA are similar initiatives but have a few idiosyncrasies that businesses should be aware of to ensure compliance. This accompanying chart presents a brief comparison of the data privacy laws:
Download chart as pdf here.
Though GDPR and CCPA appear to have specific provisions and hefty fines for violations, we will not have the opportunity to witness how effective they are until disputes (not just fines) ensue. In the meantime, one thing is certain for businesses that collect personal information – data privacy legislation is finally here, and based on Google’s experience, it’s better to be in compliance sooner rather than later!
 GDPR ch.1, art.4(1).
 For purposes of this article and simplicity, “data subject” will be called consumer and “data controller” will be called business or organization.
For more information contact :