5.2. GDPR and CCPA
The General Data Protection Regulation (GDPR) is a privacy and security law concerning the protection of personal data. Personal data are considered to be any information that can, directly or indirectly, lead to the identification of an individual (Goddard, 2017, p. 703). Personal data include information regarding location, ethnicity, gender, biometric data, religious beliefs or web cookies. Pseudonymous data can also fall within the scope of personal data if an individual’s identity can easily be recovered from them. GDPR was drafted and passed by the European Union (EU); however, it imposes obligations on organizations worldwide as long as they interact with and collect data related to citizens in the EU (Wolford, 2019). In this way all EU residents are protected regardless of where the data processing takes place.
Brief historical look
If GDPR is violated, the fines are very high. There are two kinds of penalties. The first is a fine of about 20 million euros or 4% of global revenue, and the second is that the people whose data were not protected have the right to ask for compensation (Wolford, 2019).
Principles of data protection (Wolford, 2019).
Processing of personal data should be carried out according to seven core principles:
- Lawfulness, fairness and transparency.
- Purpose limitation: Data should only be used for the purposes the subject has been informed about.
- Data minimization: Only the data strictly necessary for the stated purpose should be collected.
- Accuracy: Data must be kept accurate and up to date.
- Storage limitation: Data may be stored only for as long as the purpose requires.
- Integrity and confidentiality: Data must be processed in a way that ensures their protection and confidentiality.
- Accountability: The party processing the data is responsible for demonstrating GDPR compliance with all the principles above.
It is mandatory that data subjects give their consent before their data may be processed. But what does consent consist of?
- Consent should be freely given, be specific and unequivocal.
- Requests for consent should be clear, distinguishable and presented in simple words.
- Data subjects have the right to withdraw their consent at any time.
- When it comes to children under age 13, parents’ permission is compulsory.
- Documentary evidence of consent needs to be saved.
The individual who agrees to disclose personal data also has privacy rights. They are listed below (Wolford, 2019):
- The right to be informed
- The right of access
- The right to correction
- The right to deletion
- The right to limit processing
- The right to data portability
- The right to express objections
- Rights in relation to automated decision making and profiling
Figure 5.1. An example of how access to personal data is asked through the internet
The California Consumer Privacy Act (CCPA) reinforces privacy rights and consumer protections for California residents. It is a California state law that was passed in June 2018 but did not go into effect until January 1st, 2020 (Cooman, 2020). According to the CCPA, personal data are considered to be any information that may lead to an individual’s identification (such as name, address, email, passport number, social security number, etc.), commercial information (such as products purchased), electronic network activities, audio or visual data, and conclusions drawn from any of the aforementioned information to create a profile of a consumer reflecting their preferences.
Objectives of CCPA
- Own your personal data
- Control your personal data
- Protect your personal data
- Hold big companies liable
Figure 5.2. CCPA’s basic elements
Main differences between GDPR and CCPA
Although GDPR and CCPA share common points, they are not interchangeable. Their key differences relate to the territorial scope and application of the law, to the penalties in case of violation, to the nature of the data and the limitations on its collection, and to the fact that GDPR requires a lawful basis for all processing of personal data (A., 2021). These differences are shown in the following picture (A., 2021).
2019 is the Year of . . . CCPA? [Infographic]. (2019). The National Law Review. https://www.natlawreview.com/article/2019-year-ccpa-infographic
A. (2021, January 7). CCPA vs. GDPR – differences and similarities. Data Privacy Manager. https://dataprivacymanager.net/ccpa-vs-gdpr/
Cooman, G. (2020, January 28). What is CCPA and why should it matter to you? Proxyclick. https://www.proxyclick.com/blog/what-is-ccpa-and-why-does-it-matter-to-you#DDP
Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European Regulation that has a Global Impact. International Journal of Market Research, 59(6), 703–705. https://doi.org/10.2501/ijmr-2017-050
Wolford, B. (2019, February 13). What is GDPR, the EU’s new data protection law? GDPR.Eu. https://gdpr.eu/what-is-gdpr/