What is the Difference Between the CCPA in California and the GDPR in Europe?

In May 2018, the European Union General Data Protection Regulation came into effect. It was a sweeping act that set a new standard for data privacy uniformly across all of its 27 member states. The GDPR was implemented to give users more control over how their personal data is being used. It applies not just to any business based in the EU, but to any business that collects personal information from EU residents. This means that any U.S.-based companies interacting with consumers from the EU are also subject to the GDPR.

Websites collect and store the personal data of their users all the time. This can be as simple as when you visit the site to read articles or access other resources posted on it. It can also be personal information you enter on the website, such as your name and e-mail address when you subscribe to a website newsletter, or sensitive information like your Social Security number (for U.S. citizens) or the payment card information you enter when you make a purchase on the website. Most websites collect this data for their own purposes, and a number of them make money by selling it to other companies. The GDPR was enacted to give users more control over, and knowledge of, what happens to their personal information once it’s collected.

In 2020, data privacy finally started to have a similar moment in the United States. It came from an individual state and not the federal government. The California Consumer Protection Act of 2018 (CCPA) came into force in January 2020 and became enforceable in July. The CCPA is clearly inspired by the GDPR, but it is very much its own piece of legislation. It was spurred on by the massive data breaches that have affected U.S. citizens recently, such as the ones experienced by Facebook, Equifax, and Sony. The CCPA gives California users the right to know which of their personal data is being collected and the ability to opt out of it being sold.

It may be somewhat reductive to state that the CCPA is similar to the GDPR, just less strict and far-reaching. Most individuals’ requests to access their data under the GDPR must be answered within 30 days, while under the CCPA, businesses have 45 days to act on the request. The GDPR is also more stringent in the obligations it imposes upon data controllers, stating that website owners must have prior consent from users to sell their data, while the CCPA gives users the option to opt out instead of requiring prior approval. This blog post is intended as a general look at the differences between the two laws. For a more specific look at the respective scope of the two acts, consult this article written by Stephan Grynwajc for the law firm Outside GC:

https://www.legaledge.co.uk/2020/06/gdpr-v-ccpa-privacy-legislation-cousins/ 

Importantly, California just approved a new ballot initiative entitled the California Privacy Rights Act (CPRA). The CPRA will replace the current CCPA when it comes into effect on January 1st, 2023. The CPRA is stricter and hews even closer to the GDPR standard. It even creates an independent enforcement agency that will ensure that the act is being followed. Although it is two years away from being passed into law, the CPRA was revealed to help businesses properly prepare to implement those rules by the time it is passed.

Any business that has an online presence and has customers in Europe or California needs to understand how and to what extent the GDPR, the CCPA, and tomorrow the CPRA may impact them. This work is not simply about refraining from selling individuals’ personal data: it requires a complete overhaul of your IT systems and a shift in how you look at online privacy. For help getting your business up to legal standards, contact the Law Offices of S. Grynwajc, PLLC today. We are here to help you think globally and act locally.
