CCPA & GDPR: The Importance of Data Protection Laws
If we had to name the main characteristics of modern times, the use of the internet would certainly be among them. The predominance of online activities across a wide range of social practices has been changing the way we interact, study, do business and much else. With the world so connected, the possibilities for obtaining and processing information have increased tremendously, and many companies have realized the value that data has in securing competitive advantages.
Data makes it possible for companies to understand their current and potential customers, which in turn allows them to develop processes, products and services that are more aligned with customer expectations. Hyperconnectivity and technological solutions took the acquisition and use of user data to another level, generating a series of ethical dilemmas that we had not been concerned with before and creating the need for means to protect us.
Transparency and responsibility are key concepts when it comes to data protection. Transparency is the practice of not hiding anything. It means that companies that collect data from people need to make it very clear to everyone what use they will make of it. Based on a policy of transparency and privacy notification, the user must have control over what data is used.
As for responsibility, it is about making companies change their stance on the commitment they take on when they hold other people's data. An example of responsibility (or rather, lack of responsibility) is the Facebook-Cambridge Analytica data scandal. Cambridge Analytica is a private data analysis company that developed an application for Facebook to collect information from users and misuse it in election campaigns. At that time, it was Facebook that collected the data, but a flaw in its privacy policy allowed it to be used for political purposes by another company.
In this context, the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are examples of regulations that apply to businesses that collect, use, or share consumer data from online and offline sources. The aim of these regulations is to guarantee strong protection for individuals' personal data. The GDPR, which became effective on 25 May 2018 in the European Union, is one of the most comprehensive data protection laws in the world. The CCPA, which went into effect on 1 January 2020, is a comprehensive federal privacy law in the U.S. and is considered to be one of the most significant legislative privacy developments in the country. Similar to the GDPR, the CCPA's impact is expected to be global, given California's status as the fifth largest global economy.
Both laws give consumers rights over their data and require organizations to follow certain procedures while handling customers' personal information, namely, being transparent and acting in the best interest of the people whose information they collect. However, the GDPR imposes additional obligations, such as the requirement to ensure that personal data is protected as it crosses borders and the requirement that companies follow certain rules regarding notification to individuals and regulators when a data breach occurs. The GDPR applies to European residents, while the CCPA applies to California residents. The GDPR applies to the personal data of data subjects, while the CCPA applies to the personal data of consumers and households. Also, the GDPR and CCPA have different breach notification requirements and penalties for non-compliance. Fines for GDPR non-compliance start at 10 million euros or 2% of the global annual revenue and can reach 20 million euros or 4% of the global annual revenue, with the larger amount always prevailing. Fines for CCPA are $2,500 for each violation and $7,500 for each intentional violation. A complete guide to the similarities and differences between these two laws is "Comparing privacy laws: GDPR v. CCPA" by Data Guidance, available from the Future of Privacy Forum.
It is also interesting to note how these laws affect the world economically and socially. In the case of the GDPR, an article of August 2019, published at the Privacy Security Academy, points out five major outcomes of the regulation:
- Increased trust in the larger firms, as the public believed that large companies have more resources to comply with the regulations.
- Led to the shutdown of small and medium companies due to the high cost of complying.
- Trust in online firms has fallen to its lowest point in a decade.
- Increased cyber risk around identity theft and fraud.
- Created the illusion of privacy, as less than half of applicable firms comply because of the high cost and discretionary enforcement.
Despite these impacts, data protection is unavoidably necessary in today's world. According to Gartner Research, security and risk management leaders, including Chief Information and Security Officers (CISOs) and privacy professionals, must strengthen their efforts to recognize the maturity of protection regulations and ensure an operation friendly to the privacy of information. In its statement, the company points out that privacy is increasingly a critical issue for organizations and has been reinforced by the adoption of new work standards in the area. "Multiple countries are implementing regulations inspired by the GDPR principles, a movement that is likely to continue into the foreseeable future," says Bart Willemsen, Senior Analyst at Gartner. More detail is available in Gartner's prediction of the Future of Privacy.
By:
Sreevani Konda, Data & Analytics Leader