The short answer is NO. Most Californian companies dealing with European customers have already had to comply with the European Union’s General Data Protection Regulation (GDPR). However, because of the unique features of the California Consumer Privacy Act of 2018 (CCPA), GDPR compliance does not amount to CCPA California Compliance by default.
GDPR compliance does, however, mean you have less work to do. Here we set out the differences between the two regimes, notwithstanding their numerous similarities. Before considering these, you should first check our last post to find out whether your business falls within the CCPA California Compliance net.
Broader Privacy Disclosure Under CCPA California Compliance
Privacy policies under both the GDPR and CCPA California Compliance must describe the purposes and uses of the data collected, including the rights of data subjects and how they can exercise those rights. The CCPA doesn’t stop there: businesses must also disclose in their privacy policies whether they will sell the data collected and the categories of third parties that obtain their data through a sale.
“Do Not Sell My Personal Information” Under CCPA California Compliance
Where a business intends to sell the data it has collected, data subjects have the right to opt out of that sale. As a result, under CCPA California Compliance, businesses are required to include on their website homepage a “Do Not Sell My Personal Information” link that allows customers to opt out of a sale.
Additional On-Demand Disclosure Rights Under CCPA California Compliance
Both the GDPR and the CCPA grant data subjects erasure and portability rights. Under the CCPA, these rights cover only data collected within the last 12 months, while the GDPR has no such time limit. Before complying with an erasure or portability request under the CCPA, a business has a duty to verify the identity of the person making the request, and it has 45 days within which to respond. Data subjects can make erasure and portability requests only twice within 12 months. Under the GDPR, the response time is one month, but there is no limit on the number of requests that can be made.
Nondiscrimination and Enforcement Under CCPA California Compliance
This provision, which is notably absent from the GDPR, is meant to protect data subjects and consumers who exercise their rights from discrimination. A business that resents a customer for exercising their CCPA rights cannot respond by denying that customer goods, services or discounts. The same applies to offering low-quality or substandard goods and services.
The GDPR is enforced by the local Data Protection Authority, while the CCPA is enforced by the California Attorney General. The GDPR allows for class actions, while under the CCPA individuals can bring actions to enforce their rights. For businesses in violation of CCPA California Compliance, the AG must give 30 days’ notice before instituting an action. The AG can recover fines of $2500 per violation and $7500 for willful violations, while individuals can recover about $100 to $750 per violation. Penalties for violations of the GDPR are higher: a maximum of €20 million or 4% of global revenue, whichever is higher.
Overall, the CCPA’s provisions appear stricter than the GDPR’s.