    CCPA vs. GDPR: 10 Steps You Should Take Now to Get Ready for the…

    In today’s evolving landscape of data privacy, understanding the fundamental differences and prominent similarities between the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) is critical for businesses. If you’ve been knee-deep in GDPR compliance efforts, the good news is that much of that previous work can be a springboard to CCPA adherence. Below are ten manageable steps to navigate this process effectively.

    CCPA Enforcement Deadlines – A Moving Target

    Despite ongoing updates and potential amendments being discussed by California’s legislature, businesses had to comply with CCPA standards starting January 1, 2020. Enforcement by the Attorney General cannot begin until six months after the final regulations are published or until July 1, 2020, whichever comes first. Even for organizations already focused on GDPR compliance, the effort entails considerable time and resources. Organizations should familiarize themselves with actionable steps to align with the evolving regulatory framework (see “California’s New Landmark Data Privacy Regulation and What Companies Need to Do to Comply” from July).

    The CCPA introduces stringent requirements comparable to those sought in the EU, notably regarding the rights of California residents concerning their personal data. Here are the essential steps businesses need to consider for effective compliance:

    Privacy Policies/Notices and Transparency

    1. Scope, Update, and Distribute Privacy Policy & Notices.
      The CCPA mandates clear transparency regarding the collection of personal data, whether it is sold or shared, and the individual rights of access, portability, and deletion. Businesses must revise their privacy policies accordingly.

      • Compared to GDPR: The GDPR demands broader disclosures than the CCPA.
      • If preparing for GDPR: Update to reference CCPA particulars such as toll-free numbers and the specifics of HR data handling.
      • If a service provider: Updates needed are more limited and focused because of specific contractual stipulations.
    2. Assess whether personal information is sold or shared, and establish opt-in/opt-out methods.
      Under the CCPA, individuals must have the option to opt out of information sharing. For minors, parental consent is required for data-sharing activities.

      • Compared to GDPR: While the GDPR has no explicit ‘do not sell’ provision, it does grant individuals a right to object to data processing.
      • If preparing for GDPR: Adjust procedures for opt-in/opt-out channels as needed.
      • If a service provider: Work with business customers to ensure compliance.

    New Processes – Business and IT

    3. Data Mapping for Expanded Definition of Personal Information.
      It is paramount to refine data classification and privacy compliance processes specifically for California residents, ensuring all types of personal data outlined in the CCPA are identified.

      • Compared to GDPR: Similarly expansive, but the CCPA includes household information.
      • If preparing for GDPR: Leverage existing mappings for California relevance.
      • If a service provider: Ensure proper identification of data flows.
    4. Identify third parties receiving California data.
      Tracking data flows to external parties is crucial, as is ensuring contracts are updated to reflect CCPA requirements.

      • Compared to GDPR: More specificity is required under CCPA disclosures.
      • If preparing for GDPR: Use existing processes to manage vendor relations.
      • If a service provider: Ensure compliance on subcontractor matters.

    Individual/Data Subject Rights

    5. Update data subject request procedures.
      The CCPA permits Californians to access, port, and request deletion of their personal data. Businesses should track the internal systems that handle consumer information so that such requests can be fulfilled.

      • Compared to GDPR: The GDPR includes an additional right to correction.
      • If preparing for GDPR: Adapt GDPR processes for California residents.
      • If a service provider: Be ready to address customer requests.
    6. Incident Response Policy Update.
      The CCPA brings a private right of action for data breaches, emphasizing the need for effective incident response plans that accommodate the nuances of the CCPA.

      • Compared to GDPR: The GDPR requires more stringent notification protocols but lacks a private right of action.
      • If preparing for GDPR: Include CCPA provisions in your incident response plans.
      • If a service provider: Factor in customer notification guidelines.
    7. Develop Pricing Guidance.
      The CCPA restricts pricing practices that would discriminate against individuals exercising their rights; businesses should document their policies accordingly.

      • Compared to GDPR: This is a unique CCPA requirement.
      • If preparing for GDPR: Note that this is an additional action item for compliance.
      • If a service provider: This may not apply significantly.

    Additional Considerations (Optional)

    8. Define program governance responsibilities.
      Although not a specified CCPA requirement, appointing someone to oversee compliance is wise, especially for companies managing multiple regulations.

      • Compared to GDPR: The GDPR mandates responsibility appointments in certain situations.
      • If preparing for GDPR: Consider appointing someone to manage both compliance realms.
      • If a service provider: Similar responsibilities apply.
    9. Deliver workforce training.
      A knowledgeable workforce is essential for adhering to compliance protocols. Tailor training modules to cover California-specific privacy aspects.

      • Compared to GDPR: Under the GDPR, fostering employee awareness is part of the data protection officer’s (DPO’s) duties.
      • If preparing for GDPR: Reuse training materials for a California-oriented course.
      • If a service provider: Limited scope, but critical for affected roles.
    10. Conduct training simulations.
      New data subject rights necessitate fresh training approaches; consider tabletop exercises for handling such requests and incident responses under the various laws.

      • Compared to GDPR: Similar preparations are advised.
      • If preparing for GDPR: Update scenarios to factor in CCPA elements.
      • If a service provider: Training considerations largely mirror those for businesses.

    * Barbara Sondag is a senior privacy and cybersecurity advisor at Fenwick & West.

    Originally published in April 2019 by Wolters Kluwer (subscription required): “Fenwick & West – CCPA vs GDPR: Ten Steps to Take Now.”
