Continued from part III – https://www.linkedin.com/in/charupel/detail/recent-activity/
The CCPA requires businesses subject to it that handle the personal information of California residents to disclose what personal information they collect, the purposes for which it is used, and with whom it is shared or to whom it is sold. The five new rights the CCPA grants Californians are:
- A right to know what personal information is being collected about them;
- A right to know whether their personal information is sold or disclosed and to whom;
- A right to say no to the sale of personal information;
- A right to access their personal information; and
- A right to equal service and price, even if they exercise their privacy rights.
Many organizations are already reviewing or changing their business practices and their personal-data collection and handling practices to determine how this law affects them. Organizations that are already GDPR compliant, or in the process of implementing GDPR, generally find it easier to add the incremental controls the CCPA requires to mitigate the associated risk.
Data Privacy Officers, privacy staff, consultants, HR, Legal and others find it useful to have a side-by-side comparison of the GDPR and the CCPA to identify the additional effort required to implement the CCPA.
The previous blog detailed the CCPA personal information categories and compared the GDPR and the CCPA on a few selected topics: who the law applies to, whom it protects, what information it protects, and security. Below is the continuation:
| Details | GDPR | CCPA |
|---|---|---|
| Law applies to | Covered in part III: https://www.linkedin.com/in/charupel/detail/recent-activity/ | Covered in part III (same link) |
| Protects | Covered in part III | Covered in part III |
| Protected Information | Covered in part III | Covered in part III |
| Anonymous, Deidentified, Pseudonymous, or Aggregated Data | Pseudonymization is defined in GDPR Article 4(5): personal data processed so that it can no longer be attributed to a specific data subject without additional information that is kept separately and protected. Because re-identification remains possible (even indirectly), pseudonymized data is still personal data and stays within the scope of the GDPR (Recital 26). Anonymized data, which can no longer be linked to an identifiable person, is not personal data and is outside the scope of EU data protection law. | The CCPA does not restrict a business's ability to collect, use, retain, sell, or disclose consumer information that is deidentified or aggregated. However, it sets a high bar for claiming either status: data is deidentified only if the business has technical safeguards and business processes that prohibit re-identification and makes no attempt to re-identify it; aggregate consumer information relates to a group or category of consumers from which individual identities have been removed, so that no individual can be singled out or reasonably linked to the data. |
| Privacy Notice / Information Right | When a controller collects personal data, it must give data subjects specific information, such as the controller's identity and the purposes for which the data will be used. The required content differs depending on whether the data is collected directly from the data subject (Article 13) or obtained from another source (Article 14). | Businesses must inform consumers, at or before the point of collection, of the categories of personal information collected and the purposes for which each category will be used. Further notice is required before collecting additional categories of personal information or using collected personal information for unrelated purposes. The CCPA also prescribes specific content that must appear in the privacy policy. |
| Opt-Out Right for Personal Information Sales | The GDPR lets data subjects, at any time, object to processing for direct marketing purposes (Article 21(2)) and withdraw consent for processing that relies on consent (Article 7(3)). This effectively allows data subjects to opt out of third-party sales that support marketing or that rely on consent as their legal basis; the GDPR has no standalone "do not sell" right. | Businesses must honor a consumer's request to opt out of the sale of personal information to third parties, subject to limited exceptions. A business that sells personal information must provide a clear and conspicuous "Do Not Sell My Personal Information" link on its website homepage. |
| Security | The GDPR makes privacy by design an express legal requirement under the term 'data protection by design and by default' (Article 25), makes Data Protection Impact Assessments (DPIAs) mandatory for processing likely to result in high risk (Article 35), and requires controllers and processors to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 32). | The CCPA does not directly impose data security requirements. However, it establishes a private right of action for certain breaches of nonencrypted and nonredacted personal information that result from a business's failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, a duty that already exists under California law (Civil Code section 1798.81.5). |
| Children | The GDPR sets the age at which a child can give their own consent to processing by online services at 16, but member states may lower it to as low as 13 (the UK uses 13). Below that age, consent must be given by the holder of parental responsibility. Children must receive an age-appropriate privacy notice, and children's personal data merits specific protection (Recital 38). | The CCPA prohibits selling the personal information of a consumer known to be under 16 without affirmative (opt-in) consent. Consumers aged 13 to 15 can give that consent themselves; for children under 13, a parent or guardian must consent. The protections of the federal Children's Online Privacy Protection Act (COPPA) continue to apply on top of the CCPA's requirements. |
Source: Thomson Reuters and e-InnoSec content