01 Personal Information in the CCPA
The definition of personal data differs slightly between the privacy regulations. The CCPA defines personal data as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (1798.140(o)(1))
Examples of personal data include direct and indirectly identifiable information such as:
- IP addresses
- Email addresses
- Browsing history
- Geolocation data
Even information from which inferences could be drawn to build a profile of a consumer (based on their preferences, characteristics, behavior and more) is considered personal information.
02 Personal Information in the GDPR
The GDPR gives the definition of personal data in Article 4 as: “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The GDPR applies to personal data that is gathered and processed by automated means, and also to personal data held in a manual (non-automated) filing system.
The CCPA is composed of ten consumer rights with six new rights added as amendments soon after the passing of the bill.
The rights can be categorized into four key parts that are protected under CCPA:
- Right to Disclosure
- Right to Deletion
- Right to Opt-Out
- Right to Nondiscrimination
Steps to comply with the CCPA
- Display notice of sale: Let your visitors know, at or before the point of collection, what types of data you’ll collect and what you’ll do with that data. The user should have the option to opt out of the sale of their personal data at any time. Remain compliant with CookiePro’s CCPA Opt-Out Builder, created to be easily implemented on your site and to satisfy the CCPA’s notice-of-sale display requirement.
- Track do not sell requests
- Categorize cookies to ensure that cookies that can provide a user’s identity have an opt-out option.
- CCPA compliant cookie banner
The GDPR protects its “users”, known as “data subjects”, by defining their rights.
Here are the rights outlined in the GDPR:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
Under the GDPR, all consent must be gathered from data subjects and recorded. Additionally, the Court of Justice of the European Union has ruled that the only valid consent model for the gathering of personal data is explicit consent. Explicit consent must be given by the user on a website’s consent banner. The consent banner cannot have pre-checked boxes giving consent to categories of cookies, except for those deemed strictly necessary.
CookiePro offers a Geolocation Rule capability, so you can display a GDPR-compliant opt-in cookie banner in the UK while maintaining an opt-out banner built from the same template in the US. Sign up for CookiePro today to gain access to the tools you need to take steps toward GDPR compliance!
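The consent rules described above (cookie categories that identify a user need an opt-out, no pre-checked non-essential boxes under an opt-in regime, consent recorded once given, and a different default per region) can be expressed as a small consent-state model. The code below is an added example and is not CookiePro’s code or API; the category names, the country-to-regime mapping and the record layout are assumptions chosen for illustration.

```javascript
// Added example (not CookiePro code). Category ids, the country set and the
// record shape are assumptions; the rules they enforce are the ones described above.

// Each cookie category is either strictly necessary (always on, cannot be refused)
// or non-essential (must be controllable by the user).
const CATEGORIES = [
  { id: 'strictly_necessary', essential: true },
  { id: 'analytics', essential: false },
  { id: 'advertising', essential: false },
];

// Assumed geolocation rule: these country codes get the opt-in (GDPR-style)
// banner; everything else gets the opt-out (CCPA-style) banner.
const OPT_IN_COUNTRIES = new Set(['GB', 'DE', 'FR', 'IE', 'NL']);

function regimeForCountry(countryCode) {
  return OPT_IN_COUNTRIES.has(countryCode) ? 'opt_in' : 'opt_out';
}

// Initial banner state for a regime.
// opt_in : non-essential categories start unchecked (explicit consent needed).
// opt_out: non-essential categories start enabled, user may turn them off.
function initialConsentState(regime) {
  if (regime !== 'opt_in' && regime !== 'opt_out') {
    throw new Error(`unknown regime: ${regime}`);
  }
  const state = {};
  for (const c of CATEGORIES) {
    state[c.id] = c.essential ? true : regime === 'opt_out';
  }
  return state;
}

// Validate a banner's default checkbox configuration before it ships.
// Returns a list of problems (empty means the defaults are acceptable).
function validateBannerDefaults(regime, defaults) {
  const problems = [];
  for (const c of CATEGORIES) {
    if (c.essential && defaults[c.id] !== true) {
      problems.push(`${c.id} must always be enabled`);
    }
    if (!c.essential && regime === 'opt_in' && defaults[c.id] === true) {
      problems.push(`${c.id} must not be pre-checked under opt-in`);
    }
  }
  return problems;
}

// Build the consent record to store: which categories the user allowed,
// under which regime, and when. Strictly necessary categories ignore any
// attempt to refuse them; unknown keys in `choices` are ignored.
function recordConsent(regime, choices, now = new Date()) {
  const categories = initialConsentState(regime);
  for (const c of CATEGORIES) {
    if (c.essential) continue;
    if (typeof choices[c.id] === 'boolean') categories[c.id] = choices[c.id];
  }
  return { regime, categories, recordedAt: now.toISOString() };
}

// Gate used by the site before setting a cookie or loading a tag in a category.
function mayUseCategory(record, categoryId) {
  return record.categories[categoryId] === true;
}

// Handle a "do not sell" request on an existing record: every non-essential
// category is switched off and the time of the request is kept.
function applyDoNotSell(record, now = new Date()) {
  const categories = { ...record.categories };
  for (const c of CATEGORIES) {
    if (!c.essential) categories[c.id] = false;
  }
  return { ...record, categories, doNotSellAt: now.toISOString() };
}
```

A practical check is to run `validateBannerDefaults` against the banner template in CI, so a template that pre-checks analytics or advertising for an opt-in region fails the build rather than being served to visitors.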
05 Enforcement of the CCPA
The office of the Attorney General of California has until July 2020 to specify exactly how the act will be enforced moving forward.
However, as it is currently written, the CCPA can be enforced both by the Attorney General for California and by citizens, with a few stipulations. It is somewhat more difficult for citizens to bring legal action against a company on their own, while the Attorney General is able to challenge a business much more easily.
06 Enforcement of the GDPR
The EU’s privacy regulation, the GDPR, is enforced through the Information Commissioner’s Office (ICO), a regulatory authority that leads the enforcement of all of the UK’s privacy and data protection laws. It ensures that companies comply and issues penalties to companies found to have mishandled data or failed to report a data breach.
When the ICO has been informed of a data breach or another infringement of the law, it investigates the data controller and data processor to establish the extent of the infringement. It can carry out audits, obtain access to the processor and controller to see what data is being held, and review the certificates of the data controller and processor. After the investigation, the ICO can enforce the law through a penalty per infringement totaling over €20 million or up to 4% of the organization’s annual income.