CCPA vs. GDPR: An Overview on Similarities and Differences

Good morning and good afternoon, everyone. Thank you for joining us. I'm John Tolbert from KuppingerCole and I'm joined today by Matthias, a colleague of mine from your Cole. And we're gonna talk a little bit about an overview of the similarities and differences between the CCPA and GDPR.

Hello, this is speaking. So before we begin a little bit about us Cooper and Cole was founded in 2004. We're an independent Analyst firm with offices all around the globe. We offer vendor neutral guidance and technical expertise and thought leadership and a number of areas. And we support lots of different kinds of end user organizations in different industries, as well as system integrators and software vendors with both tactical and strategic advice. We specialize in information and cybersecurity.

I am identity and access management, identity governance, GRC, and really any topic around the digital transformation. We have three major business areas. First is research. We provide research on those cybersecurity information security and IM topic areas. We're very vendor neutral in our approach so that we can provide objective advice and we stay as up to date as possible in those fields. We also host events, conferences, webinars like this one or other special events.

And again, we cover those fields and keep up to date and provide the most leading edge information that we can to offer a future proof approach. These events are really good networking opportunities where you can come out and meet the experts. And then we have advisory services which are best in class. We're trusted advisory partners for businesses around the world. And by working together, we can make your business more successful and provide the best advice that we can. On the event side, we have quite a few events coming up. EIC is our flagship event. It occurs in may and Munich.

Then we also have blockchain. Enterprise stays a digital finance world, which will occur in September. Both of those are in Frankfurt. We have a pair of consumer identity world events. The first of which is in September in Seattle, followed by one in Amsterdam in October. Then we have our cyber next summit, which is about cybersecurity in Washington, DC in October, followed by the cyber security leadership summit and the cyber access summit, which run concurrently and will happen in November in Berlin. So about the webinar, everyone is muted. You don't have to mute or unmute yourself.

We'll handle that for you. We're also recording a webinar and the recording should be available either late today or tomorrow, and we'll take Q and a at the end. And if you look at the go to meeting control panel, you'll see a little blank for questions you can type in any questions you have at any time during the webinar and we'll address them at the end. So the agenda I'll start off and talk about CCPA. Matthias will jump in and do the comparison between CCPA and GDPR. And then again, we'll take the questions at the end.

So before we begin a little legal disclaimer, we're gonna talk about the technical side of CCPA and GDPR. We're not lawyers, we're not attorneys. We suggest that if you want detailed legal information, contact counsel, the real legal counsel. So to get started, CCPA stands for the California consumer privacy act. It was passed by the California legislature about eight months ago, and it will actually be available for enforcement starting on January 1st of next year. So there's a bit of a grace period.

The actual implementation and enforcement will begin between January 1st and July, first of next year. And probably the important penalty come into play after that. And there are penalties involved for both intentional or unintentional violations of the will, the right to learn certain bits of information, specifically, things like what are the categories of information the businesses are collecting or selling or disclosing about individuals as well as where is it going to whom is it being sold? They'll also be given the right to stop businesses from selling or disclosing that information.

And they will be allowed to Sue businesses for breaches, even if they can't actually prove, prove damages businesses have to meet specific criteria for this to be in effect. They must also not discriminate against consumers to exercise those rights. And this can include both online retailers or other kinds of businesses, as well as brick and mortar businesses.

That, and it's important to remember too, that this is just about the businesses that have information about California residents. So this is broader than just businesses that are headquartered in California. This is anybody who's got information about California residents. So the enforcement can also come as a means or three means of complaints filed by consumers as well as whistleblowers or public agencies that are charged with supporting and providing protection for consumers.

So the three major criteria that determine whether or not a company is gonna be subject to this, first of all, if they make more than 25 million in revenue, that would make them subject to it.

If they have the information on more than 50,000 California residents or households, and we'll take a look at the definition of that, this means not only individual residents, but you know, maybe in a slightly anonymized sense of household, a physical address also counts as an entity under the CCPA, or if a business obtains more than 50% of their annual revenue from selling information, those are the three major criteria to determine whether or not a company is gonna be subject to CCPA. So what do we mean by residents?

Well, the title tips, everyone off it starts with the consumers, but then also employees are theoretically part of this.

If you're a business that may not even be headquartered in California, but you have the information about 50,000 employees that are based in California, then that would count patients involved in medical systems, tenants, both residential, as well as business tenants, students, you know, some educational organizations will collect lots of informations about students that, you know, you may not be thinking of in terms of some sort of commercial or consumer sense, but 50,000 students in California would then put you subject to the same regulation.

And then again, residents, the interpretation of residents is, is interesting because it's somewhat loose in that. It's just a, someone who's residing in California on a non temporary basis. So in that case, somebody may be on a long term job assignment, maybe, you know, headquartered outside of California. But if they're there for, let's say six months or longer than for the purposes of the statute, they'd be considered a resident for that period of time. So what kinds of data are covered?

Well, this is different than GDPR. In some regards in Matthias will take a look at that in a moment.

But again, any information that relates to a particular consumer or household. So on the personal side, that can be things like addresses, internet activities, searches, purchases, things like that, as well as any device that gets tied to a specific user, and that can be smartphone or smartphones, tablets, computers, you know, OT devices, consumer IOT devices that may have an associated particular user ID on the household side that would include things like bills.

And an example I've seen is the water bill, you know, that comes to a house that's not necessarily registered with a single individual, but it can uniquely identify a property or a home IP addresses associated with, let's say, a home wifi router or purchases that may be made on behalf of a household. Again, these are bits of information that anything that can be used to uniquely identify a resident or household within the regulation, confers specific rights on the residents.

Firstly, you know, to know who, what, when, where information is being held about them. And then probably most importantly to whom it was sold. The real emphasis of the act is on being able to give users power over, what's gonna happen with their information. So being able to provide users with the information about what they have, you know, be thinking already in terms of making a, a catalog of all the information that you may hold on your California residents, so that they will be requesting to know what, what information is had and then also what's happening with it.

Then you'll also need to provide a facility to have them opt out of selling the data. Again, this is a little bit different in that their opt in, they may be opted in by default, but you've gotta provide them with a way to opt out of selling that information to third parties. Moreover, they can actually ask for that information to be deleted, but if someone decides they want to have their information deleted or they don't want their information sold to a third party, here's where the discrimination bit comes into play. You have to provide equal service and pricing.

Now I know that goes sort of against what a lot of the, the consumer loyalty programs are all about. Being able to offer discounts to people who give up lots of information about themselves. But this particular part of the statute says that if they choose not to share that information or even ask for it to, to be deleted, then you really can't charge them a higher rate for the same service on the enforcement side. So in the case where there may not be proof of damages, you have consumers have to provide a notice of intent to Sue 30 days.

This gives the businesses an opportunity to write a statement about how they're going to address it within those 30 days. I, if it's, if damages can be shown to have happened, then damages range from 100 to $750 or the actual demonstrated value, whichever is higher, but that is per resident per incident. So we've all seen massive numbers of users affected in data breaches. So think of the loss of millions of users, PII times 100 to 750 or even more dollars.

And you'll see that this could Mount up very, very quickly and be very punitive on the other side, if it shown that the violation was intentional, that is to say a business that makes a lot of its revenue from selling information, they've collected information, but not adhered to the user's wishes to not sell that that would be considered an intentional violation. And the penalty for that is 7,500 per incident per resident. So that gets even more expensive, even more quickly. So now I'd like to turn over to Matthias to talk about the differences and similarities. Okay. Thank you.

Hello and good morning. Good afternoon from my side as well. So to look at the differences between CCPA and GDPR, as I am, you can hear that from my talking I'm I'm European I'm I a German passport. So we have been looking at GDPR for quite some quite a while as John has as well, but he doesn't sound like that. And I I've put up, first of all, the, the GDPR data protection principles that were in were kept in mind when the GDPR was written.

And if you look at these bubbles around the center, so from lawfulness to purpose limitation, data and minimization up to accountability, these are the, the guiding lines when GDPR has been written and some of those are not covered within CCPA. And that is the first five where, where I look at that. So what's not explicitly within CCPA, which is not covered. So which areas are just untouched.

So first of all, there is no such thing as consent apart from this optin mechanism that or opt out mechanism that John mentioned, and there is an opt-in for, for minors that parents can execute for CCPA in, in Europe with a GDPR that has to be content given for each individual usage of, of data. So that, that also includes the purpose limitation on, on that side. So this is the opt out thing that John already mentioned, and that is only focused to sale or in general disclosure of personal information at, at CCPA, there is no requirement for data minimization.

So if they store data or if organizations can store data, we interpret that as, as, as layman to that, they can store anything that they can gather from you. There is no right fortification or correction, which is weird. So they can tell you that, that there is a information stored.

And, but, but you cannot be able to, you are not able to correct that there's no requirement for lawful processing, no comment on that. And there's no requirements for storage limitations in time or, or size. So there are some, some aspects which are fundamental parts of GDPR, which are not within CCPA, which makes in turn the implementation of compliance to CCPA, maybe a bit easier. So if we compare it on the basis of the data subject rights, I have just made up this, this, this short short table, and this check mark does not mean that the concepts are identical.

It's just that the, that there are similar concepts which cover the same area of data, subject rights, or consumer rights or resident rights. So, so if you look at the table, many things are the same being informed, having access to data, having data deleted and exported, which is included in CCPA in this access to data. So you can have a, an export in a machine readable form. It just like in GDPR, you can object opt out for, for the usage of the information, but not for storage. And you have the no discrimination, which is implicitly done in GDPR.

There's no real article about that, but it's implicit throughout, throughout the text in there. So what's not there it's correction of data restrict processing and no automated decision making. So it's really a bit less when it comes to explicit data, subject rights between EO, GDPR, and CCPA. Another comparison of, of other aspects, apart from the individual data subject rights, John already talked about fines penalties, and there was this huge number of 4% of annual turnover.

When we, when you look at GDPR annual turnover of an organizational group or 20 million Euro when it comes to whatever's higher. But, but John already mentioned these 2,500 to 7,500 per incident might add up very quickly to really large sums response time, quite comparable, but different 30 to 40 days.

And in, in real life, this should be something that should be done online. So no 40 days wait, waiting period. And for GDPR and no 30 days in CCPA content, we talked about that and definition of PII, they're very different or largely different, but nevertheless, it's much more what's typically covered before with other privacy related laws in the us.

And, and that, that's actually a good thing that the, the view is broader there. An interesting aspect that has been always looked at at GDPR, but which is also true for, for CCPA is that it's not only European organizations, but every organization that stores information about EU data subjects, that is your resident at the same holds true for, for CCPA. So businesses in and outside of California, are they, the regulation applies for, to them when they fall under one of these definitions that John mentioned earlier when it comes to size or revenue.

An interesting thing that maybe John and I can talk about later is the differentiation between data control and data processor, which is in which is a concept, which is built into GDPR in which is not there in CCPA. So if you are an organization and you have a cloud service provider or a managed service provider who process data on your behalf, GDPR makes very clear requirements.

What, in each of the individual partners in this contract have to do in case of a data breach when it comes to security and that is not covered by CCPA. And that is an important part that one wants to look at when it comes to implementing CCPA, protect protective data subjects, quite similar data subjects in the EU and California residents. This is what John already described. And an important part for, for European organizations is the, the appointment of a data protection officer. There are clear obligations to the GDPR and they often lead to saying, yes, you need one.

It's not in every case, but in many cases, a CPA does not have any obligations for appointing data protection officer. So that is one burden taken off. Although it's usually a good idea to have one, two things that are in GDPR, which are not in CCPA, but for a good reason, first of all, there is no nothing about data breach notification within the CCPA. This is for a good reason because this, there is another law for that. The data breach notification statute statute, and the same is true for requiring adequate security measures for protecting PII, which is in the law.

So this is nothing that should has had to be put into CCPA because it was already in existence. So what does that mean when organizations are, if, if your organization is AC actually applicable for CCPA, if you are, have to be compliant to CCPA, first of all, you have to know that CCPA is not a one-to-one copy of the EO GDPR. So just being a copycat and doing what everybody else did for a GDPR is not enough, nevertheless, many organizations in California and the us as mentioned before, need to act, if they're doing businesses with Californian residents and they fall under these requirements.

So more or less many organizations are now in a similar situation like EU companies were on May 25th, 2015 when GDPR was published, but not yet in, in, in full effect to put it the other way around, if CCPA is relevant for you, you should have started already. This is a, a hint on the, to the next slide where we'll talk about something that you should already be doing at least as a, an recommendation from, from an Analyst side.

But nevertheless, you, if you are, if you need to act because of the CCPA, you should do something like a, a readiness assessment, a gap analysis, and define required measure measures, and a milestone plan just to, to start with, with doing something. And the rest of this slide is our commercial break, because of course, with cooking a call, being a company, starting out in the EU and having lots of experiences with implementing GDPR and with having a team in, in the us, we, of course, in a perfect situation to assist California companies and us companies and implementing CCPA.

So we are doing lots of advisory work. We have areas of expertise, which cover these areas. And we have American team with John leading this team. And we think we can, we can assist you in doing that. And we can do that for end users for vendors, for cloud service providers and manage service providers. And this is the end of the commercial break. So let's go back to real recommendations that you can use and take away from this, from this webinar.

So, first of all, learnings from GDPR, how should you prepare for CCPA? This is very close to what, what everybody for the GDPR had to do. Inventory your data, start with systems that may contain personal data on those with pro governance. So really go and find the PII and manage it adequately, provide and maintain required evidence and documentation. And this is the hint that I mentioned before.

Even if CCPA does not become effective until 1st of January, 2020, then consumers will be able to request personal data for the preceding 12 months, which actually started by January 1st, 2019, which is 40 days ago. And so this data should already be collected and be prepared for somebody doing a data access requests on the 1st of January, 2020. So you should be acting right now.

Next step, provide consumers channels to contact your company, to exercise their rights. And this could be something like a toll free number, a website, a mail address, if it's really required like that way, ideally you should provide consumers with data dashboards to have them use this as a self service and that they just can exercise their rights just online. That should be something very, very sensible, final slide recommendations. This is something that we learned from GDPR, and we think that this applies also to, to CCPA as I start starting point think bigger.

And the first thing is even if you're compliant to GDPR, because you're already working with European customers and you've done everything that's required, and you're completely fine. That does not mean that you are compliant to CCPA because of the differences that we talked about before, for example, notifying consumers of the sale of the data and the right to opt out of such sales, which is nothing that is covered with GDPR. Although of course you are in much better situation.

If you already have acted towards GDPR requirements, but much more importantly, GDPR and CCPA will not be the only and final privacy regulations to be introduced three years ago. I've been talking only about GDPR today. We are talking about GDPR and CCPA and there will be more and there will be more because there are other laws already in existence. Singapore already has, has something. Brazil is on its way. And Canada actually has been a role model for, for GDPR as well.

So there will be more of this and you should be in a situation that you're not implement one regulation of the other, but that you have a, an overall approach of think bigger approach. So if you determine your own individual security, legal, and regulatory requirements and include GDPR and CCPA, if they apply to you, then you can really find your individual requirements that you need to fulfill. The third step is most probably the important, the most important one embrace customer trust and privacy as drivers for new and demanded business models.

I read that out because I think this is really of importance and the market is changing. Customers are changing. Many of them, they understand that trust and privacy are getting more important. Things are changing here. And if this is something that you can have as a, as a, as a pro as a plus for your organization, I think that is something that also sells goods and services. If you all put this together and establish a sound data, privacy strategy on top of all this, that is a great idea. And then define a milestone plan for a complete, a consistent implementation of this strategy.

Then go around just, we said, as we said on the slide before find and the PI and treat it accordingly and appropriately give the customer the, the, the consumer, the, the opportunity to do this online, very important, train your employees on how to handle the PII. Unfortunately, still the, the employees, people are still one weak link in this chain of processing personal data.

And yeah, you should have started before. So if you are really, if you have to do something, you should really quickly start to at least make sure that this happens appropriately. And that was my last slide. And that is the point where we can look at the, the questions that you sent. Thank you for listening to me. And I hope there are lots of questions already there.

John, you are handling the question. Yeah.

Can you, can you go back to the last slide? I wanted to add something there before we look at the questions.

So, you know, I think you've got a couple of excellent points here, you know, GDPR or CCPA, not exactly the same thing, but at bottom, bottom, middle there provide facilities for consumers to make requests and assert rates. Let's, let's talk just for a second about what this means in terms of technical capabilities. If you're an end user organization, let's say you're a retailer, and you know that you're gonna be subject to CCPA. Maybe you're already subject to GDPR. What does this really mean for you?

So consumer identity and access management systems have been one way that companies that have EU resident information have been handling this. And that is because they, many of the consumer identity and access management systems provide the user dashboards that Matthias mentioned, you know, a place for users to go and take a look at what information that you've got about them and then what they can do with it. I think one of the key differences here too, is, you know, at first glance you may look at this and think, well, GDPR is much more comprehensive.

It does, you know, it provides much stronger consumer protection. Well, one way that I see that's really different about this is CCPA reaches a little farther down the pipeline. GDPR gives you the opportunity to say, don't use my information, but CCPA says, I'm gonna show you all of the different ways that it could be used and I can object to individual uses of those two. So it's a little bit different in that regard.

And again, having some sort of consumer identity management system, if you're an end user organization, that would be very advantageous, I think, for you to be able to comply with that same thing with GRC or, or reg tech kinds of things, Matthias point about, you know, we've got GDPR, that's been in effect for going on a year. CCPA will take effect in January. Canada's already got PIP, PDA, and Singapore and Brazil.

This really shows you the need for reg tech or GRC identity governance so that you know, that you can comply with these different kinds of regulations if you're doing business globally. And then lastly, if you look at what's needed from a vendor perspective, if you're a vendor of software, let's say particularly identity management kinds of software, than as Matthias said, being able to have a GDPR dashboard will not exactly be the same as what you need for a CCPA dashboard since the kinds of information and the kinds of choices will be different.

There are rights that are in GDPR that wouldn't make sense. If you were showing that kind of a user dashboard screen to let's say a California resident.

So, you know, we we'd definitely stand ready to, to help both end user organizations as well as software vendors make the changes that are necessary to help comply with GDPR and CCPA. Okay. Thank you. Thank you for adding to that. So first question I see here, what is lawful processing that is not present in CCPA? Good question. It's the first answer. Do you want start out?

Yeah, sure. So, and feel free to jump in. So GDPR has the notion of lawful processing and, and this is where the notion of data processors and data controllers and distinctions between those two come into play. So there can be contractual reasons that information exchange between companies or organizations within Europe that, that say in essence, it's okay for this organization pass information to another one, cuz it's already been contractually agreed upon. Or there are other cases that that may be around health or, or national safety or things like that.

Government agencies that collect information. So there's, there's the need to have a lawful contract in place or explicit consent for the, the end user consumer.

And those, those ideas are not really embodied in CCPA. Exactly. And so that's also how I interpreted. And if you, if you make a purchase with an organization and this purchase information is then later on used for big data analytics, AI evaluations for, for statistic, for marketing, this is something that would not be covered in, in according to EU legislation as, as lawful, because it's, it's a different usage of the information in my interpretation. This is not, not covered with CCPA once the data is there, it can be used for yeah. For any purpose.

Next question is, is an incident the same as an individual record? Well, let's say in, in the case of a breach, I, I guess you'd consider each each record that's breached as part of an overall incident in the total, the number of records that had been lost. Right?

Yeah, I think that's it. And then last question I see here is how will CCPA impact the data privacy landscape? Yes. And from that point of view, but maybe I started, you are the American, you have a deeper insight, but I think it's, it's the first time or two years ago, if we were, when we were talking to American companies, they were always a bit smiling when they talked about European and especially about German data protection regulations. And this is the first time that I can see it coming up in a, in a comparable manner.

So I think this is a bit in infection starting out in, in Europe and with a GDPR. And I think that is something that is not really, it has made it's jump across the ocean.

And I, I expect that to grow over there as well. Let's see, we've had another question that's come in. Would you call GDPR more restrictive as compared to CCPA? In essence though, they are not one to one in case an org is compliant with GDPR, what additional things do they need for CCPA? Very quick answer. And please John assist me there as well in, in my opinion, yes.

As, as there are some aspects missing, as I, as I pointed out in my first slide, and there are some, some points where GDPR is much more restrictive, especially when it comes to consent and when it comes to allowing individual processing and limiting actually the usage of data. So I can say, yes, use the information for purchase, but don't use it for marketing. That's completely fine for GDPR. It is not for CCPA.

So in, from a, from a data protection, from a perspective, I think that is something that is still missing for CCPA, although it is a great first step with CCPA coming into effect. Yeah. I think again, if you've got the technical means to get that inventory of information that you have about the affected residents and then being able to display that and offer the right options, you know, the options that you have to offer to EU residents will be different from what you have to offer to California residents.

And then, you know, specifically, if you look at the, the lack of provision for correcting information, I think, you know, to me that looks like an oversight. I would expect that the, the lack of correction will have to be corrected itself at some point, because otherwise you'll see a flood of people asking to delete their data that they perceive to be incorrect.

So I, I think there's still time. There may be some fine tuning to the CCPA before it goes into effect.

But, and again, I, I, I GDPR on the one hand does appear to be more restrictive, but CCPA offers different kinds of rights that go a little bit farther into what the consumer may need to be able to control further on accesses and uses of their information. So being compliant with GDPR doesn't will not make you compliant to CCPA, same thing with user interfaces, for identity management or other CRM kinds of systems, you know, there'll need to be changes made to those kinds of systems to be able to support CCPA. Exactly. Yeah. So that's it for the questions. Yep. Okay. Then let's yeah.

Wrap things up for technical implementation purposes. Of course. Please get in touch with us for first chat and for, for assistance, maybe for legal advice, of course, contact your attorney, your lawyer, your legal department, the are the right people to talk to when it comes to looking at the laws and the regulations. But if you want to start out an implementation in the us for CCPA, why not talk to John? Thank you very much for your time. Thank you very much, John final words from your side. Yeah. Thanks Matthias. And thanks everyone for joining.

Thank you very much and have a great day, a great evening wherever you are.