CCPA 2.0 Gets Closer to Reality! But How Does it Compare to GDPR?
In this digital age, ownership of data is emerging as both a liability and a hot commodity. With governments and policymakers enforcing stringent regulation to protect PII and PI data, individuals are more conscious of privacy and their rights.
The California Consumer Privacy Act (CCPA) was created and passed by the California legislature in response to a California ballot initiative. The CCPA was designed to be less restrictive than the ballot initiative and was passed contingent on the fact that the ballot initiative was abandoned.
The California Privacy Rights Act (CPRA) is a new ballot initiative designed to improve upon the CCPA. It is designed to enhance – rather than replace – the CCPA and includes additional protections for California residents as well as some updates designed to correct issues with the original bill, such as exempting a larger number of small businesses from CCPA responsibilities and protecting the law from being weakened by the legislature.
Comparing GDPR and CPRA
The EU’s General Data Protection Regulation (GDPR) is the world’s most famous data protection law. It has been used as a reference for creating and evaluating a number of new data privacy laws, including the CPRA.
A primary goal of the GDPR, CCPA, and CPRA is to provide consumers with certain rights regarding their data. The CCPA and GDPR already had significant overlap in this area, but the CPRA added additional protections. Many of these rights overlap with the GDPR, but some are unique to one regulation or the other.
As shown above, the protections provided under the CPRA are largely equivalent to those under the GDPR. However, the GDPR has slightly more protection (requirements for explicit consent and legal basis for processing), while the CPRA includes provisions to make private browsing easier.
Data protection laws are designed to protect consumer privacy and the security of the data collected by an organization regarding a data subject. To ensure privacy, security, and enforce an individual’s rights, businesses have several obligations under the GDPR, CCPA, and CPRA.
As shown above, the CPRA primarily strengthens the protection of customers’ sensitive data collected and stored by an organization. New requirements are focused on maintaining records and completing regular risk assessments and cybersecurity audits for high-risk data.
Preparing for the CPRA
The CPRA is a long way from impacting an organization’s operations. Before it can go into effect, it must successfully be accepted for inclusion on the November 2020 ballot, win a majority vote before California voters, and undergo a significant ramp-up period designed to enable businesses to achieve compliance before enforcement begins.
That said, achieving compliance with CPRA and other data privacy laws can be a very involved process, so starting as soon as possible is important. The first (and most important) step in this process is identifying where customers’ data is located within your organization.
Learn more about how you can become CCPA compliance — and how to prepare for the CPRA. 1touch.io can help! — Schedule a demo today!