If you’re a large digital marketer, ad platform, or agency that reaches any consumer in the EU or California, you will need to soon comply with both GDPR which went into effect in May 2018 and the new California Consumer Privacy Act (also known as CCPA or CaCPA) which will go into effect January 2020. While GDPR is generally seen as more stringent than CaCPA, there are still some nuanced differences and compliance with one doesn’t mean compliance with the other.
In Part I of this series, Thunder summarized the key differences and similarities between the two sets of laws.
In this Part II of the series, Thunder has provided a detailed breakdown for digital marketers, agencies and ad platforms comparing GDPR and California Consumer Privacy Act (known as: CCPA or CaCPA for short) to make sure they are compliant with both:
Jurisdiction
GDPR: Applies to data collection of persons in the EU (whether the company is based there or not)
CaCPA: Applies to data collection of California residents (whether the company is based there or not)
Personal Data
GDPR: Any information relating to an identified or identifiable natural person.
CaCPA: Any data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with particular consumer or household.” A “consumer” is a California resident as defined by tax code. The “personal data” definition is developed through examples, exclusions and cross-references to other laws. Data subject to HIPAA is exempted from CaCPA but data subject to FCRA, and GLBA is excluded only to the extent those statutes conflict with the CaCPA.
Data Subject
GDPR: An identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
CaCPA: A California resident as defined under California tax law.
Data Controller
GDPR: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or member state law, the controller or the specific criteria for its nomination may be provided for by Union or member state law.
CaCPA: For-profit controllers that meet ONE of the following thresholds: (1) Annual gross revenue over $25M; (2) Buys/sells or receives/shares for “commercial purposes” the data of 50,000 California residents; or (3) Derives 50% of revenue from “selling” personal data of California residents. If a controller qualifies under the thresholds, parent companies and subsidiaries in the same corporate group operating under the same brand also qualify.
Processor
GDPR: A natural or legal person, public authority, agency or other body that processes personal data on behalf of a controller. The GDPR also defines a “third party” as a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, is authorized to process personal data.
CaCPA: A “service provider” is a for profit entity that acts as a processor to a “business” and that receives the data for “business purposes” under a written contract containing certain provisions. The CaCPA uses the term “third party” to refer to entities that are neither business nor service providers.
Sensitive Data
GDPR: Per Article 9: Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited.
CaCPA: Sensitive data is not addressed.
Transfers of Personal Data
GDPR: Any transfer of personal data that are undergoing processing or are intended for processing after transfer to a third country or to an international organization shall take place only if the controller and processor comply with the conditions set forth in Articles 44-50. Transfers on the basis of an adequacy decision and methods such as Binding Corporate Rules, Contract Clauses, etc. or in the case of EU-US transfer, the Privacy Shield.
CaCPA: Cross-border data transfers are not restricted. All transfers to “service providers” require a written agreement containing certain provisions (that is, there is the CaCPA equivalent to Article 28 of the GDPR).
Data Portability
GDPR: Per Article 20, the data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format and have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided.
CaCPA: There is a limited recognition of this right under the CaCPA. Cal. Civ. Code Section 1798.100 provides that data subjects that exercise their right to access, must receive the data “by mail or electronically and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transit this information to another entity without hindrance.” There is a related and somewhat contradictory provision on this under Cal. Civ. Code Sec. 1798.130(a)(2).
Consent
GDPR: Opt-in approach requiring informed, freely given, and unambiguous consent
CaCPA: Opt-out approach (for data being sold to 3rd-parties) that doesn’t require consent for adults; however users can ask that their data be deleted
Penalties
GDPR: Under Article 83: • Up to 10 000 000 EUR, or in the case of an undertaking, up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher for infringements of obligations such as controllers and processors, the certification body, and the monitoring body. • Up to 20 000 000 EUR, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher for infringements of obligations such as principles of processing, conditions for consent, data subject’s rights, transfer beyond EU, etc. • Under Article 84, each member state can lay down the rules on other penalties applicable to infringements of the GDPR in particular for infringements that are not subject to Article 83, and can take all measures necessary to ensure that they are implemented.
CaCPA: No private right of action for most provisions with the AG of California taking the role of DPA and being able to impose civil penalties up to $7,500 for each violation with no maximum cap. Violators may avoid prosecution by curing alleged violations within 30 days of notification. For certain data breaches there is private right of action with statutory damages set between $100 and $750 per data subject per incident with a requirement to notify the AG before filing a lawsuit and refraining from pursuing the action if the AG office prosecutes within six months of the notification.
Thunder’s Role
Thunder Experience Cloud enables the advertising ecosystem to balance consumer interests in privacy with commercial interests in data-driven advertising. Thunder helps ad platforms prevent data leakage, consumers protect privacy, and advertisers obtain transparency through its anonymized people-based measurement solution. Ask us how to protect consumer data while supporting data-driven advertising if you’re interested to learn more.
