CCPA vs GDPR – Consumer Requests

Time
4 hours 41 minutes
Difficulty
Intermediate
CEU/CPE
5
Video Transcription
00:01
Welcome, everyone, to module nine of 10.
00:04
In this module, we will be discussing how you can leverage your previous efforts to comply with the other privacy laws of the world, including, most notably, the GDPR.
00:14
I want to take a quick second to point out the GDPR is by no means the only other privacy law that exists outside the United States.
00:22
On your own time, I encourage you to look up the LGPD, which is the comprehensive privacy law of Brazil.
00:29
There's also an important exposure to American companies to PIPEDA,
00:33
which is the privacy law that applies to the Canadian market.
00:37
But I understand that the 800-pound gorilla in the room is the GDPR,
00:42
and we are going to now be spending this entire module comparing the compliance requirements of the GDPR to the CCPA, because I recognize that most of you probably worked at a company that has probably pursued some sort of GDPR effort,
00:55
and the main goal here is to ensure that you do not start from scratch
01:00
moving forward. This is where we are in our course outline:
01:04
we are again in module nine.
01:07
One more module to go.
01:08
We will be reviewing the upcoming amendments and future changes to the CCPA.
01:12
But at this point, you should have a very solid understanding of all the privacy obligations that apply to the CCPA.
01:19
I will be mentioning something from all of the eight modules we reviewed up until this point.
01:23
So that's why we needed to wait until module nine to be able to compare the CCPA to the GDPR,
01:30
because we really need to understand what is required of the CCPA before we can really compare it to anything else.
01:38
Lesson 9.1.
01:41
We're going to focus in on the differences that apply to the consumer requests.
01:45
There are way more other differences that we will get to later in the module, but Lesson 9.1 is dedicated to the subject of consumer requests,
01:55
Our learning goals and objectives for Lesson 9.1:
01:57
we will review the differences in scope over the rights for the GDPR and CCPA, as I mentioned a moment ago.
02:04
We'll also note there are favorable deletion exceptions under the CCPA that are so important that they deserve their own subsection here in this lesson.
02:13
Then there's a couple miscellaneous items that I want to make sure that I bring to your attention, which highlight why the GDPR is actually so much more difficult to comply with than the CCPA.
02:23
Not, of course, to undercut anything we've been studying up until this point, because, yes, the CCPA is nevertheless quite difficult.
02:31
If you think back to module one, when I was talking about a human right versus a civil right versus a consumer right,
02:38
you need to understand that the GDPR views rights as personal rights.
02:42
All the rights that an individual can enjoy under the GDPR are because that person resides in Europe,
02:47
and that's it.
02:49
But in the United States, all of the privacy rights are viewed through the lens of consumers or transactions or business.
02:55
Because of that, the scope of the personal rights in Europe are far larger, far more significant and, dare I say,
03:02
far more cherished by the business community in the political landscape there.
03:08
The first three rights that you will see on the left side of your screen line up directly with the first three rights on the right side of your screen that exist under California:
03:16
the right to be informed of how information is handled internally,
03:21
the right to access your own information
03:23
and the right to delete your own information.
03:27
Those three things line up,
03:29
but there is no right to opt out of sale under the GDPR.
03:32
Why?
03:34
Because the GDPR requires an opt-in regime where you need to have a legal basis to preserve, to process personal information, personal data, under the law.
03:45
We will get to that in Lesson 9.2. But be aware:
03:47
if you have already stood up a GDPR compliance regime at your company,
03:53
you're not going to have already the ability to opt out of sale.
03:57
You're going to need to construct that,
04:00
item number four on the consumer right side.
04:01
That is a gap you have now that you need to build even if you've already, and this is in air quotes here, decided to comply with the GDPR.
04:12
Moving forward.
04:13
The CCPA, if you look at item number four on the left side of your screen,
04:16
does not have a right to rectify your personal information.
04:19
You cannot fix it under the CCPA.
04:23
Too bad, so sad. If you believe information is incorrect,
04:26
you can try to resolve that using other mechanisms, but
04:29
the CCPA will not help you.
04:31
You cannot restrict the way that your information is processed internally within the company;
04:35
that is a right that exists under the GDPR.
04:40
You cannot bring your information from one company to another or from one company to its competitors.
04:45
But if you see item number six there,
04:47
that right does exist under the GDPR.
04:50
You cannot object to processing activities, but under the GDPR
04:56
you can.
04:57
There are certain methodologies when it comes to automated decision making.
05:00
Basically, when a computer algorithm or some sort of technology that uses machine learning or just automated functions to look at an individual's personal data and then make a decision that has a financial or legal impact on a person,
05:13
that is something that individuals in Europe can object to,
05:16
but not in the United States,
05:18
or certainly not using the CCPA in the United States.
05:23
That's the scope of the differences.
05:25
Feel free to pause the video now if you want to jot these down. But the big thing here is:
05:29
don't forget the rights in California are consumer rights,
05:32
but the rights in Europe are personal
05:35
human rights.
05:39
Another big thing to remember:
05:40
under the GDPR, the window to respond to a consumer request is 30 days. Under the CCPA, you get 45 days, an extra 15 days.
05:49
If you are already going to build a regime in California or one that is meant to comply with the California market, and then you, later in time, decide,
05:58
"You know what, business is growing.
06:00
Let's start marketing our goods and services into Europe,"
06:02
you're gonna have a problem.
06:05
Europe requires a 30-day window instead of 45 days.
06:10
Please be aware of that.
06:12
If you go eastbound to that market, you will need to shorten your window to satisfy, I won't use the word consumer requests anymore, so personal or data subject requests,
06:21
which we'll get to in a second.
06:27
All right,
06:28
there are way too many deletion exceptions under the CCPA to go through them all once more, but I encourage you here to pause the video and jot down the key differences between the exceptions that exist under the GDPR versus those that exist under the CCPA.
06:42
The big thing to note here is that there are far more reasons why, under the CCPA, an individual will not be able to get their personal information deleted,
06:49
whereas under the GDPR
06:53
odds are you're going to be more successful from the perspective of the individual.
06:57
From the perspective of the business, if you are in GDPR land,
07:00
you're likely going to have to satisfy the request,
07:03
whereas under the CCPA
07:05
you have a lot more ways to say no.
07:10
At the last one. The last reason:
07:12
otherwise, use the consumer's personal information internally in a lawful manner that is compatible with the context in which the consumer provided the information.
07:20
Remember back to the California hearings in the legislative branch objected, saying something along the lines of, "You could drive a train through that."
07:29
And it's true.
07:30
In Europe, the exceptions to deleting information are far more robust than they are in California.
07:35
Another thing to note, my friends:
07:38
there's far more awareness in Europe about the GDPR.
07:42
If you ask anyone walking down the street, even in California, "Have you ever heard of the CCPA?", most of the time, people are not going to say yes. But in Europe, most people are aware of the GDPR.
07:53
I shouldn't say most, but at a minimum, people are aware that they do have data privacy rights.
07:59
Whether or not they know that there's a law called the GDPR,
08:01
that's a question mark.
08:03
It all depends where you are.
08:05
Ultimately, there is far more awareness because it's just culturally ingrained into the European society and European businesses that individuals do have far more data subject rights in Europe than they do in the United States.
08:18
And don't forget there's far more European residents than there are those who live in California,
08:24
in fact, 10 times the number.
08:26
To conclude this:
08:28
please keep an eye on the fact that there are nine different GDPR rights, depending on the way you slice it,
08:33
versus only four that exist under the CCPA.
08:37
I've identified the five that exist under the GDPR that don't exist under the CCPA.
08:41
Keep in mind that there are different response windows. And please don't underestimate the importance of people simply being aware they have rights in Europe
08:48
versus those in the United States who just sometimes don't know.
08:52
I'll see you in the next video.
California Consumer Privacy Act (CCPA)

This course examines the privacy obligations that are established by the California Consumer Privacy Act (CCPA) and how students can help their employers implement changes to their organizations to remain compliant with this new law.
