CCPA vs GDPR – Legal Basis for Processing
Welcome, everyone, to Lesson 9.2, where we will be reviewing the legal basis for processing requirements that exist under the GDPR.

A quick preview: in order to collect personal data of a European resident, a company must first establish a legal basis before doing so. That rigidity does exist, in smaller terms, under the CCPA, and we will compare those two requirements, the GDPR requirements with the CCPA requirements, in this lesson. Now let's get started.
The learning goals and objectives for Lesson 9.2. First, as I mentioned a moment ago, we will review the differences in the concepts that govern how information is collected and processed in Europe versus California. This will hopefully make it clearer for you what controls need to be placed on personal information in order to comply with the CCPA, by comparing it to how things are governed under the GDPR. Then, item number two.
Let's look for a moment at the left side of your screen. In order to collect personal information of a European resident, you must establish a legal basis for doing so, and there are six legal bases that you may select from. Keep in mind, my friends, there is a quiet one, let's call it a seventh one, at the bottom here that's not even listed, and that option is: don't collect the personal data. If you cannot establish one of the six legal bases here, then that is your invitation to perhaps put your pens down and not collect the personal data to begin with.
But let's look at item number one. Under the GDPR, you may collect the personal data of an individual if you obtain their consent. There are other courses on the Cybrary platform that go more into depth on this, but the quick answer is that consent has to be memorialized, and it has to be freely given. It has to be freely revocable, and it cannot be used to collect the personal data of an employee, only for customers and other non-employees. If you obtain their consent, though, you can collect their personal data.
Item number two. Under the GDPR, if you are performing a contract for that... the term is "data subject," but for that individual I'm going to use the term "individual" here, just to keep things a little clearer. If you're performing a contract for an individual, you may collect their personal data.
Item number three. If you have some sort of legal obligation that requires your company to collect that individual's personal data, you may do so under the GDPR. This typically comes up with national security or other legal compliance requirements: tax purposes, third-party audits, things like that, or retention requirements to comply with whatever regulatory regime exists outside of the GDPR.
Items number four and five are a little less popular, and you're less likely to run into them at work, but they are available under the GDPR. Item number four: if processing of an individual's personal data is necessary in order to protect the vital interests of that data subject themselves. This usually comes up in the context of children or other vulnerable population groups.
Item number five. If it's necessary for the performance of a task carried out in the public interest. The hot one right now is researching potential cures for COVID-19, but there are other reasons why it might be important for a company to collect the personal data of individuals, and they can point back to the GDPR and say, "Hey, our collection of this personal data is actually important because we're helping carry out some sort of public interest function." If you see that, then you can collect personal data under the GDPR.
Item number six. If it's necessary for the purposes of the legitimate interests of the controller. The controller is nothing more than the business or the company that's collecting the personal data. That's a weird legal basis, and you must be careful. Again, there are other courses in the Cybrary library that will go more into depth on this, but basically, if the company cannot function without that personal data being collected, then that personal data may actually be collected. In a real-world context, you need to be careful, and it's up to the business to establish that legitimate interest. Those are all the requirements that apply under the GDPR.
Now, if you're thinking back for a moment: did Jason ever really mention that we need to establish a legal basis before collecting personal information of California residents? The answer is 98% no. You can collect personal information of residents of California freely. There are no consent requirements. You don't need to establish a legal basis. You can simply continue collecting it as you always have. The only obligation is that you must permit individuals to opt out of the sale of that personal information to third parties. It's not an opt-in regime. It's not a consent regime. It's an opt-out regime, and it only applies if it's an actual sale to a third party.
The one exception, that 2% that I mentioned a second ago, is for children. You must obtain opt-in consent under the CCPA for children under the age of 16. Remember, if they are aged 13, 14 or 15, the child can provide their own opt-in consent. Otherwise, if they're younger than that, you need to go to the guardian or parent. That right there is the only space where the CCPA mimics the GDPR, in the sense that you must establish a legal basis before collecting the personal information of a child in California. Pause the video there if you need to compare those two items. But the CCPA, as you can tell, is far less rigid than the GDPR.
As I mentioned a moment ago, children are the group of individuals that you really need to keep an eye on, because they are likely to cause you a problem if you're not going to be ensuring that you're obtaining the opt-in consent of the parent or of the teenager. And from what I've seen in comments from the California Attorney General, and from what I've seen in class action suits following breaches of data that have already occurred in 2020, the California regulators are very concerned about the collection of the information of children, including and especially on Zoom. If you just type in "Zoom CCPA," you are going to see there are class action suits that relate back to the collection of information of children. Please keep an eye on that. The CCPA and GDPR do have a similar approach as it relates to children.
Another important qualification here: cookies are far more favorable under the CCPA than they are under the GDPR, because, think back for a moment, you may freely collect personal information under the CCPA, whereas under the GDPR and other European privacy laws, which we won't get to in this video, you need to establish a legal basis. In practical terms, that means that under the GDPR cookies must already be turned off. If you visit a European website, or more importantly, if you visit an American website while residing in Europe or while visiting Europe, you're going to notice that most of the cookies are already turned off, and it's up to the visitor of the website. Think back to the story about when I was in the airport in Germany: the cookies have to be turned on. The data subject has to consent and opt in. By comparison, under the CCPA you opt out. Hopefully that makes the regime around cookies a little clearer for you: under the CCPA you're opting out; under the GDPR you're opting in.
Pretty straightforward lesson here, Lesson 9.2. Item number one: you must establish a legal basis for processing personal data under the GDPR, and that requirement more or less does not exist under the CCPA, with the exception of children. Please keep an eye on cookies. Under the GDPR, cookies have to be already turned off, but under the CCPA they can already be turned on; you just need to provide a mechanism to opt out. That sums up Lesson 9.2. I'll see you in the next lesson.