CCPA vs GDPR – Legal Basis for Processing

Video Activity

Join over 3 million cybersecurity professionals advancing their career

Required fields are marked with an *

View all SSO options

Already have an account? Sign In »

California Consumer Privacy Act (CCPA)

Course

Time

4 hours 41 minutes

Difficulty

Intermediate

Video Transcription

00:01

welcome everyone to lessen 9.2

00:04

as we will be reviewing a legal basis of processing requirements that exist under the GDP are

00:10

a quick preview.

00:12

In order to collect personal data of a European resident, a company must first establish a legal basis before doing so

00:19

that rigidity does exist in smaller terms under the C, c p A. And we will compare those two requirements

00:25

the GDP, our requirements which the CCP A requirements in this lesson here. Now

00:32

let's get started

00:33

the learning goals and objectives for less than 9.2

00:36

first. As I mentioned a moment ago,

00:39

we will review the differences in the concepts that govern how information is collected and processed in Europe versus California.

00:46

This will hopefully make it clearer for you. What controls need to be placed on personal information in order to comply with the CCP A. By comparing it to how things are governed under the GDP are

00:57

then item number two.

00:59

We will review the impact that these requirements have on the use of cookies and other ad technology.

01:06

Let's look for a moment at the left side of your screen

01:08

again

01:10

in order to collect personal information of a European resident.

01:12

You must establish a legal basis for doing so,

01:15

and there are six legal basis that you may select from

01:19

Keep in mind, my friends, there is a quiet one. Let's call it 1/7 1 at the bottom here that's not even listed.

01:26

And that option is

01:27

Don't collect the personal data.

01:30

If you cannot establish one of the six legal basis here,

01:34

then that is your invitation to perhaps put your pens down and not collect the personal data to begin with.

01:38

But let's look at item number one

01:42

under the GDP are you may collect the personal data of an individual if you obtain their consent.

01:49

There's other courses under the Sai Buri platform that go more into depth on this. But the quick 12th answer is consent has to be memorialized, and it has to be freely given.

02:00

It has to be freely revocable, and it cannot be used to collect the personal data of an employee on Lee for customers and other non employees.

02:08

If you obtain their consent, though, you can collect their personal data.

02:14

Item number two.

02:15

If you under the GDP are are performing a contract for that. The term is a data subject, but for that individual, I'm going to use the term individual here. Just toe. Keep things a little clearer.

02:25

If you're performing a contract for an individual,

02:29

you may collect their personal data.

02:31

If you have some sort of legal obligation that requires your company to collect that individual's personal data, you may do so under the GDP are

02:39

this typically comes up with national security or other legal compliance requirements.

02:45

Tax purposes? Third party audits. Things like that. If retention requirements to comply with whatever regulatory regime that exists outside of the GDP are

02:55

Items number four and five are, ah, little less popular and you're less likely to run into it. Work, but they are available under the GDP are

03:04

if processing of an individual's personal data is necessary in order to protect the vital interests of that data subject themselves.

03:13

This usually comes up in the context of Children or other vulnerable population groups.

03:19

Item number five.

03:21

If it's necessary for the performance of a task carried out in the public interest,

03:25

the hot one right now is researching potential cures to Cove in 19,

03:30

but there are other reasons why it might be important for a company to collect the personal data of individuals, and they can point back to the GDP are and say,

03:37

Hey, our collection of this personal data is actually important because we're helping carrying out some sort of public interest function.

03:45

If you see that, then you can collect personal data under the GDP are

03:51

item number six

03:53

If it's necessary for the purpose of the legitimate interests of the controller,

03:58

the controller is nothing more than the business or the company that's collecting the personal data.

04:01

That's a weird legal basis, and you must be careful

04:05

again. There are other courses under CyberRays library that will go more into depth on this. But basically, if the company cannot function without that personal data being collected than that, personal data may actually be collected in real world context.

04:19

But

04:20

you need to be careful,

04:21

and it's up to the business to establish that legitimate interest.

04:27

That's all the requirements that apply to the GDP are

04:30

now. If you're thinking back for a moment,

04:32

did Jason ever really mention that we need to establish a legal basis before collecting personal information of California residents

04:41

Theano, sir, is 98%. No.

04:44

You can collect personal information of residents of California freely.

04:46

There are no consent requirements.

04:49

You don't need to establish a legal basis.

04:51

You can simply continue collecting it as you always have.

04:56

The only obligation is that you must permit individuals to opt out of the sale of that personal information to third parties.

05:03

It's not an opt in regime. It's not a consent regime.

05:06

It's an opt out regime,

05:09

and it's only if it's an actual sale to a third party.

05:14

The one exception that 2% that I mentioned by association. A second go

05:18

is for Children.

05:20

You must obtain the opt in consent under the CCP A for Children under the age of 16.

05:26

Remember, if they are aged 13, 14 or 15, the child can provide their own, opt in consent on their own.

05:32

Otherwise, if they're younger than that,

05:34

you need to go to the guardian or parent.

05:38

That right there is the Onley space, where the CCP A mimics the GDP, are in the sense that you must establish a legal basis before collecting the personal information of a child in California.

05:47

Pause the video. There if you need to compare those two items. But the CCP A, as you can tell, is far less rigid than the GDP are.

05:57

As I mentioned a moment ago.

05:59

Children are the group of individuals that you really need to keep an eye on because they are likely to cause you a problem if you're not going to be ensuring that you're obtaining the opt in consent of the parent

06:09

or of the teenager.

06:11

And from what I've seen in comments from the California Attorney General and from what I've seen in class action suits following breaches of data that have already occurred in 2020

06:19

the California regulators are very concerned about the collection of the information of Children,

06:25

including and especially on Zoom.

06:28

If you just type in zoom CCP A, you are going to see there are class action suits that relate back to the collection off information of Children.

06:36

Please keep an eye on that.

06:38

The C, C, P, A and GDP are do have a similar approach

06:42

as it relates to Children.

06:45

Another important qualification here.

06:46

Cookies are far more favorable under the CCP A than they are under the GDP are

06:51

because think back for a moment,

06:55

you may freely collect personal information under the CCP A, whereas under the G, D, P R and other European privacy laws, which we won't get to in this video,

07:03

you need to establish a legal basis.

07:06

In practical terms, that means that under the GDP are cookies must already be turned off

07:13

if you visit a European website or more importantly, if you visit an American website while residing in Europe or while visiting Europe,

07:20

you're going to notice that most of the cookies are already turned off and it's up to the visitor of the website.

07:26

You yourself

07:27

think back to this story when I was in the airport in Germany,