CCPA vs GDPR – Miscellaneous
4 hours 41 minutes
Welcome everyone to lesson 9.3.
There are a couple of differences between the CCPA and the GDPR that do not fit nicely in the categories of legal basis of processing or the scope of consumer rights.
Therefore, I decided to create an additional lesson, the miscellaneous differences between the two regimes, to help drive your understanding of the CCPA a little bit better and also be able to differentiate the obligations you have if your company is subject to the California consumer rights as well as the GDPR.
Let's jump right into it.
The learning goals and objectives for this lesson, it's going to be a series of rapid-fire fun facts.
Objective number one.
We're going to talk about some of the differences between the history of the CCPA versus the GDPR,
the differences between how the two regimes are enforced and some general industry trends, and then also highlight a couple of unique obligations that exist under the GDPR but do not exist under the CCPA.
Keeping in mind that your company very well likely might have already performed some sort of GDPR compliance effort that will not apply to the CCPA.
I want you to be alerted to that when it comes up at work.
The biggest difference, in my personal opinion, between the GDPR and the CCPA is how they came about.
This is so fundamental to the actual obligations that the GDPR ended up establishing versus those of the CCPA.
The GDPR is the byproduct of two years of negotiations between representatives of all 27 members of the European Union in Brussels.
They were quite literally huddled up in a conference room for 24 months, pounding out which provisions would be included in the GDPR
and those which would not.
We ended up seeing very well thought and mature frameworks that ended up becoming part of the GDPR because they were the byproduct of extended negotiations and, more importantly, because Europe simply had a much longer history of dealing with data privacy.
It's more ingrained in their legal culture as well as their political landscape.
The CCPA, on the other hand,
it was drafted in two weeks by the California Legislature.
As I mentioned to you, they took it out of the ballot initiative and, in general, the California Legislature, as well as, frankly, the United States in general, with the exception of some of the sectoral laws,
is very new to privacy.
We see the difference in the obligations that companies are subject to because of simply how those laws came to be.
Let's move forward from that.
There are also massive differences between how the GDPR is enforced versus how the CCPA is enforced.
Let's actually tackle the CCPA first.
As you remember in a previous module,
the CCPA is only enforced by one agency,
the California attorney general, which is very new to privacy. It's poorly funded.
With all due respect to the California Legislature,
they did not put in mechanisms to fund the California attorney general as they sought to enforce potential CCPA non-compliance obligations.
And in general there is a perspective that the court system in the United States is going to be able to handle most CCPA issues,
particularly as it relates to breaches.
That concept doesn't really exist in Europe.
On the other hand, there are 27 highly mature, well-funded supervisory authorities. Look no further than the Information Commissioner's Office, the ICO, in the United Kingdom,
the CNIL, the Commission Nationale de l'Informatique et des Libertés, in France.
Those two agencies have been active for decades and enforcing privacy rights of European citizens well before the GDPR ever came to be.
That's a massive difference in terms of how seriously the European political and business frameworks take the GDPR versus California.
We are, but in chapter one of a long journey,
whereas in the European Union this is very well developed.
The GDPR,
it's got to be noted,
it was first, and that is also a key difference.
Because most multinational organizations, I'm talking about the big companies with global footprints, have already performed a GDPR build-out,
which basically means the CCPA is second to the party,
and as a consequence of that,
if you work for a large company,
they are likely to view the CCPA as an add-on or a second-level effort
or even, in business terms, a second SOW, statement of work.
The GDPR, however, will always be the starting line, the framework from which other data privacy obligations will thereafter flow.
It's not just by the way European residents and business operations in Europe that drive this.
There are other countries outside of the United States that are now positioning themselves to fall in line with the European standard.
Under the rules of the GDPR, a country will be viewed as adequate for the receipt of personal data of European residents
if the protections that exist in that country are consistent with the protections that exist in Europe.
That's called an adequacy decision.
Feel free to look it up.
There are very important players in the global economy that are aggressively pursuing adequacy decisions like Japan and South Korea as well as Brazil,
which passed its own version of the GDPR; it's called the GPD.
Basically, all that is to say
the GDPR is quickly becoming the global standard outside of the 50 United States.
Nobody, and I really do mean no country, is looking to the CCPA for inspiration.
Potentially, the other 49 US states. But
it's still been two years and no other US state as of this recording has passed a comprehensive privacy law.
So that really is a key difference right there, is that the world is moving to the GDPR standard, not the U.S. standard.
It also needs to be noted that the GDPR is far more feared.
There is a fantastic website. It's called enforcementtracker.com.
You can follow the GDPR fines that come out.
Generally there is one issued every week or so, but sometimes they happen, they come in spurts.
Since the GDPR has gone live in May of 2018, there have been 395 fines
August of 2020. It can be updated with the fall. Number is actually later in time, but the total value of fines there that is accurate. I just checked it.
€255 million in fines stemming under the GDPR,
and it's hard to keep track of every single fine and as of August as of November,
it doesn't really matter.
The point here is, my friends, that the GDPR is responsible for serious fines.
Again, remember, up to 4% of global revenue could be the hammer,
The CCPA, on the other hand,
the jury's still out.
There haven't been any fines yet issued by the California attorney general again, as of this recording,
the total value of fines is zero.
The only thing that's really sitting out there is that there are 14 CCPA lawsuits that are going, but again, that's only because of data breaches.
There's another 78 lawsuits sitting out there that have the CCPA as a subcomponent, but
that's not the main point of the claim.
To bring this home,
we're about running here on time, but the GDPR absolutely has extra obligations that companies do need to keep track of:
data minimization requirements.
You need to restrict the amount of information that your company collects unless there's a need to do so.
The GDPR requires that companies perform privacy impact assessments.
Basically, it's identifying the rights and protections of individuals whose information is collected.
The CCPA doesn't care at all about that.
Not enough time to break down all six additional GDPR obligations. But just keep a note: it's a heavier lift to comply with the GDPR.
Feel free to pause the video there if you wanna look at that more.
The history of the CCPA versus the GDPR:
we see very clearly that industries have shifted to the GDPR standard
because it's scarier and there are significantly more robust obligations.
That concludes the difference between the CCPA and the GDPR.
I'll see you in the next video.