Getting Ready for CCPA: How it Differs from GDPR and Strategies for Compliance

Started by an increase in consumer data breaches and growing data privacy concerns in the United States, the state of California passed the California Consumer Privacy Act (CCPA) which will go into effect on January 1, 2020. This new privacy legislation is slated to be one of the toughest data privacy laws in the US and reflects a global trend of the growing importance for brands to invest in data governance, security, orchestration and automation.

Regulatory compliance is now equating to the quality of a company’s brand.

Most brands are quickly trying to ramp up and understand how to comply with CCPA but are left wondering what CCPA means for them, what the differences are between CCPA and GDPR and what key initial steps towards compliance they need to be taking.

The CCPA reinforces the modern theme that operating a real-time, secure, and auditable platform for collecting, enriching and activating customer data has become mandatory – not only for compliance objectives but also for new revenue and customer loyalty goals.

Ted Sfikas, Director of Solutions Consultants, NA & LATAM at Tealium, and Maltie Maraj, Senior Counsel at Tealium, recently presented a webinar on “Getting Ready for CCPA: How it Differs from GDPR and Strategies for Compliance.”

The speakers took a deep dive into the differences between CCPA and GDPR (timestamps of key topics in this webinar can be found below in green) and delivered key takeaways like:

Who is Affected (7:42)

GDPR

• Every entity that processes EU personal data is in scope of GDPR regulation
• GDPR includes concepts of a data controller, data processor and the data subject

CCPA

• The CCPA covers every organization that does business in California and processes California’s consumers’ personal information or discloses it for valuable consideration or that collects and sells consumer personal information

• The CCPA applies only to CA residents, even if they are traveling outside the state when companies disclose their personal information

Personal Data Opt-Out vs. Consent Roles (12:20)

GDPR

• Under GDPR regulation consent must be freely given, informed and received prior to any data collection
• Collecting sensitive data requires a higher level of protection under GDPR

CCPA

• The CCPA defines personal data broader than GDPR and includes technology identifiers like pixels, web browsing history and Gait patterns
• If a consumer opts-out under CCPA, businesses cannot ask again for 12 months

Right to Erasure and Right to Access (26:58)

GDPR

• Data controllers must respond to data access requests within 30 days and reveal any automated decision making or profiling technology under GDPR regulations

CCPA

• In the CCPA businesses only have to delete the data received directly from the consumer, not data that comes from other sources – but the business must also disclose the source of which the data was received and the categories that the data falls under
• Businesses must respond to data access requests within 45 days under CCPA and also must comply with Erasure requests, so long as the 9 exemption areas for deletion do not apply

In this webinar, we also review how sophisticated martech tools can help you get visibility into your customer data flow, establish a data governance practice and create a strategic plan for compliance for data privacy laws.

To get more key insights and takeaways on ‘Getting Ready for CCPA: How it Differs from GDPR and Strategies for Compliance’ watch the on-demand webinar and learn:

• The differences between GDPR and CCPA (2:42)
• What specific rights each regulation focuses on (7:42)
• How crucial it is to have your customer data governed in an automated fashion to ensure compliance with both laws (45:10)
• The legal and technologist approach to ensuring compliance with both (throughout)
• And so much more!

Watch the on-demand webinar and start getting ready for CCPA compliance today!