Most of us don’t think twice about sharing basic information like our name and what we do for a living when introducing ourselves to someone for the first time. Would you just as happily share your social security number, financial data, or medical records? I’d say probably not. But in the digital space, this is what’s happening to all of us, all the time.

And bad things happen when the wrong people have access to your personal information – information you didn’t know was being stored, and definitely wouldn’t want shared or sold.

We’ve written about the “weaponization of data” – a term coined by Apple CEO Tim Cook – and why your data is one of the most important assets companies have. They store and share consumers’ personal information for substantial gain, often at the expense of your privacy rights and with no meaningful penalties for violating your trust. That, together with several prominent companies having been caught playing fast and loose with consumer data, has spurred a global trend pushing companies towards greater accountability for protecting consumer data.

On 25 May 2018, the General Data Protection Regulation (GDPR) – perhaps the most comprehensive data protection law in the world to date – came into effect. Although the GDPR was enacted to govern how personal data is collected and used in the European Union (EU), its reach extends well beyond the EU’s borders: it applies to any organization, wherever it is based, that offers goods or services to people in the EU or monitors their behavior, for instance by tracking them online.

The California Consumer Privacy Act (CCPA) is testimony to the GDPR’s far-reaching influence and to its role in shifting consumer and government attention to data privacy. Any California resident now has the right to find out what personal information a business has collected about them, to have it deleted, and to stop the business from selling it. The law came into effect on 1 January 2020, but the State will not start enforcing it until 1 July 2020.

Like the GDPR, the CCPA will have widespread effects, not only across state lines (given California’s importance as a market) but also across national borders. Both laws were founded in the same spirit: to encourage transparency, to require businesses to notify those affected by a data breach, and to better secure and protect an individual’s personal information. There are, however, some distinct differences, and compliance with one does not mean compliance with the other.

Size does matter

The GDPR applies to all organizations regardless of size, while the CCPA lets businesses below certain thresholds off the hook. The CCPA applies to any for-profit business that operates in California, collects California residents’ personal information, and meets at least one of these criteria:

  • Has at least $25 million in annual gross revenue
  • Buys, receives, sells or shares the personal information of at least 50,000 consumers, households or devices a year
  • Derives at least half its annual revenue from selling California consumers’ personal information

The scope of the data covered also differs. The GDPR applies to all personal data of people in the EU, and individual member states may add their own – often stricter – rules in the areas the regulation leaves to national law. The CCPA, by contrast, covers only California residents’ data that is not already regulated by federal law, such as health data under the Health Insurance Portability and Accountability Act (HIPAA) and financial data under the Gramm-Leach-Bliley Act (GLBA).

Getting personal

Another significant difference between the two is how they define personal information. The GDPR defines personal data broadly as any information relating to an identified or identifiable individual. That covers obvious identifiers such as a name, address, telephone number or social security number, but also online identifiers such as IP addresses and location data. The CCPA’s definition is more enumerative: it spells out categories such as product purchase history, browsing and social media activity, IP addresses and other device identifiers, and information about a household, and it also covers inferences a business draws from that data to build a profile of a consumer.

Under the CCPA, companies that sell personal information must provide a clear “Do Not Sell My Personal Information” link on their home pages, so a consumer can opt out with a single action. The GDPR works differently: rather than a single opt-out link, it requires a lawful basis before personal data is processed at all, which for many marketing uses means the individual must opt in by giving explicit consent, and it gives individuals separate rights (to object, to withdraw consent, to have data erased) that each have to be exercised individually.

It’s all about the money

Now for the nitty gritty: how much does non-compliance cost? Under the GDPR, fines can reach €20 million or 4% of annual global turnover, whichever is higher. Under the CCPA, the civil penalty is up to $2,500 per violation, rising to $7,500 for each intentional violation. So an intentional violation involving 100,000 consumers’ records could, if each record counts as a separate violation, cost a company up to $750 million in penalties, on top of the statutory damages of $100 to $750 per consumer per incident that the CCPA lets consumers claim after a data breach caused by inadequate security.

(You can access a more complete comparison between the GDPR and CCPA here: https://www.bakerlaw.com/webfiles/Privacy/2018/Articles/CCPA-GDPR-Chart.pdf.)

What’s next?

The GDPR and CCPA indicate how valuable data has become, and they are unlikely to be the last privacy laws we see as other states and governments begin to take data privacy seriously. India is considering legislation, and the United Kingdom may need to develop its own regime once it leaves the EU. In the US, many states have already passed legislation targeting a specific industry or type of data; the new momentum at state level is a commitment to a far more comprehensive approach to regulating privacy. Overall, more data regulation (hopefully) means better data protection, but these laws can only be effective if they are enforced, and therein lies the challenge.

However, while compliance with data privacy laws may seem an administrative and financial burden, it does have an upside: it shows customers that they can trust an organization, and trust is an intrinsic part of building a relationship with consumers.

For financial institutions, this plays out in a practical way. When a bank asks customers to authenticate themselves before logging into its digital platforms and before approving sensitive transactions, customers come to associate the bank with protecting their personal information, and they feel protected and in control. That leads them to transact more and opt into more services, leaving everyone feeling safe and satisfied.



Alpa Somaiya

SENIOR COPYWRITER/EDITOR

From science to health research to fintech, Alpa is a self-confessed jack-of-a-few trades. When not despairing about the use of the Oxford comma, she enthusiastically collates, translates and disseminates information for your reading pleasure, and with the hope that we all learn a little something along the way.

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.