The Road to GDPR & CCPA/CPRA Compliance: Not Exactly One and the Same

There’s no doubt that the EU General Data Protection Regulation (GDPR), which took effect in May of 2018, set into motion a growing awareness of how companies around the world handle consumer privacy data. GDPR set the stage for the introduction of global data privacy regulations as evidenced by the California Consumer Privacy Act (CCPA) that was signed into law on the heels of GDPR and went into effect on January 1, 2020. And already, CCPA protections will soon be expanded when it’s superseded on January 1, 2023 by the recently approved California Privacy Rights Act (CPRA).

The first law of its kind in the United States, CCPA/CPRA is often equated to GDPR. But while they both aim to give consumers control over how their personal information is collected, used, and shared, there are several differences between these two regulations that impact who is affected, what companies need to do to comply, and the risks associated with noncompliance. 

If your business is global and online, there’s a good chance that you’re subject to both CCPA/CPRA and GDPR, and just because you comply with one, doesn’t necessarily mean you comply with both. Let’s take a look at the top 5 areas where the two regulations differ.


Who and What Information is Protected?

CCPA/CPRA was established specifically to protect the rights of California residents, which the law defines as “a natural person who is a California resident” living in the state for any reason other than temporary or transitory purposes, as well as anyone living outside of the state who is considered a legal California resident. The law is aimed at consumers of household goods and services, employees and anyone involved in business-to-business transactions. In contrast, GDPR states that it protects ANY living identified or identifiable natural person, and that person does not need to be considered a resident of the EU or located within the EU. This is a much broader scope, aimed more at companies offering goods and services in the EU rather than those only doing business with EU citizens.

CCPA/CPRA and GDPR both have broad definitions as to what constitutes personal data, which includes any information that can identify a consumer such as name, IP address, email, social security number, online cookie identifiers, etc. While similar in scope, CCPA/CPRA is more specific in clarifying the various categories of personal information and also clearly states that it includes anything that can be linked to a household as well as to a consumer. GDPR does not specifically address households, but enforcement under GDPR’s governing authority has shown the law to include households, since in reality any information that can identify a household can also identify a consumer.

It was previously thought that the two regulations varied greatly when it came to sensitive information, since CCPA did not originally fully address this category. However, CPRA now clearly addresses such information as geolocation, biometric data, health information, race or ethnic origin, sexual orientation and the like. With that change, the only significant difference in terms of what information is protected is that GDPR covers publicly available data while CCPA/CPRA does not.

Who Has to Comply?

According to CCPA/CPRA, any for-profit entity doing business in California that meets any one of the following thresholds is required to comply:

  • Annual gross revenue in excess of $25 million
  • Buying, receiving or selling personal information of more than 50,000 consumers or households (expanded to 100,000 under CPRA come 2023)
  • Earning more than half of your annual revenue from selling personal information

Under this definition, your business does not need to be physically located in California, or even in the U.S. for that matter. The revenue threshold of $25 million also applies to ALL revenue, not just revenue attributed to California residents. Additionally, the definition of “selling personal information” is not confined to the classic sense of the word but rather includes disseminating or disclosing information in any way.

Unlike CCPA/CPRA, GDPR does not define specific thresholds but applies to ALL companies that offer goods or services in the EU, or that monitor the behavior of persons in the EU, irrespective of the company’s location. This essentially means that even if your company has minimal presence in the region with no established EU location, if you do any business in the EU, you need to comply. And don’t assume that you’re safe just because you aren’t selling into EU markets—if your website is accessible from the EU, you may be collecting data about Europeans, even if you never receive a single euro from those digital visitors.

What Rights Do You Need to Provide?

Under the right to be informed, CCPA/CPRA and GDPR both require businesses to provide information in advance, via a privacy notice, about the personal data they collect and how it will be used. Both regulations also establish the right of access, allowing consumers to know what personal information an organization holds. The right of access also requires you to provide the means for consumers to request access, disclose all categories of personal data and deliver the information to the consumer. There are some differences in the timing—the right of access under CCPA/CPRA applies only to information collected in the 12 months prior to the request, with a deadline of 45 days to respond, while GDPR applies to all information, with one month to respond. Both regulations do allow for extensions with notice.

CCPA/CPRA and GDPR opt-out rights are similar in their overriding objective, but there is a substantial difference. CCPA/CPRA requires the right to opt out of the sale of personal information to third parties and requires a clear and conspicuous “Do Not Sell My Personal Information” link on a website’s homepage. GDPR isn’t quite as absolute, providing consumers with the right to opt out of “processing data for marketing purposes” and to withdraw consent to process personal data, as well as giving businesses an exception if they can demonstrate compelling legitimate grounds.

While both regulations also give consumers the right to have their personal information deleted, one key difference is that GDPR also gives consumers the right to request that an organization corrects any inaccurate or incomplete personal information. CCPA/CPRA does not cover any rights of rectification.

How Do You Ensure Security of Privacy Data?

CCPA/CPRA and GDPR are similar in that businesses need to ensure an appropriate level of security for privacy information, but while GDPR requires technical and organizational measures to comply (e.g., encryption), CCPA/CPRA shifts this requirement more to consumer rights. Under CCPA/CPRA, consumers have a right of action for unauthorized access and exfiltration, theft, or disclosure of personal information as a result of a business’s failure to maintain appropriate security measures.

What Are the Risks of Noncompliance?

Penalties for noncompliance with CCPA/CPRA and GDPR both aim to hit where it hurts—your bottom line. Depending on the severity of the violation, GDPR fines can be up to 4% of annual global revenue or 20 million euros ($24 million USD), whichever is higher. CCPA/CPRA places its penalty on individual violations—$2500 per violation, with $7500 per violation for those concerning minors.

CCPA/CPRA has no ceiling on the number of violations, so depending on your annual revenue, penalties can add up beyond those of GDPR. An online retailer doing business with a million Californians could quickly find itself faced with $2.5 billion USD in fines if a data breach or other violation hits the company’s entire data set of customers.

Meeting your obligations under both GDPR and CCPA/CPRA can seem daunting—especially given the differences between the two and the seemingly ever-changing rules. Get in touch today to learn how Ketch can help make your company fully GDPR and CCPA/CPRA compliant.


Do You Have a “Legitimate Interest” in the Data You Collect?

Under the GDPR, consent isn’t the only lawful basis for data processing

The European Union’s General Data Protection Regulation (GDPR) says that in order to collect and process personal data, an organization must have a “lawful basis” to do so. There are six specific ways that organizations can achieve that, and most are relatively straightforward: you’re in the clear if a data subject explicitly consents to a given use of their data, for instance, or if there’s a legal requirement for you to collect and process data in a certain way.

But there’s one lawful basis that’s simultaneously widely used and poorly understood: the “legitimate interest” basis for data usage. According to the GDPR, data processing is lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party” — unless those legitimate interests are “overridden by the interests or fundamental rights and freedoms of the data subject.” 

On the one hand, the GDPR clearly suggests that organizations can lawfully use personal data if they really need to. But it also clearly says that the “legitimate interest” basis for data processing can be canceled out by the countervailing interests of the data subject. That’s a tricky needle to thread: how can organizations decide whether their interests are “legitimate,” and how are they supposed to figure out whether their interests are “overridden” by those of the data subject?

The three-part test

The GDPR doesn’t clearly explain what constitutes a “legitimate interest,” so this is something organizations have to figure out for themselves on a case-by-case basis. The GDPR offers some examples of legitimate interests, such as use of client or employee data, fraud prevention, marketing, or identifying security breaches. Still, there are no hard-and-fast rules on which organizations can rely to ensure they’re covered by a “legitimate interest” basis for data processing.

Because of that, it’s helpful to think of the “legitimate interest” basis as a process rather than simply a set of fixed criteria. To meet your obligations, you need to be able to show that you’ve weighed your own “legitimate interest” against the interests of data subjects. The British Information Commissioner’s Office suggests using a three-part test to figure out whether your “legitimate interest” claim holds water:

  1. First, your data processing should have a clear purpose that serves either your organization’s interests or those of a third party. The key here is to be specific: your purpose can’t simply be to process data as an end in its own right, but should be a clear goal that delivers evident benefits to your organization. For instance, a company might have a clear interest in checking that it isn’t being defrauded, or in identifying potential security threats.

  2. Next, your data processing should be necessary to achieve that goal. That doesn’t mean it’s the only way to achieve a certain goal, but it does mean that your data processing should be targeted and proportionate to your stated ends. If you’re trying to tackle fraud, for instance, you should only be processing data that’s directly related to that goal.

  3. Finally, your data processing should be balanced against the interests and rights of the data subject. It’s important to show that you’ve carefully considered your data subjects’ rights, and that you’re doing your best to minimize any potential impact on them. This is especially important if you’re handling data pertaining to children, who are singled out for special protection under the GDPR.

Such tests are in some ways more art than science. Still, conducting and documenting a formal evaluative process is vital to show that you’re properly weighing your own legitimate interests against those of your data subjects. 

Expectations and objections

Besides the three-part test, there are two other important factors to consider. 

First, it’s generally acceptable to process data in ways that users should reasonably expect. This doesn’t mean that a specific user has to actually expect their data to be processed in a certain way — just that a reasonable person would likely make that assumption.

This gives organizations some leeway to process data for expected purposes such as fraud prevention or other routine operations. It’s also worth noting that if you communicate your practices to your users, they will be more likely to expect their data to be processed accordingly. A clear, detailed data privacy policy goes a long way toward supporting a “legitimate interest” basis for data processing.

Second, remember that the GDPR gives data subjects the right to object to the use of their data. That’s especially important for data processed under a “legitimate interest” rationale, when there can be grounds for differing opinions about whether data use is justified. 

If a user objects to your use of their data, the onus is on your organization to demonstrate not just that you have a legitimate interest, but a compelling interest to continue processing that data. That’s a high bar to clear, especially since you could face steep fines if you improperly persist in using personal data following an objection. 

Most objections result in organizations either halting data usage or deleting a user’s data. If such objections become widespread, you may need to explore using a different lawful basis to justify your data processing. 

A tech solution

So is a “legitimate interest” basis right for your organization? Well, it’s certainly worth considering if you want to use data in a way that brings a clear benefit to your organization, doesn’t carry significant risk of infringing on data subjects’ privacy rights, and that data subjects should reasonably expect to occur. 

Still, a “legitimate interest” rationale for data processing comes with a unique set of complexities, including documentation requirements and the need to respond quickly and effectively to objections raised by data subjects. 

At Ketch, we specialize in helping organizations to formulate data policies that can be applied instantly across your entire data ecosystem, providing trackable real-time data privacy and compliance capabilities without the need to rewrite code or rebuild your tech stack. If you’re considering using a “legitimate interest” basis for GDPR compliance, get in touch today, and find out how Ketch can take your organization’s data processing to the next level.

The Top 5 GDPR Compliance Mistakes and How to Avoid Them

The European Union’s General Data Protection Regulation (GDPR) is a complex and sweeping data protection law that has left companies all over the world scrambling to rethink their data handling processes. Unfortunately, ensuring full compliance with the 88-page regulation isn’t easy. In fact, many companies are still making mistakes — and with penalties maxing out at 4% of annual global turnover, in addition to potential damages payable to affected users, slipping up can be costly.

Here are 5 of the biggest errors we see companies making as they figure out how to handle their obligations under the GDPR:

1. Assuming the GDPR doesn’t apply to you

As you’d expect, virtually all companies with operations in the European Economic Area are required to comply with the GDPR. But that doesn’t mean you’re off the hook if you’re based elsewhere in the world. Under the terms of the GDPR, companies that collect or process data for the purposes of doing business with European customers must comply with the regulation. An occasional European visitor to your company’s website won’t necessarily trigger the GDPR. But if you’re soliciting business from Europeans, such as by advertising in Europe or including prices in euros, then you’re likely to fall under the regulation.

2. Misunderstanding the scope of the statute

It’s easy to assume that as long as you’re getting users’ consent before you collect their personal data, you’ve insulated yourself against any potential problems. Unfortunately, though, the GDPR is much more far-reaching than that, and collecting consent is only the beginning. The GDPR actually secures 8 key rights for data subjects, including the right to amend or revoke consent; the right to obtain copies of or to amend any collected data; and the right to have their data “forgotten” or completely deleted, or to object to the ways in which it’s being processed. 

For most companies, that can’t be managed simply by asking permission to set various types of cookies to log consent. Instead, you’ll need a systematic approach that lets you track a user’s personal data throughout your system, and ensure it’s never used for purposes to which a user objects. You’ll also need to be able to extract data from your system, explain where and how it is used, or discontinue processing that data on demand. For companies affected by the GDPR, static cookie-based strategies simply aren’t good enough.

3. Counting on partners doing their jobs right

In the modern world, dataflows don’t end neatly at the boundary of your organization — they spill over to third parties and outside partners. The GDPR makes clear that data controllers aren’t responsible solely for their own handling of a user’s data — they’re also directly liable for any errors or missteps made by other processors, such as downstream partners and vendors, who use the data.

In other words, it’s no longer enough to simply put policies in place to manage your own handling of personal data. You also need to ensure that you’re promptly and reliably communicating with partners about how data can be processed. If your user revokes consent, that signal needs to propagate promptly across your entire data ecosystem, including any third parties who’ve accessed the data, in order to shield you from potential liability for GDPR noncompliance. 

4. Expecting IT pros to be policy experts (and vice versa)

GDPR compliance requires both policy chops (to figure out how personal data should be handled) and IT savvy (to figure out how to implement that across your data ecosystem). Too often policy experts feel obliged to weigh in on IT implementations, or IT teams have to parse the nuances of the statute when writing code. That can lead to mistakes as people step outside their areas of expertise, or slow the pace of innovation as projects are increasingly run by committee and require multiple stages of legal and technical approval.

The key for successful GDPR compliance is to develop an approach that allows legal teams to define acceptable forms of data usage, then rapidly and frictionlessly translate those perspectives into actionable guidance for IT teams. In an ideal world, your legal teams should never need to read a line of code, and your IT specialists should never need to wade into the dense legal language of the GDPR itself.

5. Dealing with the GDPR in isolation

The GDPR has changed the face of global data privacy regulation; increasingly, in the post-Snowden world, regulators are looking to create muscular regulatory frameworks that place significant new burdens on data controllers and processors. But here’s the rub: while many of the frameworks now being implemented share the same goals, they impose unique and varying obligations upon organizations. 

It isn’t enough to simply upgrade your data-handling infrastructure to ensure GDPR compliance. Instead, organizations need to create flexible and responsive systems that can rapidly adapt to new regulations and requirements as they are introduced. From new data laws in California and Brazil to sweeping privacy measures in India and China, organizations need to plan for the future, and put infrastructure in place to help them remain compliant with a fluid and constantly changing global regulatory landscape.

All of these mistakes are easy to make. Fortunately, they’re also easy to avoid. The key is to take the GDPR seriously, and not to try to handle everything internally. Whether it’s mastering the policy nuances or figuring out how to translate them into workable IT and data-handling infrastructure, it pays to partner with a specialist. 

That’s where Ketch comes in. Our founding team’s background in advertising and marketing technologies and data infrastructure gives us a deep understanding of the ways that data flows through modern businesses. We also understand the challenges that companies face as they try to adapt those dataflows to the requirements of the GDPR without disrupting their daily operations. 

Using our technology and our in-house expertise, we can translate your specific requirements and obligations under the GDPR into customized, crystal-clear data-management policies. Crucially, we also automate the process of querying datasets subject to those policies — so your coders and developers can implement call-outs to automatically check whether a specific action is permissible for a specific item of personal data. 

With Ketch, your IT teams don’t have to fret about the nuances of privacy laws, and your legal teams don’t lose sleep over specific implementations. And because permissions are handled centrally, you can be confident that any changes will propagate instantly across your entire data ecosystem, including outside partners, to ensure continuous GDPR compliance. 

That adds up to a frictionless and robust toolkit for companies affected by the GDPR. So stop fretting about making costly mistakes — and get in touch with Ketch to find out how we can streamline your data compliance.