The General Data Protection Regulation, or GDPR, is a regulation in EU law intended to protect consumer privacy, and to regulate the ways in which third parties collect, store, use, and trade in consumer personally identifiable information, or PII. Technically a European rule, it applies to any entity that collects, or processes data in the EU, or collects or processes the data of an individual who is, themselves, in the EU. As such, it is almost impossible for any online service to avoid being in some way affected.
Businesses covered by the GDPR may only process consumer PII under the following six conditions:
The data subject has provided express consent to their information being processed
The data subject’s information is needed to meet a contractual obligation for or with that individual
The data processor has an overriding legal obligation to process that data
In order to protect the privacy of the data subject or another specific individual
In order to comply with the needs of an official authority, or in the public interest
When the data processor can demonstrate that their needs outweigh the right of the data subject to privacy
GDPR entitles all covered individuals to:
The right to transparency: data collectors and processors must clearly state what they are collecting, why, and provide an opt-in option to permit their activity
The right to access: individuals must be able to find out what information is being held, and how it is being used, by any covered entity
The right to rectification and erasure: the individual must be able to correct stored errors, and to demand erasure of stored information
The right to object: unless the data collector or processor can show a legally-compelling reason to do otherwise, they may not collect or process information if the individual refuses them permission to do so
Organizations that run afoul of GDPR may face penalties ranging from periodic audits to multi-million dollar fines. At the high end of the scale, fines may be levied equal to EUR 20M, or 4% of the prior year's global revenues, whichever is higher. At the time of writing, the highest fine levied thus far was EUR 18M (approximately $20M), in connection with the sale of personal profiles by the Austria Post.
GDPR came into effect nearly two years prior to CCPA, which has broadly similar goals but a greater focus on consumer rights. They differ, however, in a number of ways, not least in that CCPA is still a work in progress (with additional regulations anticipated through 2030), while GDPR is effectively complete as is. Additional considerations include:
Both require slightly different data mapping and data flow mapping processes
Privacy policies created to meet GDPR requirements will likely require additional updates to meet CCPA parameters
Written contracts with service providers that meet GDPR requirements may need updating to include non-discrimination language to comply with CCPA
Both sets of regulations offer relatively short time periods to fix violations, although the CCPA offers a more generous window at 30 days versus the GDPR's seven days. However, CCPA allows individuals to file suit against companies, to form class action lawsuits, and to seek what could, potentially, be significant civil penalties.