From the course: California Consumer Privacy Act (CCPA) Essential Training

Differences from GDPR

- [Instructor] You might be wondering, what are the differences between GDPR and CCPA anyway? Let's review the four main differences. The key difference between GDPR and CCPA is around the intent of privacy. Basically, GDPR is forward-looking and CCPA is backward-looking. GDPR requires any use of data to have prior consent, whereas CCPA is about creating visibility and the ability to opt out. Think about it as a door with a lock. With GDPR, the door is shut by default. This ensures that users must first unlock the door to allow data to be used. With CCPA, the default allows collection of data, the door's already open. It's up to the consumer to shut the door and lock others out.

There are a few other differences as well. Information is defined differently in the two laws. GDPR defines personal data as any information relating to an identified or identifiable natural person. CCPA goes a step further in defining personal information to include a particular consumer or a household. This categorization of household data in CCPA makes it stand out as additional scope to cover. Think of it like this. Both laws cover the privacy of John Smith. Maybe I know his name and date of birth so I can identify him specifically within my data. Differently, maybe I have an email address of smithclan@email.com and I have a physical address. I may not know it's John Smith, but I know it's someone that lives at the Smith household. That is covered by CCPA.

Another difference between GDPR and CCPA is who is protected. GDPR protects data subjects, which can be any person, and not only European Union residents or citizens. CCPA gives rights to certain consumers who must be residents of California to be protected.

Finally, the scope of who must comply is defined differently as well. GDPR uses the term data controller, which applies to any entity that processes data. There are no restrictions on size, location, or other thresholds. CCPA defines businesses as for-profit with specific revenues and volumes of data collected, which excludes lots of companies from its scope.

As you can see from the examples, GDPR is a much broader omnibus regulation protecting more people from more data processing practices than CCPA. GDPR is preemptive. CCPA is a more specific law that gives California residents the ability to stop certain businesses from selling their collected data. CCPA is reactive.

Although different in some respects, both laws give people additional rights to protect their privacy. Typically, it's not either/or, and you can choose to do both. And truthfully, if you choose to comply with the more stringent components and cover yourself for both regulations, you show that you care about your consumers and you can create a competitive advantage.
