CCPA and GDPR
The California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are legal frameworks with different scopes, definitions, and requirements. Businesses that operate under both regulations can and will have different compliance obligations to meet. Call us for a compliance health check to evaluate your level of risk.
• Under GDPR, companies must complete a data inventory and a mapping of data flows in order to create records that demonstrate compliance. Under CCPA, additional data mapping is likely to be needed to reflect the different requirements.
• Under GDPR, companies must develop processes and/or systems to respond to individual requests for access to personal information and for erasure of personal information. These processes and/or systems can at times be applied to CCPA consumer requests, although businesses will need a method of reconciling the different definitions of personal information and the different rules on verifying consumer requests.
• Under GDPR, companies must disclose their data privacy practices in a privacy policy. CCPA also requires companies to disclose specific business practices in a comprehensive privacy policy. Many California companies that operate commercial websites and online services must already post a privacy policy under the California Online Privacy Protection Act, or CalOPPA, and will need to update this policy for CCPA.
• Under GDPR, companies must draft and execute written contracts with their service providers (“processors”). Companies may need to review these contracts to reflect the requirements of CCPA.