In Part I of this series, we reviewed the differences between how the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) define personal data and personal information, as well as the consumer rights each guarantees. In this article, we will explain the differences between how the CCPA and the GDPR are allowed to use Personal Identifiable Information (PII).
This legislation gives California based businesses much wider latitude for using consumer information and data in a way that is legal. But they must provide written notification to customers as to how their personal information and data is specifically being used. Once again, the right to opt out must be spelled out very clearly, especially in contact forms that are used in both websites and mobile apps.
Unlike the CCPA, the GDPR very clearly spells out how PII datasets can be used. There are six established rules for this, and at least one of them must be met before any kind of usage is deemed to be lawful:
- More Stringent Consent: EU citizens can opt out quite easily, but in order for their confidential information to be used, they must also give explicit approval to the business, in a manner known as “Opting In.”
- The Contract: In order to use the data, a contract must be formed first between the business and the consumer, or at least be in the stages of formation.
- Controls: The right set of controls must be implemented and carefully scrutinized before any personal data can be distributed. Further, these controls are subject to an audit by the appropriate regulatory agencies.
- Healthcare: Personal information/data can be used, no matter what, if it is used to save the life an individual. This is directly applicable to Emergency Room situations.
- Public Usage: If the PII datasets of consumers are going to be used for the commonwealth of the public at large, then this must be directly stipulated to those groups of individuals that will be impacted in this regard.
- Mission Critical Operations: If the processing and usage of PII datasets are needed to support the most important processes of the business, then it can proceed, provided that written notification is provided to the consumers. This is deemed to be a somewhat murky area of the GDPR, and technically, it is known as “Exploring Further.”
We have now covered the major differences between the GDPR and CCPA. There are also some subtle differences between these two pieces of legislation, which will be reviewed in a future article.