With the recent passages of the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), many people use the names of these two key pieces of legislation together, as if they literally mean the same thing. However, while both have been crafted and designed to protect Personal Identifiable Information (PII) datasets, there are some notable differences between them.
PII Versus Personal Data
The CCPA has been designed to protect the personal information of American consumers, while the GDPR has been crafted to specifically protect the personal data of individuals in the European Union (EU) and any other consumer that transacts commerce with a business with offices in the EU.
Personal information can be defined as follows:
- Full legal names, email addresses, driver’s licenses, Social Security Cards, passports, etc. In other words, anything that can identify a certain individual based upon a mixture of letters and/or numbers.
- It is also extended to include:
  - The browsing history and current online activity of consumers;
  - Any form of dynamic activity that takes place between a contact form on a website and mobile apps;
  - Social media information, especially if it can be used to build a profile about an individual.
Personal data is defined as:
- Any specific piece of data that can directly identify a person. It is important to note that there has to be a direct correlation; this definition does not include any inferences between data sets that can be used to identify someone.
In contrast, the GDPR is much more heavily focused on regulating entities known as Data Controllers, as they actually manage and process the personal information and data.
The Rights That Are Afforded To Individuals
While both the CCPA and the GDPR have established a common set of rights that are granted to consumers, there are also noticeable differences between the two of them.
- Opting Out: Consumers located in California can request their PII data sets not be used, sold, or distributed in any fashion to external third parties.
- Non-Retaliation: If a consumer wishes to challenge a business as to how their personal information and data is being handled, the business cannot treat that person differently than other customers. For example, that business must still allow the consumer to buy or use their products and/or services, charge them the same price as they would others, and provide the same quality of service as they do to other customers who have not challenged them.
- The Use of Attorneys: Just like the right to having an attorney in a trial, a consumer has the right to hire a lawyer (or any other designated appointee) to represent them in the questioning, dispute, or contestation as to how their PII datasets are being stored, processed, and used.
- Any Use of Incentive Tactics: If any sort of financial motive (beyond selling the information) was used in order to sell your PII dataset(s) to an external, third party, that business in question must notify you immediately in writing.
- The Ability to Correct Mistakes: EU consumers have the right to ask the business to correct their personal information and data if it is found to be in error. In return, that business must then make the changes immediately, and provide the consumer with written proof that they have done so.
- Control over Processing of Personal Data: While the CCPA allows California consumers to prohibit the selling of their personal data, it is rather murky in that it does not allow them to stop the actual processing of it. By contrast, the GDPR clearly spells out that EU consumers can restrict the actual processing of their data.
- The Profiling of Consumers: Any automated tool (such as Artificial Intelligence and/or Machine Learning) that is used to build a profile of an individual is strictly prohibited.
It’s clear that the GDPR and CCPA handle personal data and personal information in different ways, and each affords consumers a different set of rights. Our next article will explore the different ways GDPR and CCPA allow consumers’ personal information and data to be used.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.