At first glance, the EU General Data Protection Regulation and the California Consumer Privacy Act differ in many ways, including in basic principles, retention, specific rights and requirements. In practical terms, however, there are many areas for alignment, and aligning them can come in handy for various reasons. First of all, there are situations in which some companies need to follow both laws for the same processing activity. There will also be situations in which this is a matter of choice, either to make the process simpler and therefore cheaper, or because decoupling business operations by geography is not really a feasible option.
Implementing a simple, step-by-step model based on the life cycle of data remains key to making such a process operational.
Key steps for a unified GDPR and CCPA process
Of course, there are many well-established models for the data life cycle and data management. While all of them are valuable and can be used in one way or another, some steps or stages correspond most closely to the objectives and requirements of both laws.
First of all, define a business case for using personal information.
This should be obvious, but, unfortunately, it is still sometimes treated as an afterthought. Any processing activity starts and ends with a defined business purpose, and only with one can the collection and use of specific types of data be properly justified. This is also the moment to ask the business whether the same objectives can be achieved without any personal information, which should always be the preferred option.
Second, consider the specific requirements and risks arising from the types of data and the intended use. If you plan to process GDPR special categories of data, characteristics of protected classifications under California or federal law, or any other data that is particularly sensitive, conduct an additional legal analysis. This is also the stage at which you should consider conducting a data protection impact assessment, even when it is not strictly required in the given circumstances.
Make sure your planned activities are state of the art, proportionate and truly professional. This means using only information and means of processing that are appropriate for the intended goals, secure and in line with consumer expectations. Authorities are very unlikely to consider a company compliant if what it does makes no sense, or if its methods are obsolete or ineffective. If you have already conducted a data protection impact assessment, it will need to be linked to the business process and updated as the process evolves over time.
Be transparent about the processing activity, which includes providing appropriate notices. It also requires giving consumers sufficient ways to exercise their rights and to communicate securely, including a toll-free telephone number and an electronic channel.
Layered notices may be especially useful and appropriate, so that basic information is specifically brought to consumers' attention, a "do not sell" link and contact details are clearly visible, and any potentially unexpected purposes or consequences are explicitly communicated. More detailed information, satisfying specific regulatory requirements, including local ones where appropriate, can be provided in a second layer. Augmenting such communication with videos is recommended, while accessibility of the content for persons with disabilities should be considered a necessity.
Subsequently, use the data in accordance with the notice. This includes, but is not limited to, pursuing the stated purposes, updating the data as and when needed, respecting consumer rights, sharing data only with providers that are subject to sufficient contractual and security requirements, and, when transferring data to independent third parties, respecting consumers' choices (opt-ins and opt-outs as appropriate).
When in doubt, it is advisable to adopt the more stringent requirement, e.g., one month under the GDPR rather than 45 days under the CCPA for responding to a consumer request.
Make sure you review and delete personal information at regular intervals, in line with the notice and with consumer choices as appropriate. If the company does not need the data, there are no prevailing legal grounds to keep it for compliance reasons, and the consumer herself does not need it, there is no point in storing it.
It is recommended that such reviews are conducted at least once every 12 months. This will also make it easier to meet your disclosure and reporting requirements under the CCPA and to follow GDPR principles such as storage limitation. Last but not least, it will reduce risks and overall compliance effort while increasing the relevance and value of business data that is up to date and kept to a reasonable amount. Under both the GDPR and the CCPA, data anonymization can be used instead of deletion.
Lastly, keep appropriate records and statistics. This is relevant not only because of direct requirements under the GDPR and CCPA, but also, indirectly, because you are responsible for constantly analyzing and improving your compliance and privacy posture, and that is only possible with appropriate and timely information to fuel your organizational efforts.
Main considerations for opt-in and opt-out
Opt-in and opt-out requirements appear to differ considerably between the GDPR and the CCPA, and, hence, significantly more work could be needed to implement them with the exact wording of both laws in mind. If, however, the rationale behind these concepts is taken into consideration, cautious standardization can be pursued. First of all, under both the GDPR and the CCPA, opt-in should be treated as a clear, affirmative action amounting to informed consent. Secondly, the CCPA opt-out and the right to object under the GDPR have a lot in common. They may also be linked to data deletion, as and when the person objects to further use of her data. Such a right to say no is not absolute, and the business could still argue that the data or activity is necessary, except where the law makes the right unconditional (as with direct marketing under the GDPR and the sale of data to third parties under the CCPA). Using data for new purposes unrelated to those for which it was initially collected would normally require an opt-in instead.
Given all these areas for alignment, such standardization would clearly require providing consumers with more rights and following the more stringent rules by default. This can be beneficial for simplifying the process, but also where it is a conscious policy to give consumers enhanced control over their data in order to build more trust and establish better relationships.
Whether it is a necessity or simply a matter of choice, implementing such a unified data management model to cover both the GDPR and CCPA requirements is only doable with clear steps or stages defined and documented from the outset. With a properly implemented framework, you will still be able to maximize the value and utility of data, but, obviously, you will not be able to minimize the compliance requirements. Storage limitation is one example. While the CCPA is not as clear as the GDPR that data that is no longer needed should be deleted even without a specific consumer request, and companies could therefore retain such data, regular review and deletion of data is required for any unified data management process. At the same time, it will greatly contribute to maintaining the quality and utility of data and to minimizing compliance and security burdens, since there is less data to protect and potentially less exposure in case of e-discovery orders.