CCPA vs. GDPR vs. LGDP: The Marketer's Guide
The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018, restricting data collection practices and usage. This groundbreaking legislation was followed by the California Consumer Privacy Act (CCPA) in January 2020.
Finally, the Lei Geral de Proteção de Dados (LGPD) or General Data Protection Law was passed on February 15, 2020. It represents Brazil's version of the GDPR.
When it comes to the CCPA vs. GDPR vs. LGDP, they all share the same primary objective, protecting consumer's data. Nonetheless, these regulations also come with unique provisions, requiring special attention from marketers.
Working for a GDPR-compliant company makes the transition smoother when it comes to CCPA and LGDP compliance. Nevertheless, the devil's in the details.
Moreover, if your organization is amongst the 50 percent of companies who remain non-compliant, it's time to roll up your sleeves. You've got work to do.
Here's what you need to know about privacy laws to ensure your brand stays in compliance.
CCPA vs. GDPR vs. LGDP
Let's start by taking a look at the scope of these privacy data regulations. For the GDPR, restrictions apply to any company that collects information about European Union residents, even if the company doesn't maintain a physical address in Europe.
In other words, it's not where the company is located but rather where its prospects and customers are.
The same applies to the CCPA, too. If your brand collects information about Californian consumers or meets the following criteria, you must comply:
At least 50 percent of the company's annual revenue comes from selling personal information
The company gets information from more than 50,000 data sources or consumers each year
The company's yearly revenue exceeds $25 million
Does your organization meet these requirements? Currently, about half a million American companies do.
As for the LGDP, it impacts companies offering services and goods to residents of Brazil. The LGDP has made sweeping changes to Brazil's existing data protection regime. Like the GDPR, it also applies to companies without a physical address in Brazil. Again, it all comes down to whom you're collecting data from and where they reside.
There's a fair amount of overlap when it comes to the GDPR, CCPA, and LGDP. They also contain critical differences that you need to be aware of, however.
American Companies and Online Privacy Laws
Some companies have managed to squeak past GDPR compliance by doing minimal business in the EU and refusing web traffic from European IP addresses. Avoiding the CCPA is a far different proposition for American companies.
After all, California ranks as the fifth-largest economy in the world. It would significantly hamper American companies to avoid business dealings in the "Golden State." Refusing traffic from California IP addresses is also out of the question.
Fortunately, there are some critical differences between the type of data that the GDPR and LGDP target as opposed to the CCPA. These differences could help your brand in the long run.
The Type of Data Regulated by the GDPR and the CCPA
The GDPR's scope encompasses all European Union residents, indiscriminately restricting types of data collected and processed about them. This jurisdiction applies whether you're talking about first-, second-, or third-party data.
When companies collect information by going directly to consumers, and those consumers volunteer it, it falls under the umbrella of zero-party data. This type of information is also referred to as declared data and remains exempt from the new privacy regulations.
The same goes for the CCPA and the LGDP, which regulate all personal data controlled and processed by entities. These restrictions apply across industry sectors and have extraterritorial applications.
The Main Objectives of the "GDPR California"
CCPA's main objective remains limiting the sale of personal information. These types of transactions allow companies to profit from private user data without any compensation provided to consumers.
If you're in the business of selling second- and third-party data, the CCPA will negatively impact you. What's more, if you're a marketer who relies heavily on second- and third-party data, then you'll need to transition to other marketing strategies.
What's the bottom line for all marketers? The necessity of shifting away from what you may have been doing towards the collection of zero-party data. Zero-party or declared data is of a higher quality and greater usefulness to your marketing campaigns, too.
Why? Because unlike second- or third-party data, which doesn't complete the picture and often forces marketers to make assumptions, declared data comes straight from the horse's mouth. It provides you with a better snapshot of who your customers are.
In other words, the "California GDPR" will force your brand to reprioritize its marketing efforts in ways that are ultimately more reliable and successful. It's a win-win for you and your brand.
Data Erasure and Consumer Rights
The GDPR and the CCPA both feature "right to deletion" provisions. These provisions are also informally known as the "right to be forgotten." These protections provide consumers with the right to request their personal information be deleted under specific circumstances.
What are some reasons for deletion? Many aren't readily applicable to the marketing-related justifications a company may have for using and storing data.
Fortunately, when it comes to managing these deletion requests, an existing GDPR compliance program is compatible with the CCPA's requirements with a few minor adjustments.
Other Key Differences Between the GDPR and the CCPA
Besides their differing focuses on data, other critical differences between the GDPR, CCPA, and LGDP include their frameworks. Ultimately, the GDPR and LGDP are both based on opt-in frameworks. Residents of the EU and Brazil must fill out an opt-in consent form.
The CCPA, however, assumes consent for users 16 years of age and older. It requires businesses to offer an opt-out link when people visit their website. This notice lets consumers restrict a company's ability to sell their information to a third party.
The provisions regarding data don't stop there, however. There are also specific regulations in place when it comes to providing access to personal data. As it stands, businesses must provide access to what's been collected over the past year.
They also must clearly distinguish between data that was sold or transferred. Consumers have the right to opt-out of consent if an acquisition or a merger "materially alters" how consumer information gets used.
That way, consumers don't agree with the use of their data in one way, only to have it sold and used in a way that corrupts the spirit of their original consent.
Consequences of the GDPR, CCPA, and LGDP
What effects will non-compliant companies face under the provisions of the GDPR, CCPA, and LGDP? Some researchers believe there will be a surge in litigation related to consumer data privacy laws.
Why? Because unlike the GDPR, which has a four percent cap on global revenue for regulatory penalties, the CCPA includes no limits when it comes to the fines that could be imposed against a company by the California Attorney General.
The LGDP also has litigation limitations. Non-compliance with the LGDP can lead to fines of up to two percent of the company's gross Brazilian revenues or 50 million reais (about $13 million) per violation.
As a result, the CCPA's capacity to damage companies monetarily dramatically exceeds that of the GDPR or LGDP. That said, fines associated with infractions of any of these laws are nothing to laugh at.
It's worth noting that the United States has a more active regulatory oversight mechanism in place than the European Union or Brazil. As a result, many experts feel that the CCPA will trigger more legal action against non-compliant companies than the fall out from the GDPR or LGDP.
There are also differences when it comes to how the GDPR, CCPA, and LGDP get enforced. The GDPR relies on a variety of different bodies for oversight. As a result, this oversight is generally less active.
As for the CCPA, all oversight is centralized with the California Attorney General. Coupled with the lack of a cap on potential fines, the CCPA's enforcement could prove stricter and more robustly enforced.
Following the passage of the LGDP, Brazil provisionally created the Brazilian National Data Protection Authority. This organization will enforce the LGDP and has extended the compliance period to August 2020.
Complying with Data Privacy Regulations
What are some steps that you can take to ensure compliance with each of these data privacy regulations? Let's explore these restrictions and what complying looks like.
Complying with the GDPR
The first step to GDPR compliance is having access to all of your data sources. No matter the technology, you must investigate and audit what personal data you're currently storing across your company's data landscape.
Once you have this access, you'll need to inspect these sources to identify the types of personal data they encompass.
If your company has buried personal data in semistructured fields, you'll need to extract, categorize, and catalog it. How? By elements such as social security numbers, email addresses, and names.
After you've established a personal data inventory and governance model, set up the correct level of data protection. To comply with the GDPR, this involves three techniques:
Pseudonymization
Anonymization
Encryption
How do you know which of these techniques to apply to which data? The answer to this question depends on the user's rights and the usage context.
The easiest way to comply with the GDPR? By pressing the delete button. In other words, only keep the data you need to run critical enterprise processes
Last but not least, you'll need to produce reports that show regulators what personal information you have and its location. You also need to demonstrate that you properly manage and secure it.
Complying with the CCPA
If your company has been lax when it comes to GDPR compliance, then you'll need to do some serious work to catch up with the CCPA.
Based on what experts believe the consequences of CCPA enforcement will be, it's in your company's best interests to get with the game.
Like the GDPR, you'll need to determine where your consumer data is coming from and stored. You'll also need to identify who handles this consumer data.
Depending on your brand's business model, the people involved in handling consumer data likely include a team of representatives from your marketing, customer service, sales, and research and engineering departments.
You'll also need to revise your online privacy notice as well as document all of the "reasonable security" measures that you take to preserve data privacy.
You should also make sure all of your employees receive training in CCPA compliance. Why? Because it can impact a variety of departments from IT to customer service and underwriting.
Complying with the LGDP
As for compliance with the LGDP? Start by identifying the agents involved, including the owner, the controller, and the operator.
Next, you'll need to identify essential data and ensure data collection consent. From there, you must ensure supplier compliance. You'll also need to appoint a Data Protection Officer (DPO) responsible for the control and management of this data.
Despite the similarities and differences with each of these three privacy laws, one thing's for sure. Legal support is critical to navigating the restrictions and requirements of all three. A legal expert will ensure you observe every detail. They'll also help you identify possible failures in your current processes or data management.
Navigating GDPR, CCPA, and LGDP Regulations
When it comes to CCPA vs. GDPR vs. LGDP, many of the necessary steps of compliance are similar. Nonetheless, you'll need expert legal assistance to navigate the complexities of each set of laws. After all, you don't want to face the financial penalties associated with non-compliance.
This moment also marks the perfect time to explore a different marketing approach, one founded in the use of zero-party or declared data.
Want to find out more about interactive marketing and declared data? Subscribe now to start receiving cutting edge digital marketing content straight to your inbox.
Or, let's hop on the phone to discuss how Ion Interactive can ramp up your conversion rates while complying with data privacy laws. Let's chat!