In comparing GDPR and CCPA, lessons in compliance emerge

In anticipation of CCPA's Jan. 1, 2020, implementation date, business leaders should understand the parallels between GDPR and CCPA and learn from the EU's GDPR rollout period.

Customer experience today depends on compliant, transparent data collection and handling. However, as the Jan. 1 deadline looms for the California Consumer Privacy Act, organizations face new compliance challenges. For example, confusion remains about who is responsible for CCPA compliance, who is subject to the law and even the language of the law itself.

Fortunately, companies aren't entering a CCPA world blindly. The 2018 rollout of GDPR produced a number of successes and failures that can help companies approach CCPA compliance. Preference and consent management platforms, such as Privacy Manager from Faktor, recently acquired by LiveRamp, also enable organizations to manage the complexities of compliance.

Tim Geenen, founder of Amsterdam-headquartered Faktor, witnessed the GDPR transition from a unique perspective: his company's consent management platform is designed to facilitate compliance with regional privacy laws. Having worked in programmatic advertising for 12 years, he knows a compliant organization is a more secure organization.

Here, Geenen discusses lessons learned from the GDPR transition to apply to a CCPA rollout and explains why data privacy legislation is the new normal.

Editor's note: This transcript has been edited for length and clarity.

What are some of the differences between GDPR and CCPA?

Tim Geenen: If an organization has achieved GDPR compliance, it has done a lot of heavy lifting already, making it easier to become CCPA-compliant.

The main difference between GDPR and CCPA is that GDPR requires a subject's permission for collecting data. Under CCPA, it is about not selling personal data. While the word 'sell' has not been broadly classified, any transfer of personal data onto a third-party platform classifies as a sale. Organizations may have been through these exercises before -- classifications with your partners, like contract negotiation, for example -- which makes it easier. But note that the GDPR and CCPA deployment mechanisms are different.

What is the significance of data protection laws, such as GDPR and CCPA?

Geenen: I believe in the premise that privacy legislation leads to better, cleaner data. Regulation provides consumers with more transparency and choice about their data. That's going to be twofold. There will now be legal requirements on the books to protect consumer data. Additionally, it produces new expectations of consumers. They want to engage with brands and publishers in a way where they are part of that value exchange, where there is transparency about the data -- who is collecting data, why it's being collected and where it is being sent or used. When users adopt new expectations, they may ask questions about opting in or out and whether or not they can use a service without sharing their data.

Regulations will continue to be introduced, and data protection and privacy laws will be the new normal. Brands and publishers need to better communicate what that value exchange is -- for example, how access to content is not for free. You either pay for it with money or data. Once users are aware of this value exchange, it can empower people to start actively managing their own data and their own segments. [This is what I mean when I say,] 'Regulation makes the data cleaner.'

CCPA goes into effect on Jan. 1, 2020, and 86% of companies in the U.S. are still not prepared. Did you see similar hesitation by companies to get out in front of GDPR before the start date?

Geenen: Honestly, I saw the exact same thing. I think a lot of companies have just become aware recently that they need to do something [in anticipation of Jan. 1]. As guidelines become clearer, they're starting to prepare now, but they're late. I still see cases in Europe where companies haven't done anything [up until this point] about GDPR and are only now taking steps towards compliance -- this is almost two years since the rollout.

The CCPA guidelines were released just two months before the start date. It's going to be a challenge for organizations because the implementation guidelines have not been finalized yet. This new law could use a longer runway. But I do want to highlight that, even though there was a three-year runway with GDPR, it was underutilized.

Do you predict fines from GDPR noncompliance will scare companies subject to CCPA straight, or do they have to learn the hard way?

Geenen: I don't think they are scaring anyone straight. The GDPR fines handed out are still obscure. Obviously, Google and Facebook were subject to fines, but those cases were also about previous privacy laws. In the U.S., there are different expectations. I worry about things like class-action lawsuits. Organizations need to consider how consumers will deal with their newly acquired rights under CCPA. This is complicated because not everyone has the same understanding of the law. For example, one of the differences between GDPR and CCPA is the definition of personal information. Even when CCPA defines personal information in its language, it still leaves room for multiple interpretations.

What advice would you give to organizations in their CCPA transition?

Geenen: I believe data protection and privacy regulation are the new normal -- an individual's privacy is considered a fundamental human right. Our clients that were subject to GDPR got wiser about the compliance process as they got more insights and made changes to reflect what they were learning. It starts with communicating the value exchange. Organizations should make sure they are transparent with customers about why they use data and what they do with it.

Categorizing what data the organization already has is a wise first step towards compliance. It's also a step that can lead to many surprises. Up until GDPR, it was largely unknown which third parties were on the average website, for example. Companies subject to regulations such as GDPR had to start taking an inventory of who was on their website, what they do, which ones add value and which do not.

Can you talk about one of the GDPR implementation challenges organizations faced that might inform business leaders in anticipation of CCPA?

Geenen: One aspect often overlooked is that, when it comes to privacy, there is no one clear owner. It's very much a horizontal thing within companies -- there may be six, seven or up to eight different departments involved that have not worked together in the compliance process. One key takeaway should be to designate someone responsible for data privacy at the company level to streamline the process.

Who should be responsible for communicating what compliance means to business leaders?

Geenen: When I read GDPR for the first time, I thought it was very explicit. I took it to mean it was similar to a product requirement specification. Then, we spoke with clients that had a different understanding of those sentences. I was very confused about it, but it was also the best learning that we could have had in the beginning -- that interpretations vary.

The same thing is happening with CCPA. Currently, guidelines from the attorney general, for example, have not been provided. Clarifications are necessary, but the question remains: Who should provide them? I think we're not that far yet. As an industry, I think all of us will benefit from clear interpretations.
