CCPA, GDPR, data privacy, and you

Dec 31, 2019  - written by  in Domain names

The California Consumer Privacy Act (CCPA), adopted in June, 2018 goes into effect on January 1, 2020 and will extend data privacy rights to Californians. But with California’s economy larger than the UK’s, it’s impact might extend to the entire United States or beyond.

The CCPA extends six rights to consumers in California and has been nicknamed California’s GDPR (the EU’s General Data Protection Regulation implemented in May 2018). It certainly resembles Europe’s landmark privacy regulation, but GDPR goes beyond CCPA in a few key ways that make it significantly better at protecting users’ privacy.

For our part, Gandi has always been committed to supporting users’ privacy. Since we’re also based in France, Gandi users around the globe have benefited from the specific rights GDPR extends to users as well.

Here’s everything you need to know about data privacy rights, CCPA, GDPR, Gandi, and you.

CCPA vs. GDPR

There are many ways in which CCPA and GDPR are alike but there are also several differences between the two. Let’s take a look at a few of the key provisions of each and see where they overlap and where they differ.

Who they protect

While both CCPA and GDPR share an aim to protect internet users (as opposed to corporations), the way they differ in how they define who is protected reveals a lot about the underlying philosophy of each.

While GDPR protects “data subjects,” who are all people regardless of residency or citizenship, CCPA limits itself to “consumers,” specifically, California residents.

Who they regulate

Likewise, while GDPR regulates businesses, public bodies and institutions, and not-for-profit organizations—basically anyone and everyone who ever collects personal data—CCPA only regulates for-profit entities doing business in California that meet certain thresholds, like collecting the data of 50,000 people or more. Businesses also have to have annual gross revenues above $25 million and earn half of its annual revenue from selling consumers’ personal information.

So while GDPR is applicable to any situation where your personal data might be collected, CCPA defines a much narrower scope.

What they protect

GDPR and CCPA are mostly in agreement about what “personal data” is covered and what isn’t. What’s of particular importance here is that personal data needs to be able to be used to identify a single person or household. However, under both GDPR and CCPA, companies are free to collect anonymized or de-personalized data as well as aggregate consumer data.

What rights users have

Under both GDPR and CCPA, users have particular rights. These can be broadly categorized into the following:

  • Right of erasure
  • Right to be informed
  • Right to object/right to opt-out
  • Right of access
  • Right not to be subject to discrimination for exercising rights

The right of erasure covers a user’s right to demand their data to be removed from a database. The version of this right in CCPA is very similar to the one in GDPR. The main difference is that CCPA specifically carves out exceptions for things like detecting security incidents and identifying bugs, and the timeline in which businesses must comply is 45 days instead of 1 month (each deadline can be extended by 45 days and 2 months, respectively).

The right to be informed refers to the right of a user to know certain information about how their data will be used at the point where it’s collected as well as upon request. While GDPR and CCPA are pretty consistent on this first point, GDPR requires much more fine-grained information be released upon request than CCPA does.

The right to object or the right to opt-out allows a user to choose not to have data collected about them. While GDPR broadly allows users to opt out of any kind of data collection, CCPA’s right to opt-out only applies to data that would be used for business purposes.

The right of access is the right for individual users to request information about what personal data has been collected and the data collected itself. Both mandate that the categories of personal data collected, the sources, the purposes, and the other recipients of the data be disclosed, only CCPA limits the scope of this information to the previous 12 months, where no such limit exists for GDPR.

Finally, the right not to be the subject of discrimination for exercising rights doesn’t explicitly exist in GDPR and is a unique feature of CCPA. CCPA requires that businesses not charge higher prices or provide lower quality services to consumers who opt out of data collection. Likewise, GDPR has provisions to ensure users are treated fairly, and that consent be freely given without negative consequences for withdrawing consent, even if it doesn’t include this right explicitly.

Enforcement

Many of the differences in the enforcement mechanisms between GDPR and CCPA likely owe to differences in regulatory regimes between the United States and Europe, but notably, the monetary penalties for violations of GDPR can be significantly higher than under CCPA, while CCPA infringements are fined on a case by case basis (with a large number of individuals impacted by a single policy failure, the total penalties may in fact run just as high as under GDPR). GDPR can penalize a data controller up to €20 million or, in the case of a company, up to 4% of its annual worldwide turnover depending on the severity of the infringement while CCPA specifies $7500 per infringement.

Gandi and your data privacy

Because Gandi doesn’t meet the requirements to be regulated by CCPA, we are not required to comply with any of the provisions of the CCPA. However, since we do collect and process data in the European Union, we are required to comply with the GDPR.

This European law sets high standards of user data protection that we strive to comply with.

Check out our privacy policy for more information.

If you want to exercise your rights under GDPR, you may do so on our online form.

As a final note, long before GDPR or CCPA came along, we’ve been committed to data privacy. One notable example is our inclusion of an opt-out option for the resale of WHOIS data. ICANN requires registrars to resell WHOIS data to any third party who requests it, but since they also allow individual users to opt out of this, for years we opted our users out by default, making this option opt-in only.