Software Disclosure Requirements: CCPA and GDPR

Publisher: Sol Minion Development
Tags: cybersecurity, data security, data policy

It’s time to start caring. GDPR (General Data Protection Regulation) replaced the EU’s 1995 Data Protection Directive; it was adopted in 2016 and became enforceable on May 25, 2018. Most small businesses were not too concerned with GDPR compliance, as they were not doing business within Europe. However, California brought the data compliance game straight to the US. So, what will that mean for you and your business software?

What Is GDPR & CCPA Compliance?

Both GDPR and the CCPA (California Consumer Privacy Act, along with its update, the California Privacy Rights Act (CPRA) -- see below) aim to protect consumers’ data and privacy by regulating how businesses protect that data and privacy.

Here is what you need to know about GDPR:

  • Take a full inventory of what personal data you’ll be storing, where it will be stored, and how it will be protected.
  • Create a privacy policy (here’s ours) and get your customers/users to acknowledge that policy.
  • Implement the data security measures GDPR requires (Article 32 calls for “appropriate technical and organisational measures”, naming encryption and pseudonymisation as examples).
  • Train your company to detect breaches and notify the supervisory authority within 72 hours of becoming aware of one (Article 33).
  • Feel free to read the full 88-page regulation here.

And for CCPA:

  • Consumers have the right to know what personal information is being collected and stored about them.
  • They have a right to delete their personal information.
  • They have a right to opt out of the sale of their personal information.
  • They have a right to non-discrimination for exercising these rights.
  • It lets consumers sue over data breaches caused by a failure to implement reasonable security, which makes this a cybersecurity regulation as well.
  • Just like with GDPR, businesses must share their privacy policy with their customers.
  • Here is the official CCPA documentation.

How does CCPA differ from GDPR?

Both the CCPA and GDPR cover notifying customers of a data breach, instituting privacy policies, providing access to and control of personal data, and empowering consumers to take action to protect their data.

In addition to the similarities, here are a few differences:

  • GDPR restricts transfers of personal data across international borders.
  • The CCPA specifically regulates the sale of personal information and gives consumers the right to opt out of it.
  • GDPR places direct obligations on data processors, not just on the businesses that collect the data.
  • The CCPA explicitly protects consumers against discrimination for exercising their rights.

What About CPRA?

The California Privacy Rights Act (CPRA) is basically an update to the CCPA that came as a ballot measure (Proposition 24) passed by California voters in November 2020. Its amendments to the CCPA became operative on January 1st, 2023. One of the primary outcomes of the law is the creation of the California Privacy Protection Agency (CPPA), which has the authority to issue regulations and enforce the CCPA administratively, while the California Attorney General retains civil enforcement authority.

Do We Need To Comply With CCPA?

The CCPA applies to any for-profit business that does business in California and has at least $25 million in annual gross revenue. It also applies to any business that buys, sells, or shares the personal information of at least 50,000 consumers, households, or devices (the CPRA raises this threshold to 100,000), or that earns 50% or more of its annual revenue from selling (or, under the CPRA, sharing) personal information.

Even if your business is well below those numbers, we suggest building your software and technology -- and training your team -- to comply. These regulations set out some best practices when it comes to data protection and cybersecurity, and we believe that companies of any size need to protect their customers’ data.

What It All Means For Your Business

If you’re at all concerned about complying with either CCPA or GDPR, let us help you understand what you need to know to protect your customers and your business.

Contact us to schedule a review of your technology.