The EU’s GDPR law has been stirring up one hell of a data privacy pot since May 2018. Arguably the most important data privacy regulation ever created, GDPR aims to protect consumer data from misuse. And for now, it looks like GDPR is working out just fine. Google was recently slapped with a hefty $57 million fine by the French CNIL, the country’s data protection authority. This is far more than the $400,000 fine that a Portuguese hospital encountered back in October 2018.

Clearly, the EU is trying to send a message here: a message to companies that are trying to find workarounds despite the EU making it crystal clear that “cheating” won’t be tolerated. And as it happens, the EU’s GDPR law has inspired many other countries to follow suit. Namely, the US state of California is rolling out CCPA (California Consumer Privacy Act) on January 1st, 2020. And Japan is working on the Act on the Protection of Personal Information.

Indeed, data privacy laws worldwide are changing fast. Many oppose the new laws, while many seem adamant that this is a good change. Whatever the case, such laws are impossible to ignore once put in place, and that’s a fact.

A primer on GDPR.

In simple terms, GDPR requires companies to collect user consent to process, store, or share their data. Each request for user consent must be thoroughly crafted, with strict attention to detail. In other words, you must explain in a simple manner how you plan to use users’ data and how long you plan to use and store it.

On top of that, GDPR requires that companies keep consent data as up-to-date as possible. If the user data has changed, then consent needs to be reaffirmed in the same fashion. Likewise, if you change even the smallest detail regarding user data, your consent request must reflect those changes.

Last but not least, a user can withdraw their consent, which means you must honor the request the first chance you get. And not complying doesn’t seem like an option. GDPR, as a law, has the power to impose severe penalty charges, sometimes up to 2% of your annual revenue, and up to 4% if you do not receive user consent but still store their data.

Big changes, and a lot of work.

Make no mistake. GDPR is affecting the fundamentals of data privacy, and how data is being processed for EU citizens. Anyone who owns a website — and has people visiting the site — must comply, and the WordPress community is among those most affected by the changes.

WordPress collects and stores data in dozens of different ways, and twice as many ways if you count in the custom plugins that people are using outside of their default installation. GDPR requires that site owners produce strict privacy policies, ensure cookie compliance, and let users remove their data upon request. And more. Frankly, that’s an absurd amount of tasks to deal with individually. Fortunately, a lot of WordPress developers and theme designers have stepped up to help and streamline the GDPR compliance process.

At Undsgn, we work hard not only to give our users access to GDPR Privacy Tools, but also put in a lot of work to make Uncode, our flagship theme, one of the most GDPR-compliant themes on the market. We build our themes, and the respective GDPR implementation, so you can enjoy peace of mind every day of the week.

What is CCPA?

The California Consumer Privacy Act (CCPA) is introducing a new layer of rights for consumers and imposing certain ‘limitations’ on companies and organizations that handle consumer data. Although similar in nature to GDPR, the CCPA law has some stark differences from it. Most notably, CCPA does not target every single business, unlike GDPR, which targets all organizations that handle user data.

CCPA aims to emphasize three distinct areas of data protection: how users control their personal data, how companies protect user data, and what kind of information companies can gain about their users. Further, CCPA introduces unique concepts for what we understand as user rights, or what counts as personal data. More on this later.

The last couple of years have been relentless in terms of security breaches for large-scale brands and organizations. If we look back at data breaches as recently as 2017/2018 — you have the likes of Equifax, Quora, Marriott Hotels, and Uber all getting their data breached. That’s more than a billion users affected in less than two full years. From this perspective, it makes complete sense that laws such as GDPR and CCPA would be introduced. Companies need to be held responsible for mishandling consumer data, and consumers should be given the ability to opt out of data storage whenever they desire.

Is the Internet going to turn into one big popup in the coming years as more countries want to enforce their own privacy rules? Only time will tell. For now, let’s look at the main differences between CCPA vs. GDPR to truly understand how CCPA is going to impact both companies and users.

CCPA vs. GDPR: The Main Differences

One thing is for certain: both regulations want to protect user data and give users the means to choose whether they wish to be tracked or not. In spite of that, the following comparison will highlight how much less strict the CCPA implementation is going to be in comparison to GDPR.

Let’s take a closer look.

Who needs to comply?

In the EU, all business owners must comply with GDPR as long as they collect and/or process data from an EU user base. This is a strict implementation and leaves no stone unturned. When it comes to CCPA, the rules seem much more lax:

  • It affects only companies with annual revenue of $25MM+.
  • If you collect the data of fewer than 50,000 users, then you don’t have to comply.
  • If the sales of user data account for over 50% of your revenue, you must comply.

By the looks of it, CCPA is directly trying to target large corporations and businesses that manage large amounts of users.

What about penalties?

The penalties for breaking CCPA rules are far more relaxed than those of GDPR. As it stands right now, you can’t get sanctioned if you don’t comply. And individual violations can rack up a maximum fine of $7,500 per violation. Further, CCPA violations are taken into account only once there has been a confirmed data breach. This, of course, is an extremely relaxed form of enforcement. GDPR, for example, can apply penalties even when it thinks that someone is behaving in a shady manner. Last but not least, consumers may sue a business if it has not properly followed through with CCPA compliance.

Right to be forgotten.

Everyone should have the right to have their user information removed permanently. The two regulations tackle this issue differently. For starters, CCPA will only process deletion requests based on data that has been collected directly from the user. GDPR, on the other hand, honors deletion requests for all data, including data that’s coming from third-party resources.

The GDPR right only applies if the request meets one of six specific conditions while the CCPA right is broad. However, the CCPA also allows a business to refuse the request on much broader grounds than the GDPR.

And there’s a lot more that you need to consider.

Comprehensive resources: Learn about CCPA in-depth

Since CCPA does not become active until January 1st, 2020, there is a lot more time to prepare, study, and understand the regulation. More information, and surely new rules, will become public throughout 2019. For now, use the comprehensive resources to get up to speed fully:

It’s clear that there is no turning back from this. And for now, all we can do is make small and incremental preparations. In the next couple of years, we might see countries in parts of Asia and South America take part in similar efforts to provide effective data protection for all Internet users. Not to mention, the US might draft a regulation that’s nationwide and not just one single state.

How can you prepare your WordPress website for CCPA?

If you went through the process of setting up your site for GDPR compliance, then rest assured that the same process will apply to CCPA. Some developers are already working on plugins to provide CCPA compliance early on. Our approach at Undsgn is very similar. We did a phenomenal job at ensuring that Uncode was fully compatible with GDPR. Further, we gave Uncode users a way to be in charge of GDPR with tools like Consent Logic.

With Consent Logic you can include or exclude Visual Composer rows based on the user’s consent. This is convenient if you use extra modules or plugins that send or collect data.

It is our guarantee to our users that Uncode will be fully compliant with any CCPA requirements. Our goal is to make sure that all of our users have the ability to meet requirements imposed by the law.

Closing statement

Let’s see where the tides of data privacy take us in the coming years. At the moment, it’s looking like companies are being forced into being more careful with their consumer data. And it serves them right!