Cloud Data Privacy Roadmap Part 3: Comparing & Contrasting Some Data Privacy Laws 

- by David Loshin, Expert in Data Management

We can demonstrate the complexity of protecting sensitive data by comparing three jurisdictional privacy laws: the European Union General Data Protection Regulation (GDPR), which went into effect in May 2018; the California Consumer Privacy Act (CCPA), which came into effect in January 2020; and the Virginia Consumer Data Protection Act (VCDPA), which goes into effect January 2023. Table 1 provides a general overview and comparison of these three laws.

Data subject
  GDPR: The regulation covers protection of personal data associated with an individual, referred to as the “data subject,” who is a resident of the European Union.
  CCPA: The regulation covers protection of personal data associated with an individual, referred to as the “consumer,” who is a California resident.
  VCDPA: The regulation covers protection of personal data associated with an individual, referred to as the “consumer,” who is a Virginia resident.

Obligor
  GDPR: Data controller and data processor.
  CCPA: CCPA refers to “businesses” that determine the purposes of processing and “service providers” that handle personal information on behalf of the businesses.
  VCDPA: Data controller and data processor.

Data subject rights
  GDPR:
    • The right to be made aware of the purposes of data collection and data processing.
    • The right to know the categories of personal data being collected and managed.
    • The right to know the identity of other parties to whom the data may be transferred and the justifications for transferring the data.
    • The right to know the period for which the data will be maintained and stored.
    • The right to have data corrected.
    • The right to have data removed.
    • The right to know the source of the data if the data was not received from the data subject.
    • The right to know whether the data will be used for processing and what processing it will be used for (including profiling).
    • The right to receive a copy of the data being maintained by the data controller.
    • The right to transfer acquired data to another controller.
  CCPA:
    • The right to know what data is collected.
    • The right to be made aware of the purposes of data collection and data processing, and of the categories of personal data being collected and managed.
    • The right to opt out of the sale of personal information.
    • The right to have data deleted.
    • The right to non-discrimination and equal service despite exercising CCPA rights.
    • The right to be informed of these rights.
  VCDPA:
    • The right to know whether a controller is processing personal data.
    • The right to correct inaccuracies.
    • The right to receive a copy of the data being maintained by the data controller.
    • The right to have data deleted.
    • The right to opt out of the processing of personal information for targeted marketing, sale, or profiling.
    • The right to non-discrimination and equal service despite exercising VCDPA rights.

Types of protected data
  GDPR: Information that is related to an identified or identifiable person. Also includes biometric data and genetic data, as well as data about health status, political opinions, race, ethnicity, religious beliefs, sexual orientation, and union membership.
  CCPA: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. CCPA also enumerates numerous types of data, including real name, alias, mailing address, unique personal identifier, online ID, IP address, email address, account name, social security number, driver’s license number, passport number, or other types of identifiers. CCPA also includes inferences drawn from information, such as a consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
  VCDPA: Any information that is linked or reasonably linkable to an identified or identifiable natural person.

Type of exempted data
  GDPR: Personal data that has been pseudonymized (i.e., processed in a way that the personal data cannot be attributed to the data subject without additional information, such as a decryption key) is still considered personal data, but pseudonymization reduces the risk of exposing personal data and helps data controllers and processors comply with the regulation.
  CCPA: First, CCPA only covers data associated with residents of California. Second, additional data types are exempted from coverage, such as some employment information, communications between businesses, data covered under federal laws, warranty and recall information, and personal information collected and used outside of the state of California.
  VCDPA: VCDPA only covers data associated with residents of Virginia. VCDPA does not apply to Commonwealth bodies (e.g., agencies, boards, authorities, etc.). VCDPA does not apply to data covered under federal laws, nor to some employment information.

Covered acts
  GDPR: Collecting, processing, and automated processing to profile the data subject (e.g., using analyses to make inferences about personal aspects of the data subject).
  CCPA: Processes that are performed on personal data, as well as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic means, a consumer’s personal information by the business to another business or third party for monetary or other valuable consideration.”
  VCDPA:
    • Targeted advertising (displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests).
    • Profiling (any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements).

Mode
  GDPR: Opt-in
  CCPA: Opt-out
  VCDPA: Opt-out

Obligations to the data subject
  GDPR: The data controller must be transparent about data usage, specify the purposes for which the data was collected, minimize data collection, assess the level of risk of data exposure associated with processing, implement data security and data protections, and notify data subjects in the event of a breach.
  CCPA: The data controller must be transparent about data usage, specify the purposes for which the data was collected, secure consent, and maintain records.
  VCDPA: The data controller must be transparent about data usage, specify the purposes for which the data was collected, secure consent, assess the level of risk of data exposure associated with processing, implement data security, and maintain records.

Exempt scenarios
  GDPR: Processing necessary for the performance of a contract, compliance with a legal obligation, protecting the vital interests of a data subject (or other individual), or performance of a task carried out in the public interest.
  CCPA: There are 9 enumerated situations in which a business or service provider is not required to comply with a consumer’s request to delete personal information, including (but not limited to) completing the transaction for which the personal information was collected, detecting malicious, deceptive, fraudulent, or illegal activity, engaging in public or peer-reviewed research, or complying with a legal obligation.
  VCDPA: VCDPA cannot restrict a controller or processor from complying with federal, state, or local laws and regulations; responding to inquiries, investigations, or summonses by other governmental jurisdictions; investigating, preparing for, or defending legal claims; providing a product or service requested by a consumer; protecting the life or physical safety of other individuals; detecting malicious, deceptive, fraudulent, or illegal activity; engaging in public or peer-reviewed research; or assisting another controller or processor in complying with these obligations.

Table 1: A comparison of three different data privacy laws. 

A perusal of this table shows some differences between these three data privacy laws. For example:

  • Different levels of precision in definitions allow for different interpretations that affect compliance, such as determining which data characteristics are or are not considered to be “personal.”
  • Different rights are assured to the data subjects in different scenarios, such as business context or physical location.
  • Different obligations are assigned to the data controllers and data processors, and these obligations are triggered by different circumstances.

And while the differences between these laws may seem small, they can exacerbate the challenges of implementing data privacy and security across the hybrid data landscape. You must also remain aware of the fluidity of the legislative process, in which existing laws can be amended or modified over time. For example, the California Privacy Rights Act (CPRA), approved in November 2020, amends and expands CCPA: among other things, CPRA adds two new consumer rights, the right to correct inaccurate information and the right to limit the use and disclosure of personal information. Changes to existing laws imply a need to continuously monitor public policy initiatives and to assess the implications of those changes for your own data protection practices.