We have been discussing the similarities and differences between the CCPA and GDPR. In our first article, we compared the applicability of the regulations and the basis for processing personal data. In the second article, we examined individuals' rights with respect to their personal data. In this third article, we will examine what information an organization or business must disclose to individuals about their personal data and about their rights with respect to that personal information.

Transparency about Personal Information, its Use, and Persons' Rights

Both the GDPR and CCPA require that businesses/organizations be transparent with data subjects/consumers about their personal information and its use.

Under the CCPA, businesses need to be clear about what personal information they collect, the purposes for which they use it, whether the personal information is sold or shared, and how long they intend to keep each category of personal information. A business provides this information in a notice when or before the personal information is collected. For example, a business would have a link to the notice on the business's webpage where a customer enters their personal information. This notice must list the categories of personal information the business will collect about consumers and the purposes for which it is used. The business cannot collect other categories of personal information or use the information for additional purposes without notifying the consumers. The notice must also include a link to the business's privacy policy.

Businesses collecting consumers' personal information also need to inform customers of their rights under the CCPA. This information is provided in the business's privacy policy. The business must notify consumers of their right to know the personal information the business collects, to delete their information, and to opt-out of the sale of personal information. The business must also inform the consumer of their right to non-discrimination. This right means a business cannot discriminate against a consumer (e.g., deny goods or services to the consumer, charge different prices, or provide a different quality of goods or services) if the consumer exercises their rights with respect to their personal information. For further details on consumers' rights under the CCPA, see article two in this series.

The GDPR also requires that a data controller provide data subjects with certain information when collecting their personal data. The information must be provided in a "concise, transparent, intelligible and easily accessible form, using clear and plain language" (GDRP Article 12(1)). The information to be provided in this privacy notice includes the identity of the data controller, the purposes and legal grounds for processing, how long the personal data will be stored, and whether or not it will be transferred to a third country (and if so, the safeguards that will be followed to protect the data if it is not being transferred to a country with an adequate level of protection). If the personal data is not being provided by the data subjects, but rather the data controller receives the personal data from another party, the data controller must also inform data subjects of the types of personal data being processed. For further details on what information to provide data subjects under the GDPR see this article.

Just as a business must inform consumers of their rights with respect to their personal information under the CCPA, a data controller must also inform data subjects of their rights with respect to their personal data under the GDPR. This information is provided in the same privacy notice discussed above in which the data controller informs data subjects of its identity and the purposes and legal grounds for processing personal data, among other information. In the privacy notice, the data controller must inform data subjects of their right to request that the data controller provide access to, correct, or erase their personal data, and data portability, as well as the data subjects' right to object to or restrict the processing of their data. If the personal data is being collected and processed based on data subjects' consent, the data controller must also inform data subjects of their right to withdraw such consent. (For further details on data subjects' rights under the GDPR, see Part 2 of this series)

Conclusion

The CCPA and GDPR both aim to increase consumers'/data subject's knowledge about the use of their personal information and their rights with respect to that personal data. Under the CCPA, information about its use is provided in a notice at or before collection of the personal data, and the consumer's rights with respect to the data are detailed in a business's privacy policy. Under the GDPR, a data controller informs data subjects of both the use of their personal data and their rights with respect to that data in a privacy notice.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.