blog: Don Marti


Example of where GDPR compliance doesn't get you CCPA compliance

07 July 2020

You can't just cut and paste a set of existing GDPR compliance tools and processes (or a subset of what you do for GDPR) and get to CCPA compliance.

One area where CCPA and GDPR are substantially different is identity verification. (This is something that published articles on CCPA compliance often get wrong. Check with your lawyer.)

GDPR: where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

CCPA regulations: A request to opt-out need not be a verifiable consumer request. If a business, however, has a good-faith, reasonable, and documented belief that a request to opt-out is fraudulent, the business may deny the request. The business shall inform the requestor that it will not comply with the request and shall provide an explanation why it believes the request is fraudulent.

If someone sends a GDPR Article 21 objection, the recipient is allowed to ask them for additional info to verify themselves, and doesn't have to explain why. But if someone sends a CCPA opt-out, the recipient has to act on it unless they have a good-faith, reasonable, and documented belief that it's actually fraudulent.

And, on denying an opt-out, the recipient must provide an explanation of why they believe the request to be fraudulent. This writing assignment for the recipient is in CCPA but not GDPR.

(This only applies to opt-outs. The recipient can verify identity if someone asks for right to know and/or right to delete.)

Also, the CCPA opt-out doesn't have to come directly from the natural person. It can be from an authorized agent or a browser setting. The recipient still has to have that good-faith, reasonable, and documented belief in order to deny it, and they still have the writing assignment.

How publishers can reset to serve a cookie-less digital marketplace

Deep Dive: How publishers must adapt to the new normal

W3C Ad Tech Members Panicked About Slow Progress For Third-Party Cookie Alternative

The Wall Street Journal, Barron’s Group Emphasize First-Party Data to Advertisers

New data shows publisher revenue impact of cutting 3rd party trackers

Bruce Schneier says we need to embrace inefficiency to save our economy

After 7-year wait, South Africa's Data Protection Act enters into force


The new CCPA draft regulations: Identity verification

Andrew Yang's Data Dividend Isn't Radical, It's Useless

How to Remove YouTube Tracking

CCPA Compliance: Facebook Announces ‘Limited Data Use’ Feature