Example of where GDPR compliance doesn't get you CCPA compliance
07 July 2020
You can't just cut and paste a set of existing GDPR compliance tools and processes (or a subset of what you do for GDPR) and get to CCPA compliance.
One area where CCPA and GDPR are substantially different is identity verification. (This is something that published articles on CCPA compliance often get wrong. Check with your lawyer.)
GDPR, Article 12(6):
where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
CCPA regulations, on requests to opt-out:
A request to opt-out need not be a verifiable consumer request. If a business, however, has a good-faith, reasonable, and documented belief that a request to opt-out is fraudulent, the business may deny the request. The business shall inform the requestor that it will not comply with the request and shall provide an explanation why it believes the request is fraudulent.
If someone sends a GDPR Article 21 objection, the recipient is allowed to ask them for additional information to verify their identity, and doesn't have to explain why.
But if someone sends a CCPA opt-out, the recipient has to act on it unless they have a good-faith, reasonable, and documented belief that it's actually fraudulent.
And, on denying an opt-out, the recipient must provide an explanation of why they believe the request to be fraudulent. This writing assignment for the recipient is in CCPA but not GDPR.
(This only applies to opt-outs. The recipient can still verify identity if someone exercises the right to know and/or the right to delete.)
Also, the CCPA opt-out doesn't have to come directly from the natural person. It can be from an authorized agent or a browser setting. The recipient still has to have that good-faith, reasonable, and documented belief in order to deny it, and they still have the writing assignment.