Example of where GDPR compliance doesn't get you CCPA compliance
07 July 2020
You can't just cut and paste a set of existing GDPR compliance tools and processes (or a subset of what you do for GDPR) and get to CCPA compliance.
One area where CCPA and GDPR are substantially different is identity verification. (This is something that published articles on CCPA compliance often get wrong. Check with your lawyer.)
GDPR: where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
CCPA regulations: A request to opt-out need not be a verifiable consumer request. If a business, however, has a good-faith, reasonable, and documented belief that a request to opt-out is fraudulent, the business may deny the request. The business shall inform the requestor that it will not comply with the request and shall provide an explanation why it believes the request is fraudulent.
If someone sends a GDPR Article 21 objection,
the recipient is allowed to ask them for additional info to
verify themselves, and doesn't have to explain why.
But if someone sends a CCPA opt-out, the recipient has to act
on it unless they have a good-faith, reasonable, and
documented belief
that it's actually fraudulent.
And, on denying an opt-out, the recipient must provide an explanation of why they believe the request to be fraudulent. This writing assignment for the recipient is in CCPA but not GDPR.
(This only applies to out outs. The recipient can verify identity if someone asks for right to know and/or right to delete.)
Also, the CCPA opt-out doesn't have to come directly
from the natural person. It can be from an authorized
agent or a browser setting. The recipient still has
to have that good-faith, reasonable, and documented
belief
in order to deny it, and they still have
the writing assignment.
Bonus links
How publishers can reset to serve a cookie-less digital marketplace
Deep Dive: How publishers must adapt to the new normal
W3C Ad Tech Members Panicked About Slow Progress For Third-Party Cookie Alternative
The Wall Street Journal, Barron’s Group Emphasize First-Party Data to Advertisers
New data shows publisher revenue impact of cutting 3rd party trackers
Bruce Schneier says we need to embrace inefficiency to save our economy
After 7-year wait, South Africa's Data Protection Act enters into force
The new CCPA draft regulations: Identity verification
Andrew Yang's Data Dividend Isn't Radical, It's Useless
How to Remove YouTube Tracking
CCPA Compliance: Facebook Announces ‘Limited Data Use’ Feature
