We have been discussing the similarities and differences between the CCPA and GDPR. In our first article, we compared the applicability of the regulations and the basis for processing personal data. In the second article, we examined individuals' rights with respect to their personal data. In this third article, we will examine what information an organization or business must disclose to individuals about their personal data and about their rights with respect to that personal information.
Transparency about Personal Information, its Use, and Persons' Rights
Both the GDPR and CCPA require that businesses/organizations be transparent with data subjects/consumers about their personal information and its use.
The GDPR also requires that a data controller provide data subjects with certain information when collecting their personal data. The information must be provided in a "concise, transparent, intelligible and easily accessible form, using clear and plain language" (GDRP Article 12(1)). The information to be provided in this privacy notice includes the identity of the data controller, the purposes and legal grounds for processing, how long the personal data will be stored, and whether or not it will be transferred to a third country (and if so, the safeguards that will be followed to protect the data if it is not being transferred to a country with an adequate level of protection). If the personal data is not being provided by the data subjects, but rather the data controller receives the personal data from another party, the data controller must also inform data subjects of the types of personal data being processed. For further details on what information to provide data subjects under the GDPR see this article.
Just as a business must inform consumers of their rights with respect to their personal information under the CCPA, a data controller must also inform data subjects of their rights with respect to their personal data under the GDPR. This information is provided in the same privacy notice discussed above in which the data controller informs data subjects of its identity and the purposes and legal grounds for processing personal data, among other information. In the privacy notice, the data controller must inform data subjects of their right to request that the data controller provide access to, correct, or erase their personal data, and data portability, as well as the data subjects' right to object to or restrict the processing of their data. If the personal data is being collected and processed based on data subjects' consent, the data controller must also inform data subjects of their right to withdraw such consent. (For further details on data subjects' rights under the GDPR, see Part 2 of this series)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.