GDPR/CCPA Compliance
The GDPR is focused on creating a “privacy by default” legal framework for the entire EU, whereas the CCPA is about creating transparency in California's huge data economy and rights to its consumers.
The GDPR took effect on May 25, 2018. You might recall receiving an onslaught of emails with your favorite websites updating their terms & conditions. The advent of pop-up windows for cookie policies started popping up on your favorite websites after that date. All of this is attributed to the passing of the GDPR.
GDPR controls how websites, companies and organizations are allowed to handle personal data, which is anything from names, e-mail addresses, location data, browser history and many other things.
The GDPR applies to natural persons, whatever their nationality or place of residence, whose personal data is processed and whose behavior is surveyed while within the EU. The breadth of this legislation means that nearly every online service worldwide is impacted. The sweeping regulation has already resulted in significant changes for US users as companies begin to adapt and has even ensnared major US corporations such as Facebook and Google into disputes with EU governing bodies about their data privacy practices.
The GDPR (General Data Protection Regulation) intends to create a homogenous data protection legal framework across the European Union States with the intent to give back control of personal data to individuals. The GDPR is a landmark law, which imposes strict rules on those hosting and processing personal data, anywhere in the world. The regulation seeks data protection and privacy for all individuals within the European Union. The central premise of the GDPR stipulates how companies manage, use, and share personal data.
The GDPR’s penalties are severe and have two tiers of burdensome fines. The maximum fines per violation are set at up to 4% of a company’s annual global revenue or 20 million Euros, whichever is larger. The lower level fines are up to 2% of a company’s annual global revenue or 10 million Euros, whichever is larger. These huge penalties signal how serious the EU is taking the scope of data privacy.
It is noteworthy that the EU’s GDPR is just the start to a global push to protect personal data online, and we are already seeing other governments follow suit with laws of the same ilk. In the United States, California, arguably the nation’s most progressive state, has followed the EU’s lead and passed its own analogue to the GDPR. The California State Assembly passed the California Consumer Privacy Act (CCPA) in 2018. This law, while not as expansive in scope as the EU’s GDPR, goes into effect in 2020 and will definitely set the tone for the rest of the United States to take the protection of personal data privacy and its security more seriously.
With this said, it is imperative that all hospitality businesses ensure that they are adhering to the GDPR and are even looking forward to compliance to the CCPA.