The GDPR & The CCPA a Quick Look with a Forensic Twist

Written by Amber Schroader

January 12, 2021

With both laws now in force, many people use the terms CCPA and GDPR interchangeably, as if they meant the same thing. Both were crafted to protect Personally Identifiable Information (PII) and personal data, but there are notable differences between them.

PII Versus Personal Data

The CCPA was designed to protect the personal information of California residents (the "consumers" in the law's own terms), while the GDPR protects the personal data of individuals in the European Union (EU). The GDPR applies to any organization established in the EU, and also to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU, whether or not the organization has an office there.

Personal information (the CCPA's term) can be defined as follows:

  • Identifiers such as a legal full name, e-mail address, driver's license number, Social Security number, or passport number. In other words, any string of letters and/or numbers that identifies, relates to, or could reasonably be linked with a particular individual or household.
  • The definition also extends to include:

    * Browsing history, search history, and other records of a consumer's web-based activity;

    * Internet cookies and similar online identifiers;

    * Records of a consumer's interaction with a website, web form, mobile app, or advertisement;

    * Social media information and any other data that can be used to build a profile of an individual, including inferences drawn from any of the above.

Personal data (the GDPR's term) is defined as:

  • Any information relating to an identified or identifiable natural person. The person does not have to be named: the definition covers anyone who can be identified directly or indirectly, for example by reference to an identifier such as a name, an ID number, location data, or an online identifier, or to factors specific to that person's physical, genetic, economic, cultural, or social identity. Pseudonymized data that can still be attributed to a person with the help of additional information remains personal data.

The two laws also differ in scope. The CCPA applies only to for-profit businesses that do business in California and meet at least one of its thresholds: annual gross revenue above $25 million, annually buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices, or deriving half or more of annual revenue from selling personal information. The GDPR has no size or revenue threshold: it applies to every Data Controller (the entity that decides why and how personal data is processed) and every Data Processor (an entity that processes personal data on a controller's behalf).

The Rights That Are Afforded To Individuals

Both the CCPA and the GDPR grant individuals a common core of rights, including the right to know what data is held about them and the right to have it deleted. There are also noticeable differences between the two, which are:

The CCPA

  • Opting Out: Consumers located in California can direct a business not to sell their personal information to third parties, and the business must honor that request.
  • Non-Discrimination (Non-Retaliation): A business may not retaliate against a consumer who exercises their CCPA rights or challenges how their personal information is being handled. It must still offer that consumer its products and services, charge them the same price it charges others, and provide the same level and quality of service it provides to customers who have not challenged it.
  • The Use of an Authorized Agent: Much like the right to counsel at trial, a consumer may designate an attorney (or any other authorized agent) to submit requests on their behalf and to question, dispute, or contest how their personal information is stored, processed, and used.
  • Financial Incentives: A business that offers a consumer a financial incentive (for example, a discount or loyalty reward) in exchange for collecting, selling, or retaining their personal information must disclose the material terms of that incentive, may enroll the consumer only with their prior opt-in consent, and must let them withdraw that consent at any time.

The GDPR

  • The Ability to Correct Mistakes (Rectification): EU data subjects have the right to ask a business to correct inaccurate personal data and to complete incomplete data. The business must act on the request without undue delay, normally within one month, and must tell the data subject what action it has taken.
  • Restricting Processing: While the CCPA lets California consumers prohibit the selling of their personal information, it is murky whether it also lets them stop the actual processing of it. The GDPR spells out directly that EU data subjects can restrict the processing of their data (for example, while a dispute over its accuracy is resolved), and separately gives them the right to object to processing and to have the data erased.
  • Automated Decisions and Profiling: The GDPR does not ban profiling outright, but it gives individuals the right not to be subject to a decision based solely on automated processing (including profiling by Artificial Intelligence or Machine Learning tools) that produces legal or similarly significant effects on them, unless the decision is necessary for a contract, authorized by law, or based on the individual's explicit consent. Even then, the individual must be able to obtain human intervention and contest the decision.

The Usage Of Data

There are also differences in how personal data can be used:

The CCPA

This legislation gives California-based businesses much wider latitude to use consumer information in ways that are lawful. But they must notify consumers, at or before the point of collection, of the categories of personal information being collected and the purposes for which each will be used. Once again, the right to opt out must be spelled out very clearly: a business that sells personal information must provide a clear "Do Not Sell My Personal Information" link on its website homepage and in its privacy policy, and give users of its mobile apps an equally accessible way to opt out, not bury it behind the contact forms used on websites and in mobile apps.

The GDPR

Unlike the CCPA, the GDPR spells out exactly when personal data may be processed. Article 6 lists six lawful bases, and a controller must be able to point to at least one of them before any processing is deemed lawful:

  • Consent: Opting out is easy, but for a business to rely on consent it must first get the individual to opt in. Consent must be freely given, specific, informed, and unambiguous, given by a clear affirmative action (a pre-ticked box does not count), and it must be as easy to withdraw as it was to give. Explicit consent is required for special categories of data such as health or biometric data.
  • Contract: The processing is necessary to perform a contract with the individual, or to take steps at the individual's request before entering into one (for example, preparing a quote).
  • Legal Obligation: The processing is necessary for the controller to comply with a legal obligation it is subject to, such as retaining payroll records for tax purposes or responding to a lawful order from a court or regulator.
  • Vital Interests: The processing is necessary to protect someone's life or physical safety. This is directly applicable to Emergency Room situations where a patient is unable to give consent.
  • Public Task: The processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller (typically a public body), and that task must have a basis in law that the affected individuals can look up.
  • Legitimate Interests: The processing is necessary for the legitimate interests of the controller or a third party (fraud prevention and network security are the classic examples), except where those interests are overridden by the interests or fundamental rights of the individual, particularly a child. This is the murkiest area of the GDPR, because the controller must carry out and document a balancing test before relying on it, and the individual keeps the right to object.

When it comes to compliance, digital forensics and data management become a cornerstone, because only digital forensic tools give you a comprehensive understanding of the data you actually hold. Paraben's flagship product, Electronic Evidence Examiner, will help your organization maintain CCPA and GDPR compliance by proactively scanning the data sets of both your employees and your customers, so that you know what personal data you hold and where it lives before you are ever audited. Using a digital forensic tool for compliance in this way shows a very proactive stance with regard to protecting the data of both your employees and your customers. Additionally, in the unfortunate case that you are impacted by a cyberattack, Electronic Evidence Examiner will also allow you to collect latent pieces of evidence without delay, and thus deploy remediation actions quickly.
