If your website collects or can collect information from users, you may be subject to the GDPR and the CCPA. These laws may apply to any website that collects or processes personal information from EU or California residents, and the penalties for non-compliance can be severe.

The California Consumer Privacy Act ("CCPA") took effect January 1, 2020, and the EU General Data Protection Regulation ("GDPR") has been in full swing since 2018. There is no better time to take a look at your site’s Terms of Service and Privacy Policy to determine your compliance. Here are three things you should know.

1. Do I need to be GDPR compliant?

If you offer services in the EU or regularly track information about anyone living in the EU, including through websites and mobile applications, you are subject to the GDPR. The GDPR also applies if EU customers are directly targeted through advertising or the use of an EU member nation currency. That means, if you are operating in the EU in any form (even online), you must do so in accordance with the GDPR. If your site is potentially of interest to EU citizens, the safest course is to make it GDPR compliant.

GDPR compliance is particularly important if you process information that falls within the “Special Categories of Data” referred to in Section 9 of the GDPR. These special categories of sensitive data include health data, data revealing ethnic origin, political opinions, and biometric data. If you are processing any of these special categories, you are responsible for a heightened compliance level.

The possible repercussions of not complying with the GDPR are fines of up to €20 million or 4% of worldwide turnover, whichever is greater. Complying with the requirements of GDPR is not optional, and people cannot waive their rights to protection under GDPR. The only way to avoid the GDPR is to avoid targeting or collecting data from users in the EU.

2. Do I also need to comply with the CCPA?

The CCPA applies to businesses operating in California, regardless of where the business is located. This may include collecting personal information about California residents and customers. As such, if any of your potential users, customers or clients are located in California, the best practice is to ensure your site is CCPA compliant.

The CCPA and GDPR are not identical, though they share certain core tenants. Both require that users have the right to access and delete their personal information and transparency about how information is used.

Unlike the CCPA, the GDPR requires a "legal basis" for data collection. The CCPA and GDPR also define important terms differently, including personal information and the types of information protected. The CCPA surpasses the GDPR by requiring that a privacy policy provide updated data sharing information reflecting the company's previous 12 months of information sharing. The CCPA also grants users an absolute right to opt-out of the sale of their personal information and requires the addition of opt-out links on websites and mobile applications.

The two laws also take different approaches to the protection of information about children. The CCPA addresses the sale of children's information but not the processing, requiring an opt-in approach for parents providing consent for kids under 14, and allowing teens 13-15 to provide their own consent. The GDPR sets the age of consent for data processing to 16, although EU member states may set the age as low as 13.

3. Do I need a Data Protection Officer?

If your business processes sensitive data on a large scale or engages in systematic monitoring of people, you may be required by the GDPR to appoint a Data Protection Officer ("DPO"). The DPO may be a staff member of your organization or may be contracted externally. The DPO's role is to advise the organization on data protection obligations, monitor internal compliance, and act as a contact point for data subjects and the supervisory authority. The DPO must have expertise in the field of data protection. The EU, unfortunately, does not define what this expertise means, but suggests the level of knowledge "should be determined…according to the data processing operations carried out and the protection required for the personal data processed.”

* * *

Changing privacy laws within the United States and abroad have created complexities and risks for companies, both small and large. If you are collecting information about people, it is best to speak to an attorney to ensure that your privacy policies and terms of service meet these requirements.