GDPR and CCPA in 2021

October 29, 2021

Business Environment

GDPR and CCPA are probably two initialisms you’ve seen a lot over the past few years, but what exactly do they mean? How does this apply to you and your company?

For a lot of companies, it means adding one of those pesky pop-ups on their site asking consumers if it’s okay to “track their cookies”.

For example:

[Image: footer banner displaying cookie and privacy policy compliance information]

GDPR and CCPA are both privacy laws that were enacted in an effort to protect consumer privacy and data online. While they are quite different in their requirements and definitions, they both play a major role in ecommerce.

We’ll break down the main differences and what requirements your business will have to meet in order to comply.

[Image: protecting customers' personal data, a recipe for success]

CCPA vs. GDPR

California Consumer Privacy Act (CCPA)

The CCPA applies to for-profit businesses that do business in California. The regulations it puts in place give consumers more control over their personal information while providing businesses with guidance on implementation. The CCPA applies to businesses that meet any of the following criteria:

  • Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

[Image: GDPR checklist graphic]

General Data Protection Regulation (GDPR)

The GDPR protects data belonging to EU residents and citizens. The law applies to organizations that handle data whether they are EU-based organizations or not. It binds organizations to strict rules about securing and using personal data they may collect.

See the scope of the law in the regulations below:

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

If you are required to comply, take a look at the Compliance Checklist for next steps in planning your business decisions.

E-Commerce Impact: How does this affect me?

Well, this depends on your business. Unfortunately, Razoyo is a development agency, not a legal agency. You will need to consult a lawyer or legal team well-versed in these policies to tell you which regulations you must comply with and which ones you are exempt from.

The first step is finding out whether either the GDPR or the CCPA applies to your company.

Blocking

Did you know that if your business does not actively operate in the EU and you have no interest in processing data from EU residents, you can block access from the EU altogether? With Cloudflare, Sucuri, or another web-based firewall, you can easily configure specific countries to be blocked. If you are not using a service like these, your web server itself can be configured to do the blocking. Although this is more time-consuming, the one-time setup cost may be worth it compared with paying a monthly subscription.
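The web-server route mentioned above, as an added example that is not from the original post: an nginx configuration that answers requests from IP addresses geolocated to an EU member state with HTTP 451 before any application code runs or cookies are set. It assumes the ngx_http_geoip2_module is installed, a MaxMind GeoLite2-Country database sits at /etc/nginx/GeoLite2-Country.mmdb, and the server_name and upstream address are placeholders.

```nginx
# Added example, not part of the original post or any vendor's documentation.
# Assumes ngx_http_geoip2_module and a GeoLite2-Country database (paths are placeholders).
load_module modules/ngx_http_geoip2_module.so;

http {
    # Look up the ISO country code of the connecting client address.
    # If nginx sits behind a CDN or proxy, configure ngx_http_realip_module first
    # so $remote_addr is the real client rather than the proxy.
    geoip2 /etc/nginx/GeoLite2-Country.mmdb {
        $geoip2_country_code country iso_code;
    }

    # 1 for the 27 EU member states, 0 for everyone else (including failed lookups).
    map $geoip2_country_code $block_eu {
        default 0;
        AT 1; BE 1; BG 1; HR 1; CY 1; CZ 1; DK 1; EE 1; FI 1;
        FR 1; DE 1; GR 1; HU 1; IE 1; IT 1; LV 1; LT 1; LU 1;
        MT 1; NL 1; PL 1; PT 1; RO 1; SK 1; SI 1; ES 1; SE 1;
    }

    server {
        listen 80;
        server_name shop.example.com;   # placeholder

        # Refuse before the request reaches the store: no session, no cookies, no logging
        # of personal data by the application. 451 "Unavailable For Legal Reasons" is the
        # conventional status for this kind of block.
        if ($block_eu) {
            return 451;
        }

        location / {
            proxy_pass http://127.0.0.1:8080;   # placeholder upstream
        }
    }
}
```

IP geolocation is approximate (VPNs, mobile carriers, stale databases), so treat this as reducing exposure rather than proof that no EU data is processed, and verify the rule with a test request from a known EU address.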

Collecting Data

You and your team will need to determine whether your company meets the legal thresholds for the CCPA or GDPR, or is exempt from their requirements. If you are not exempt, the next step is to work out how to comply. Most of this comes down to your business and its practices; you will then need an approach to handling user data that complies with the policies.

Protecting Customer Data Across Ecommerce Platforms

Magento 2

There are a couple of extensions that can help you manage customer data and display the appropriate information on the site. Here is Adobe’s guide to the CCPA. For CCPA compliance, three extensions may be helpful:

https://amasty.com/california-consumer-privacy-act-for-magento-2.html
https://plumrocket.com/magento-ccpa/ccpa-rights
https://mirasvit.com/magento-2-gdpr.html (GDPR & CCPA)

And some for the GDPR compliance:

https://docs.magento.com/user-guide/stores/compliance-gdpr.html
https://marketplace.magento.com/sparsh-magento-2-gdpr-extension.html
https://www.mageplaza.com/magento-2-gdpr-extension/
https://mirasvit.com/magento-2-gdpr.html (GDPR & CCPA)
https://amasty.com/gdpr-for-magento-2.html

OroCommerce

Achieving compliance with OroCommerce is a little easier since, as of Oro 4.2, Consent Management is built right into the platform. Their documentation explains how to configure everything and set up the required pages.

BigCommerce

BigCommerce provides tools similar to Oro’s, described in their documentation: https://support.bigcommerce.com/s/article/Implementing-CCPA-with-BigCommerce?language=en_US. The main work is deciding on your new business practices; you can then create a web page with a contact form to collect takedown requests.

Conclusion

While the GDPR and CCPA may be confusing, we hope this guide has helped clarify the basics between the two. If you’re pretty sure either of these could apply to you and your business, it is a good idea to familiarize yourself with the current law.

Do you need help making sure your site is compliant?

Be sure to contact us if you would like help evaluating your site’s compliance status or need help implementing your compliance plan.
