+8 votes
by (330 points)

2 Answers

+2 votes

Some important considerations:

  1. Data collection - the most important consideration of all. Map out and document all data collection, processing, storage, and the data processing lifecycle. Ensure security throughout the user lifecycle.
  2. Vendors - Use established, well-known third-party tools that follow the top industry standards. Nothing shady.
  3. User consent - Obtain informed and unambiguous consent for the collection and use of personal data for the specific purposes for which you are collecting it. No grey areas.
  4. Necessity - Strive to use only what is absolutely necessary. Don't over-collect data just because you can.
  5. User communication - Manage and respond to users’ requests, especially consent withdrawal.
  6. Privacy policy - make sure it contains all disclosures required under the GDPR/CCPA.

All these are a must if you really want to cover yourself from all angles. 

by (680 points)
Thanks for the detailed answer!
How do you get the user consent for CCPA? With a popup the first time the user is launching the app? Do you also need to allow the user to opt-out (for instance in the app settings)?
There is no consent needed for CCPA. There is also no need for a popup - even if you 'sell' data under the CCPA. The law prescribes a prominent 'Do Not Sell My Personal Information' link on your website or app at the point of data collection. Most websites have misconstrued this as a cookie consent, and most apps as a CMP consent interface - neither of which is legally accurate. To be compliant with the CCPA you can certainly show an opt-out popup, but it must be specified as a 'Do Not Sell My Personal Information' reference, not just consent for cookies or 'tracking' (in that sense, even the Apple ATT consent is technically not compliant with the CCPA).
0 votes

In practical terms of implementation, if a company is already compliant with GDPR, they are almost certainly compliant with CCPA, since GDPR is more strict. So to answer the question: the most important consideration when making an app compliant with both sets of regulations is to focus on making it compliant with GDPR, which virtually guarantees compliance with CCPA. Here's an article I wrote about GDPR compliance for mobile apps: What does GDPR mean for mobile?

The main considerations are:

  • Allowing users to make informed consent to have their data collected and shared;
  • Allowing users to delete their data, see what data is being collected about them, and to move their data from your service to another in a format that is considered standard;
  • Not sharing or collecting data beyond 1) some reasonable standard and 2) the scope that is laid out in consent;
  • Allowing users to opt-out of data collection.

In terms of differences between the regulations:

One comparison between GDPR and CCPA is that the GDPR is a door that prevents data from being collected ("privacy by default") whereas CCPA is a window that allows a person to understand what data about them is being collected. The biggest difference this creates in terms of practical compliance is that the right of prior consent that exists in GDPR and compels a company to gain consent from a user before collecting PII doesn't exist in the CCPA, and the right to opt-out that exists in the CCPA and compels a company to allow a user to opt out of data collection doesn't exist in the GDPR (because the user would have needed to give prior consent).

Note that both sets of regulations provide the right to access and the right to deletion / erasure (delete is the CCPA term, but the rights are functionally identical). There are some other differences around applicability (CCPA only applies to companies of a fairly substantial size) and protections (CCPA only protects legal residents of California).

This article from the FPF provides a nice overview of the similarities and differences between the CCPA and the GDPR.

by (15.2k points)
While the laws are quite similar in defining personal information/personal data and offering rights to access/deletion, they materially differ on the consent/opt-out issues. GDPR (with the other ePrivacy Directive) prescribes consent for 'tracking', whereas the CCPA is really only an opt-out if the company is defined as 'selling' information - which is much more narrow than the EU concepts of tracking or 'onward transfer' of data. The CCPA compliance obligations are very specific to 'Do Not Sell My Personal Information' - so most of the cookie consent/app CMP consents are technically not compliant with the CCPA (nor is the Apple ATT consent). If you 'sell' information, you must specify that prescribed opt-out method from the law on your website/app.