Posted on: 08/08/2019


The reality today is that different jurisdictions around the globe are at different stages of data protection regulation. We have already talked about GDPR in Europe but the GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to:

  • offering goods or services to EU citizens (irrespective of whether payment is required)
  • the monitoring of behavior that takes place within the EU.

Non-EU businesses processing the data of EU citizens also must appoint a representative in the EU.[i]

When you start to look beyond the EU and the impact that GDPR has had in the Americas and Asia, has the impact been any different?

The ASEAN Framework on personal data protection in South Asia, the extended scope of China’s new privacy regulation, and the California Consumer Privacy Act (CCPA) in the US are all great examples of the influence GDPR is having around the world and the added complexity global organizations need to contend with where different regions start to implement new global laws and rights for their people.


“With regulations already in place across Europe, and several U.S. states taking the matter into their own hands, with potentially 50 states enacting individual data privacy laws, one can imagine the burden organizations will endure to comply with them,” said Michael Magrath, director of global regulations and standards at OneSpan. “Overarching federal legislation will help address these concerns and make life easier and more secure for consumers and organizations alike.”[ii]

In America, California is currently the most significant state for data privacy - mainly because it’s where numerous technology companies that will be widely affected by new regulations are based. News in this area is however constantly moving and changing, and several U.S. states have CCPA-inspired legislation of their own. Illinois, Maine, Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, and Washington have all amended their breach notification laws to either expand their definitions of personal information, or to include new reporting requirements and many more look likely to follow.

The California law was passed on 28th June 2018 and goes into effect on January 1, 2020. It appears to have some similarities to GDPR along with some fundamental differences as well. Realistically however, companies needed to have had control of the data utilized by their businesses by the start of 2019, since GDPR is already in place and the CCPA gives applicable consumers the right to request all the data a company has collected on them over the previous twelve months.[iii]

So, what are the core differences between GDPR and CCPA?

Territorial & material scope

The CCPA scope is somewhat more specific than GDPR and only applies to those organisations who ‘do business in the State of California’ regardless of where they are physically located. It is further limited to businesses that process the personal data of Californian residents (which is broadly defined  by the personal income tax code of the state) and applies only to businesses that are ‘for profit’ and:

  • have at least $25 million in annual revenue
  • alone or in combination buys, receives, sells or shares the personal information of at least 50,000 people on a yearly basis or
  • collect more than half of their revenue from the sale of personal data.

This is a noticeable difference to GDPR since it applies to ALL organisations that process personal data, regardless of revenue.[iv]

Definition and scope of personal data

The CCPA defines personal data more broadly than GDPR by including such things as IP addresses, cookies and pixel tags.

It then also holds specific exemptions to certain types of data which are not covered by the act such as medical and protected health information. [v]


GDPR fines are based on the offending company’s total global revenue, while the California Consumer Privacy Act (CCPA) fines offenders based on the number of records affected by a breach or a privacy policy violation (up to $7,500 per compromised record).[vi]

Breach notification

GDPR grants a narrower window because a company has just 72 hours to determine and report scope of a breach. California, in contrast, gives businesses 30 days.[vii]

Consent & consumer rights

European users must opt in to share their data under GDPR, while California allows companies to opt people in by default while giving them the option to opt out under the CCPA.[viii]

But California's law then goes further in two significant respects.

  1. Consumers can sue companies if the policy guidelines are violated, even if there is no actual data breach.
  2. As well as consumers being able demand to see all the information about them a company has, they can also under CCPA demand a full list of all the third parties their data is shared with too (a point of consideration as to whether the sharing is for business or commercial purposes)[ix]

Despite it being the first state data protection law in the US which is a milestone, the CCPA is actually very different to GDPR in its applicability and will certainly require relevant companies to invest in CCPA compliance whether they are compliant with GDPR already or not.

However, different states across the region are starting to enact their own individual laws with lawmakers in Washington, D.C., working to pass a federal data privacy bill ahead of the 2020 elections. A federal law on data privacy would help the United States catch up with the European Union and perhaps reduce the complexity of very specific state laws that in time, can only get more detailed and complex – and on that basis risk becoming impossible for organisations operating globally to comply with.[x]

Regardless of what we can foresee, all U.S. companies should be reviewing what types of data they collect, how they collect it, what they do with it, and how its protected. Ensuring that they always have control and access to meet demands of consumers and regulators, alike.

Voice data is no different and can be overlooked, despite representing a major untapped opportunity for organizations. Due to advances in AI and ML, voice-based interaction has now progressed beyond compliance with regulations such as GDPR or CCPA and is being used to address automation, security, fraud and enhance employee engagement and the customer experience.

Organizations are now considering how best to define, build and support their voice and AI strategies but if one thing is certain it’s that it is essential that they have secure access to and control of captured voice data, and call recording software that provides the tools to support this.

Fundamentally GDPR and CCPA indicate that simply maintaining reasonable data security will no longer be adequate. Organizations must instead determine how to align their business goals and product design with the privacy rights of individuals all around the globe to remain compliant and competitive.

Get in touch with us today to find out more about how to take steps to gain data sovereignty and value from your voice data using Red Box’s free and open APIs and our extensive partner ecosystem.












View all