The GDPR and the CCPA regulations have lots in common. At their core, they both aim to guarantee reliable protection for individuals regarding their data. And, both apply to businesses that collect, use, or share personal information.
But, despite inherent similarities, the two differ significantly in key areas, including legal definitions, enforcement, and the rights afforded consumers. Only by understanding the differences can we achieve blanket compliance and protect ourselves from the threat of massive fines and legal action.
What is the California Consumer Privacy Act?
The California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq, better known as the CCPA, is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information of California residents.
Under the CCPA, which came into effect on January 1, 2020, Californians can demand to see all of the personal data a company has collected on them over the previous 12 months, as well as a full list of all third parties with whom their data has been shared.
What is the General Data Protection Regulation?
The EU’s General Data Protection Regulation (GDPR) forms the core of Europe's digital privacy legislation. Agreed upon by the European Parliament and Council in April 2016, it gives EU citizens more control over their personal data.
It introduces new obligations to data controllers (those that gather personal data) and data processors (those that process personal data,) bringing data privacy harmonization to all the EU member states.
How is the CCPA Different from the GDPR?
The CCPA is California’s answer to the European Union’s GDPR. While the GDPR aims to protect EU citizens and their data, the CCPA intends to do the same for California residents, affording them consumer rights unparalleled anywhere else in the United States.
But there are significant differences between the two sets of privacy regulations, which lie in their relative scope, key definitions, legal basis, and enforcement, all of which we explore in greater detail below.
CCPA vs. GDPR
- Who They Apply To
The GDPR applies to businesses, public bodies, and institutions, as well as not-for-profit organizations, regardless of their annual gross revenue. The CCPA, on the other hand, only applies to for-profit businesses that meet one of these three conditions:
The business has a gross annual revenue of $25 million or more.
The business annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
The business derives 50% or more of its annual revenues from selling consumers’ personal information.
There are, of course, fundamental differences as regards who, exactly, the two sets of rules protect. The CCPA only protects California residents, defined as individuals who are in the State “other than for a temporary or transitory purpose” and individuals “domiciled in the State but outside the State for a temporary or transitory purpose.” A California resident who is away studying at an out-of-state college, for example, would still be protected.
The GDPR is a little bit different. It protects what it calls “data subjects,” defined as any natural person, regardless of their residency or citizenship.
- Data Protection and Privacy Laws
The CCPA grants California residents certain data privacy rights, which we can split up into four main categories:
- The right to be informed of what personal information a business has collected, used, sold, or shared.
- The right to delete all the personal information that a business, or any associated company, holds.
- For adults, the right to opt-out of the sale of their personal information. For children under-16, the provision of opt-in consent. And, for children under-13, the requirement of parental or guardian consent.
- The right to non-discrimination for the exercise of rights under the CCPA.
When it comes to the right to be informed, and the right to deletion (which the GDPR calls the “right to erasure”), the CCPA and the GDPR are relatively consistent. But, as regards the right to opt-out (which the GDPR calls “the right to object”), there are considerable privacy protection differences. The GDPR gives consumers the right to object to all processing of their consumer data, while under the CCPA, consumers can only object to the sale of personal information, including their biometric data.
The differences are particularly stark in the matter of the right to non-discrimination. Under the CCPA, businesses cannot charge higher prices or provide worse levels of customer service to consumers who exercise their rights. The GDPR, on the other hand, doesn’t explicitly include a right to non-discrimination at all (although it can be argued it’s implicit in the regulations’ principles.)
- Collecting, Processing, and Selling of Personal Data
What about the specific types of personal information (“personal data” in GDPR language) covered under the two sets of privacy protection laws? They’re similar, but the CCPA is more prescriptive in this regard.
The GDPR counts any information relating to an identifiable person, such as name, ID number, location, online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person, as personal data.
The CCPA goes a step further, providing a long list of categories it views as personal information:
- Identifiers such as name, alias, postal address, username, password, email address, social security number, driving license number or passport number
- Characteristics of protected classifications under California or federal law such as race, religion, sex/gender, and sexual orientation
- Commercial information such as records of personal property and products purchased, obtained, or considered
- Biometric information
- Internet browsing history, search history, and information regarding a consumer’s interaction with websites, apps, or ads
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Employment data
- Education data (that’s not publicly available)
- Any inference that could be used to create a consumer profile such as preferences, characteristics, predispositions, behavior, intelligence, or aptitudes
The GDPR and the CCPA both demand businesses disclose the categories of personal data they collect as well as the purposes of such data processing. But, the CCPA also stipulates that businesses have a conspicuous “Do Not Sell My Personal Information” link on their homepage, which is where consumers go to exercise their right to opt-out of data collection.
- Requirements and Compliance
The GDPR and the CCPA each come with their own set of specific requirements that businesses must follow if they want to achieve compliance. As you can imagine, not all of these are shared. Some of the most significant points of difference are listed below:
- GDPR compliance requires businesses to record a lawful basis for any processing of personal data, while the CCPA allows businesses to process data for any purpose.
- CCPA requirements allow businesses 45 days to respond to requests from consumers (“data subjects” in GDPR language.) The GDPR affords businesses just 30 days.
- The GDPR requires extensive documentation to demonstrate that a business complies with its rules. Under the CCPA, such documentation is merely ‘best practice.
- The GDPR requires businesses that regularly and systematically monitor data subjects on a large scale, or those handling sensitive information, appoint a Data Protection Officer. This is not a requirement under the CCPA.
The GDPR requires businesses to implement what it calls “appropriate technical and organizational measures” to ensure data security. The CCPA doesn’t express any data security requirements.
- Non-Compliance Penalties
If you violate the GDPR or the CCPA, then you’ll be subject to fines. The GDPR can fine a company up to 4% of its annual global turnover or 20 million euros (whichever is highest). CCPA fines are fixed at $2,500 per ‘unintentional’ violation or $7,500 per ‘intentional’ violation. Businesses have 30 days to comply with CCPA rules once notified by authorities, or the heftier of the two fines is levied.
The CCPA also allows any particular consumer the right to take private legal action against offending companies for data breaches. Up to $750 per consumer per incident can be recovered, or actual damages (whichever is greater). $750 might not sound like much for a company turning over $25 million, but when you add up the number of consumers these companies reach, this can quickly reach a massive figure.
An internal CCPA assessment is essential for identifying non-compliance risks and avoiding fines. But such an evaluation has to extend beyond the limits of your organization. It should cover any service provider that processes information for your business, whether it be a large company like Google, or one of your smaller, less organized partners.
CCPA and GDPR Similarities
The spirit of the CCPA and its forebear, the GDPR, are the same. And, when it comes to definitions of personal data, dealing with service providers, rules surrounding children, the right to deletion, the right to know, and the right to access data, the CCPA and the GDPR are somewhat consistent. The right to portability, which means that any data requested should be sent in an easily-understood format, is also shared.
The GDPR and the CCPA have more in common than they have differences and if your business has already made the changes necessary to comply with GDPR data privacy laws, then you’re already halfway towards CCPA compliance. Try to remember that when you’re cursing your way through another round of third-party contract updates!