The California Consumer Privacy Act (CCPA) is the most recent privacy law, after the EU's General Data Protection Regulation (GDPR), to have a broad impact on how people's personal information is handled. On May 25, 2018, the GDPR replaced the EU Data Protection Directive of 1995 and transformed how businesses handle and protect personal data. The CCPA grants California residents a set of privacy rights over their personal information. It took effect on Jan. 1, 2020.
Although the two regulations have much in common, some differences stand out. It is worth knowing where these variations lie in order to judge how they might affect a business. Complying with one may make it easier to comply with the other, but that is not always the case.
Data protection is currently a dominant concern for organizations, which must meet their legal obligations while keeping the trust and business of valued customers and clients.
People are more aware than ever of the value of their data, of the importance of data protection and of their data security and privacy rights. This is reinforced by the large-scale breaches of personal information that keep occurring across the globe and affect millions of people. This growing awareness is driving change: people want privacy and need the ability to control their information.
Countries and their lawmakers are listening and reacting, as the recent reform of data security and privacy legislation shows. The CCPA, like the GDPR, gives individuals the privacy and control over their data that they need and want. Consumers and data subjects welcome this, but it may cause some concern for businesses. There has never been such a strong focus on data privacy, data security and the proper handling and processing of people's information, and it all seems to be happening at once. So it is good to keep abreast of the changes and understand how each regulation may affect how your business operates.
The CCPA guarantees the following rights to Californian residents:
The GDPR guarantees the following rights to EU data subjects:
On first reading, the two sets of rights overlap considerably, but on closer study the differences become apparent. Both regulations give people specific rights when their data is processed by a controller or processor (GDPR) or by a for-profit business (CCPA). Some rights are similar, some overlap only partly, and some exist in one regulation and not the other. Both laws also set specific requirements for how these rights are exercised, delivered and upheld. Let's take a closer look.
Both the CCPA and the GDPR grant the following rights in some form:
Exists under CCPA and not the GDPR:
Does not exist under the CCPA and exists under GDPR:
The CCPA applies only to a for-profit entity that does business in California, collects personal information from California residents and meets at least one of the act's revenue or size thresholds: annual gross revenue above $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices per year; or deriving 50 percent or more of its annual revenue from selling consumers' personal information.
The GDPR does not look at the size or revenue of the business. It covers every controller and processor established in the EU, regardless of whether the processing itself takes place inside or outside the EU, as well as controllers and processors established outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. An entity that processes personal data of people in the EU in either of these ways must comply, whatever its size or sector.
Another notable difference is that the GDPR applies to nonprofit and charitable organizations too. In contrast, the CCPA is only relevant to for-profit businesses that meet the revenue or size thresholds.
Neither law requires a general registration with a regulator. The GDPR replaced the 1995 Directive's notification regime with accountability duties instead: keeping records of processing activities (Art. 30), publishing the contact details of a data protection officer where one is appointed (Art. 37) and consulting the supervisory authority before starting high-risk processing (Art. 36). Some member states retain a fee or registration requirement under national law. The CCPA imposes no registration requirement at all.
| GDPR | CCPA |
| --- | --- |
| For-profit or nonprofit entities | Only for-profit entities |
| Irrespective of revenue or size | Must meet revenue or size thresholds |
| Personal data of any EU data subject | Personal information of California residents only |
| No general registration; accountability duties apply (records of processing, DPO contact details, prior consultation), and some member states charge a national fee | No registration requirement |
So, the GDPR has a far broader reach and scope than the CCPA.
The CCPA protects consumers, defined as natural persons who are California residents. This includes people acting as customers for household goods and services, as employees or as contacts in business-to-business dealings (employee and business-to-business data were given partial, time-limited exemptions by amendments passed before the law took effect). The GDPR protects data subjects, defined as identified or identifiable natural persons to whom personal data relates. Both laws focus on information that can identify a person, and both can reach beyond their home jurisdiction, so they may affect businesses outside California or the EU.
The CCPA protects any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Exceptions apply, such as publicly available information (data lawfully made available from federal, state or local government records) and personal information already governed by other legislation (such as health information covered by HIPAA).
The GDPR protects any personal data relating to an identified or identifiable data subject. It sets strict conditions for processing special categories of data (for example health, biometric or political-opinion data); unless one of those conditions is met, such processing is prohibited outright. The GDPR applies to all personal data regardless of whether it already falls under sector-specific rules for finance, medicine, insurance and so on (unlike the CCPA), so in this respect it has a wider sector and company reach.
Similar information is protected (data that can identify a person); however, the CCPA explicitly extends protection to information linked to a household, a concept the GDPR does not have. Device-level data such as browsing and search history is covered under both laws, but the GDPR covers it only where the device or online identifier relates to an identifiable person, whereas the CCPA covers it at the device and household level regardless.
| CCPA | GDPR |
| --- | --- |
| Includes household- and device-linked information | Covers device identifiers only where they relate to an identifiable person; no household concept |
| Exempts information already governed by sector-specific laws | No such exemption; every business must comply |
| No special-category concept | Special category data subject to additional conditions |
The GDPR explicitly requires appropriate technical and organizational measures to secure personal data and reduce security risk (Art. 32), whereas the CCPA does not directly impose data security requirements. However, the CCPA does allow action to be taken when nonencrypted or nonredacted personal information is breached because a business failed to implement reasonable security procedures and practices.
The GDPR has substantial data security requirements and combines data privacy and security rules, whereas the CCPA focuses primarily on consumer privacy.
The GDPR requires businesses to appoint a data protection officer under certain circumstances; however, the CCPA does not have this requirement.
The GDPR requires a wide range of documentation, policies, processes, records and training to demonstrate accountability for secure data processing and to prove compliance. The CCPA has no equally extensive requirement; it calls for some staff training and minimal documentation by comparison.
The GDPR restricts transfers of personal data outside the EU. A transfer is allowed only when the destination benefits from a European Commission adequacy decision, an approved transfer mechanism such as standard contractual clauses or binding corporate rules (BCRs) is used, or one of the regulation's specific derogations applies. The CCPA, in contrast, does not restrict international data transfers.
The CCPA and the GDPR differ in penalty structure and approach. GDPR administrative fines are tied to a business's revenue: up to 4 percent of annual global turnover or €20 million, whichever is higher, for the most serious infringements (and up to 2 percent or €10 million for others). Fines can be imposed for non-compliance as well as for data breaches.
CCPA civil penalties are assessed per violation: up to $2,500 for each violation and up to $7,500 for each intentional violation, enforced by the California attorney general. These penalties apply to any violation of the act, not only to data breaches, but they can be sought only after the business has been notified of the alleged violation and given 30 days to cure it. Non-compliance with the CCPA is therefore not penalized the moment it occurs, whereas under the GDPR it can be.
Although the California attorney general enforces the CCPA, the legislation also provides a "private right of action": a consumer whose nonencrypted or nonredacted personal information is exposed in a breach caused by the business's failure to maintain reasonable security can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. This private right of action is limited to such data breaches; consumers cannot sue for other CCPA violations.
It is important to note that the CCPA gives a business 30 days after written notice to cure an alleged violation, where a cure is possible; a consumer must likewise give 30 days' notice before suing for statutory damages.
Although both carry substantial penalties, the approaches differ. The GDPR is more preventative: a business can be fined for non-compliance or inappropriate data handling as soon as it is found. The CCPA is more reactive: penalties apply only after a violation has been identified, the business has been notified and the 30-day cure period has elapsed without remedy.
The GDPR requires controllers to report a breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to data subjects; the affected individuals must also be told where the risk is high. In California, breach notification is governed by the state's existing breach notification statute (Cal. Civ. Code 1798.82) rather than by the CCPA itself: a business must notify affected residents in the most expedient time possible and without unreasonable delay, and must inform the attorney general only when more than 500 California residents are notified of a single breach.
| GDPR | CCPA |
| --- | --- |
| Preventative approach | Reactive approach |
| Fines can be imposed for non-compliance alone | Penalties only after notice and an unremedied 30-day cure period |
| Fines based on annual global turnover (up to 4 percent or €20 million) | Penalties applied per violation ($2,500 to $7,500) |
| Data subject may sue for material or non-material damage caused by an infringement | Consumer may sue for a data breach caused by inadequate security ($100 to $750 per incident) |
| Breach notification to the authority within 72 hours where feasible | No fixed time limit; notification without unreasonable delay under California's breach statute |
With many businesses still adapting to the GDPR, the CCPA may be a little worrying for some. It is probably fortunate that the CCPA came second, as the GDPR is the stricter of the two. The detail covered here is by no means an exhaustive account of every variance, but it does show how similar and how different the regulations are on closer inspection, so do not mistake them for the same law. If you have already implemented the technical and organizational measures needed to comply with the GDPR over the last 18 months or so, compliance with the CCPA will be easier to achieve by comparison. Nevertheless, a good understanding of the differences will show where adjustments are needed to ensure compliance with the CCPA.