The California Consumer Privacy Act (CCPA) is the latest privacy regulation and, after the General Data Protection Regulation (GDPR), the second to have a broad impact on the privacy of people’s personal information. On May 25, 2018, the EU’s GDPR replaced the EU Data Protection Directive of 1995, transforming how businesses handle and protect personal information. The CCPA grants a right of privacy to Californian residents. It went into effect Jan. 1, 2020.
Although many similarities exist between these two regulations, some differences stand out as well. It’s good to know where these variances are to determine how they might impact a business. Complying with one may make it easier to comply with the other. However, that might not always be the case.
A significant focus on data privacy
Currently, data protection is a dominant concern for organizations, spurring them to comply with legal obligations and to maintain the trust and business of valued customers and clients.
People are more aware than ever of their data’s value, of the importance of data protection and of their data security and privacy rights. This is underlined by the large-scale breaches of personal information that recur across the globe and affect millions of people. This growing awareness is driving change. People want privacy and need the ability to control their information.
Countries and their lawmakers are listening and are now reacting. This is evident in the recent regulatory reforms concerning data security and privacy. The CCPA, like the GDPR, demonstrates this and gives individuals the privacy and control over their data that they need and desire. Consumers and data subjects welcome this, but it may be causing some concern for businesses. There has never been such a significant focus on data privacy, data security and the proper handling and processing of people’s information as there is currently, and it all seems to be happening at once. So, it’s good to keep abreast of the changes to understand how each regulation may affect how your business operates.
The rights that the CCPA and GDPR allow
The CCPA guarantees the following rights to Californian residents:
- The right to know what personal information is being collected about them.
- The right to know whether personal information is sold or disclosed and to whom.
- The right to not allow the sale of personal information.
- The right to access their personal information.
- The right to equal service and price, even if they exercise their privacy rights.
The GDPR guarantees the following rights to EU data subjects:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
Differences and similarities of CCPA and GDPR at a glance
When considering the above rights, an overlap is noticeable, but on studying them a little closer, differences become more apparent. Both regulations give people specific rights when their data is processed by a controller/processor (GDPR) or for-profit entity (CCPA). Some are similar, some may show overlap or vary, and some exist in one regulation and not the other. Both have specific requirements relating to how the rights are voiced, delivered and upheld. Let’s take a closer look.
Both the CCPA and the GDPR grant the following rights in some form:
- Right to be informed: Similar for both, but different information is required when informing individuals of data handling purposes, and the delivery method used for notifying individuals can vary too.
- Right of access to information / Right of disclosure: Similar for both, but how the right is fulfilled differs. The GDPR allows broader information access options compared to the CCPA, which only allows written disclosure of information.
- Right of data portability: Similar for both. Both require the provision of information in a readily usable format. The GDPR goes a step further. It allows a request from the data subject for the controller to transfer the data to another data controller of their choice.
- Right to erasure: Similar for both, but the CCPA allows for exceptions, whereas the GDPR insists that all data that is no longer necessary must be securely deleted, and that data must be deleted when a data subject requests it, provided the conditions are met.
- Nondiscrimination: Similar for both; the CCPA and the GDPR both prohibit discrimination against individuals who exercise their privacy rights.
- Responding to requests: Similar for both, but differing time frames.
Exists under CCPA and not the GDPR:
- Opt-out right for personal information sales: The GDPR does not include this specific right, but data subjects can withdraw consent for processing activities and refuse processing of their data for marketing purposes. Also, controllers must comply with the principles of the GDPR, such as fair processing, and must have a lawful basis for processing the data. It should be noted that the GDPR uses an opt-in approach rather than an opt-out approach.
Does not exist under the CCPA and exists under GDPR:
- Right to rectification (allowed by the GDPR, not found under CCPA).
- Right to restrict processing (allowed by the GDPR; the CCPA only has the opt-out right for personal information sales).
- Right to object to processing (allowed by the GDPR; the CCPA only has the opt-out right for personal information sales).
- Rights in relation to automated decision-making and profiling (allowed by the GDPR, not found under CCPA).
Who the regulations impact
The CCPA applies only to a for-profit entity that operates in California, collects personal information from Californian residents and meets at least one of the CCPA’s criteria regarding revenue and size. These criteria include: it generates more than $25 million in gross income, it processes personal information relating to over 50 thousand consumers annually, or it derives half or more of its annual revenue from the sale of consumers’ personal information.
The GDPR does not focus on the size or revenue of the business but covers all data controllers and processors that process personal data of EU data subjects, regardless of whether the processing takes place in the EU or outside it. The GDPR applies to all businesses and every type of business. If an entity processes personal information from the EU, the entity must comply.
Another notable difference is that the GDPR impacts nonprofit businesses or charitable organizations too. In contrast, the CCPA is only relevant to for-profit businesses that meet the specific criteria relative to revenue and size.
The GDPR requires businesses to register with or notify data protection authorities if they process personal information of data subjects. However, the CCPA does not require a business to register with an authority.
| GDPR | CCPA |
| --- | --- |
| For-profit or nonprofit entities | Only for-profit entities |
| Irrespective of revenue or size | Must meet revenue and size criteria |
| Any EU data subject’s personal data | Data of Californian residents only |
| Register with an authority | No registration requirement |
So, the GDPR has a far broader reach and scope than the CCPA.
Who the regulations protect
The CCPA protects consumers, described as Californian residents. They can be customers for household goods and services, employees, or parties to business-to-business transactions. The GDPR protects data subjects, defined as identified or identifiable persons to whom personal data relates. Both the CCPA and the GDPR focus on information that can identify a person, and both have the potential for global reach, so the laws may affect businesses outside the jurisdiction where the law originates.
The information protected
The CCPA protects any personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household. Exceptions apply, such as public information (data that is already legally available to the public) and personal information already governed by other legislation (like health information governed by HIPAA).
The GDPR protects any personal information relating to an identified or identifiable data subject. The GDPR has strict rules in place for the processing of special category data, and if these are not met, processing of this information is not allowed at all. The GDPR applies to all personal information irrespective of whether it already falls under sector-specific compliance requirements, be they financial, medical, insurance-related and so forth (unlike the CCPA). So, in this regard, the GDPR has a wider sector and company reach and impact.
Similar information is protected (data that can identify a person); however, the CCPA includes information (household and device) that is not covered by the GDPR. This means that the CCPA also protects information derived from technologies and analytics (like browsing and search history) that are linked at a device or household level.
| CCPA | GDPR |
| --- | --- |
| Includes household- and device-linked information | Does not include this |
| Makes exceptions for businesses already governed by other sector-specific regulations | Does not allow this; every business must comply |
| Does not include this | Special category data criteria apply |
The GDPR is more direct about the requirement for appropriate technical and organizational measures to secure personal information and reduce security risk, whereas the CCPA does not directly impose data security requirements. However, the CCPA does allow action to be taken for breaches of information resulting from businesses having inadequate security controls in place.
The GDPR has substantial data security requirements and includes both data privacy and security rules, whereas the CCPA focuses primarily on consumer privacy.
The GDPR requires businesses to appoint a data protection officer under certain circumstances; however, the CCPA does not have this requirement.
The GDPR requires a wide range of documentation, policies, processes, records, and training to show accountability for secure data processing and to prove compliance with the GDPR. The CCPA does not have the same extensive requirement. It requires some training and minimal documentation in comparison with that of the GDPR.
International data transfers
The GDPR prohibits and restricts international transfers of personal data outside of the EU. Transfers are only allowed when specific conditions approved by the European Commission are met, such as where adequate security exists, an approved transfer mechanism (like BCRs) is used, or an exception exists under the regulation. The CCPA, however, does not restrict international data transfers.
Penalties and breach notifications
CCPA and GDPR penalty structure and approach differ. GDPR penalties are linked to a business’s revenue (4 percent of annual global turnover or €20 million, whichever is the higher). The GDPR mandates penalties for non-compliance and data breaches.
CCPA fines are assessed and applied on a per-violation basis. Civil penalties range from $2,500 up to $7,500 per violation. The fines are only applied when a breach happens, so unlike the GDPR, non-compliance with the CCPA does not result in a financial penalty unless a breach occurs.
Although the California attorney general enforces the CCPA, the legislation provides a “private right of action” whereby, in certain circumstances, consumers can bring a legal action for statutory damages incurred if they can demonstrate the business violated the law. Payouts, in this regard, range from $100 to $750 per consumer incident. So, consumers can sue the business for a violation.
It’s important to note that the CCPA allows a business time (30 days) to resolve violations whenever possible.
Although both have substantial penalties, each approach is different. The GDPR is more preventative in that a business can be reprimanded for non-compliance or inappropriate data handling. In contrast, the CCPA is reactive as penalties may only apply after a violation has occurred and has been reported.
The GDPR requires controllers to report a breach to the authorities within 72 hours if the data breach poses a risk to data subjects. The CCPA requires a business to report a breach to consumers without unreasonable delay, and regulators only need to be informed when more than 500 residents are notified of a breach.
| GDPR | CCPA |
| --- | --- |
| Preventative approach | Reactive approach |
| Penalty can be applied for non-compliance alone | A breach has to occur for a fine to be applied |
| Penalty based on annual global turnover (4 percent or €20 million) | Penalties applied per violation ($2,500-$7,500) |
| Allows a data subject to sue for non-material or material damage caused as a result of a breach | Consumer can sue the business for a violation ($100-$750) |
| Breach notification within 72 hours | No time limit is given, but notification is required without unreasonable delay |
Although very similar in many ways, they are not the same
With many businesses still adapting to the changes brought by the GDPR, the CCPA may be a little worrying for some. However, it’s probably good that the CCPA has come second to the GDPR, as the GDPR is the stricter of the two. By no means is the detail covered here an exhaustive account of all the variances; rather, it is a means to demonstrate how similar or different the regulations are on closer inspection. So, don’t mistake them for the same. It is safe to say that if you’ve managed to implement the technical and organizational measures to comply with the GDPR over the last 18 months or so, compliance with the CCPA will be easier to achieve in comparison. Nevertheless, a good understanding of the differences can help show where adjustments are needed to ensure compliance with the CCPA.