CCPA vs GDPR | Key differences in the legislation

While CCPA has become known as the California GDPR, there are some key differences which both organizations and consumers need to be aware of.




In May 2018, the European General Data Protection Regulation (GDPR) came into force and revolutionized the way in which businesses process the personal data of their consumers.

Two years later, in 2020, the California Consumer Privacy Act (CCPA) came into force, giving Californians the right to place controls over how their personal data is used.


Key CCPA Requirements

GDPR has been discussed in detail within our articles on its meaning, implementation, and compliance. Turning now to the California Consumer Privacy Act, we consider both its scope and how it differs from the GDPR.

With the value of personal data growing and news of substantial data breaches becoming more frequent, the CCPA aims to protect California residents’ consumer rights while also requiring businesses to implement more robust privacy and greater transparency. In addition, where the consumer is between 13 and 16 years of age, the CCPA does not allow the sale of their personal information unless they have opted in. Where the consumer is under the age of 13, consent is required from either a parent or guardian.

What is CCPA Compliance?

Considered to be one of the strictest privacy laws in the United States, the CCPA requires a number of both proactive and consumer-focused policies to be implemented. In addition to consumers’ rights regarding the collection, storage, and use of their personal data, businesses also need to consider a number of requirements within the CCPA regarding their privacy policies.

Does CCPA Require a Data Protection Officer?

While the GDPR requires the appointment of a Data Protection Officer, there is no such requirement under the CCPA. Instead, the California privacy law assumes that in order to achieve compliance, there must be a qualified individual with the responsibility for monitoring activities associated with data gathering, the storage and transfer of consumer data, and data privacy. Additionally, there must be processes in place so that consumer requests relating to their personal data are responded to within appropriate timescales.

CCPA vs GDPR: Who Do the Laws Apply to?

Both CCPA and GDPR provide data privacy protection to individuals who have shared their information. The GDPR describes data subjects as “an identified or identifiable natural person,” and it applies not only to EU residents but also to those who were within its territories at the time of data collection. So, that means that an American on holiday in the UK would have GDPR protection. Additionally, it protects its citizens no matter where the organization collecting the data is based. Hence, an EU citizen providing information to a US company is also under the protection of the GDPR.

The CCPA provides rights to consumers who are resident in California. This means that the California law does not cover those in the state for a temporary or transitory reason, and as such, their personal data is not protected.


CCPA vs GDPR Limitations of Scope

While GDPR and CCPA come from a basis of protecting personal data, there are some significant differences between the two pieces of legislation. One of the key variances comes from which organizations must comply with these two pieces of legislation.

If a company processes personal data of an individual residing in the EU, then the GDPR comes into effect. The organization’s annual revenue, the volume of data processing, and the source of revenue do not affect the requirement to comply with the GDPR.

The CCPA, on the other hand, only protects California residents. In terms of which businesses are required to comply with CCPA, it applies only to those organizations which are for-profit and based in the state of California. In addition, they must meet one or more of the following:

  • Have a revenue of at least $25,000,000.
  • On an annual basis and for commercial reasons, buy, receive, sell or share personal information of more than 50,000 consumers, households, or devices.
  • Derive 50% or more of annual revenue from selling consumer personal information.

CCPA vs GDPR Consent Requirements

Both the CCPA and GDPR have requirements around the consent required to collect and process consumer data; however, the General Data Protection Regulation does have more stringent requirements relating to data privacy.

The CCPA allows sites to collect and sell personal data if an individual signs up or makes an online purchase. It only offers consumers the right to opt out. The GDPR requires consumers to opt in to data collection by requiring consent to be obtained before the data is given.

CCPA vs GDPR Rights Granted

The CCPA provides five rights for what it classes as consumers, and these relate to disclosure, deletion, access, opt-out, and non-discrimination.

The GDPR, however, lists eight areas for its data subjects. They have the right to be informed of the collection of data and to request access to that data. Should it then prove to be incorrect, the individual can request that it is rectified or erased. Additionally, the person can request that restrictions are placed on how the data is processed, or object to the processing. Finally, there must be data portability so that the data can be used in alternative settings, and the data subject must not be subjected to automated decision making, including profiling, without their express agreement.

CCPA vs GDPR Enforcement

Where there is noncompliance with the CCPA, there is the risk of penalties being issued for each violation. These range from $2,500 where the violation was unintentional through to $7,500 where it is deemed to be intentional. Where there is a data breach of personal information that affects data privacy, consumers can sue the business for $100–$750 per incident, or more when the damages exceed $750.

Compared with the GDPR, California fines appear to be a much weaker deterrent against illegal use of personal data. That’s because, while the GDPR is also enforced through monetary penalties, these can be up to 4% of a company’s global annual turnover or €20 million, whichever is higher.

Both GDPR and CCPA are a step in the right direction; however, there are criticisms of both pieces of legislation. The GDPR, for example, has been criticized for the complexity of implementation for small businesses. At the same time, the CCPA is accused of not going far enough to protect California citizens’ personal data.