CCPA vs GDPR: What GDPR-Ready Companies Need to Know about the CCPA

As a response to the EU General Data Protection Regulation (GDPR), Facebook’s Cambridge Analytica scandal and the overall upsurge in personal data breaches, California passed a new data protection and data privacy law, the California Consumer Privacy Act (CCPA). Although the CCPA does not become effective until January 1, 2020, organizations need to know that, as of that date, consumers will be able to request their personal data for the preceding 12 months. Therefore, no later than January 1, 2019, organizations need to have categorized the data they store and gotten a complete view of information protected by CCPA; otherwise, they won’t be able to comply on the effective date.

You might think that because you’ve implemented GDPR controls, complying with the CCPA will be a piece of cake. Unfortunately, that’s simply not the case. The laws are two unique snowflakes that require some different approaches. Let’s take a closer look at CCPA vs GDPR and analyze their similarities and differences.

What’s in common

Both the CCPA and the GDPR legislations are aimed at protecting individuals’ personal information, granting them certain rights regarding how organizations may use the personal information collected. In particular, both standards include the following requirements:

  • Data subjects have the right to know whether their personal information is being collected and processed, the reasons for that collection and processing, and with whom it is shared.
  • Data subjects have the right to require an organization to delete the personal data they hold about them.
  • Organizations are required to implement appropriate data protection measures over personal information, including both organizational and technical measures.
  • Both the CCPA and the GDPR have extraterritorial effect; that is, they can apply to organizations outside of their respective jurisdictions.

What’s different

The GDPR and the CCPA differ in other respects. Let’s take a look at the key differences you should know about.

Whose data privacy is protected

The CCPA safeguards the personal data of consumers who are California residents, while the GDPR protects data subjects in the European Union. Both definitions are broad, but the CCPA provides a clearer explanation of its key term.

According to the CCPA, a consumer is any natural person who is a resident of California as defined in its tax provisions — that is, every individual who is in California for other than a temporary or transitory purpose, as well as every individual who is domiciled in California but who is temporarily outside the state.

In comparison with the CCPA, the GDPR does not define the term “data subject” directly and uses inconsistent qualifiers when referring to data subjects. Thus, it can be applied to at least three types of persons: persons located in the EU, EU residents, and EU citizens located either in the EU or outside of it.

Definition of personal information

Both regulations protect information that relates to a natural person who can be identified, i.e., personal information. However, there are some nuances to understand.

The GDPR provides the following examples of PI: name, identification number, location data, physical address, email address, IP address, radio frequency identification tag, photograph, video and voice recordings, and biometric data. Certain online identifiers provided by devices that, when combined with other information, can be used to identify a natural person are also protected by the standard. Thus, under GDPR, the concept of PI is tied very closely to an individual.

The CCPA has a broader definition of PI. In particular, it includes information that could be used to identify a person’s behavior as a consumer, such as preferences, characteristics, psychological trends, attitudes, intelligence, abilities and aptitudes. Plus, in addition to regulating data about individual consumers, the CCPA also applies to any data that can identify a household.

However, what PI includes under both standards depends on the context and likelihood that a data subject or a consumer can be identified by the given data. With such ambiguous definitions of PI, organizations should make sure to cover all possible types of consumer data.

Entities that have to comply

The GDPR applies to every data controller (an organization that determines the purposes and means of processing EU residents’ PI) and data processor (an organization that processes the data for a data controller). The CCPA has a narrower scope; it applies to organizations that operate for profit, collect PI on California consumers and meet at least one of the following criteria:

  • Have annual gross revenues exceeding $25 million
  • Trade in the data of 50,000 or more California consumers, households or devices
  • Derive more than 50% of their annual revenue from selling the PI of California consumers

Note that any organization controlled by a for-profit that meets these criteria and shares common branding must also comply with the CCPA.

Therefore, many small businesses and nonprofit organizations can breathe a sigh of relief regarding the CCPA.

Rights granted

One of the fundamental elements of the CCPA is a requirement that organizations must inform consumers when their data is being sold to a third party and give them the opportunity to opt out. The GDPR does not regulate the process of selling data subjects’ PI.

Both regulations offer the right to data portability — consumers must be able to get their personal data in a commonly used, machine-readable format that can then be transmitted to another entity. The GDPR goes further, requiring companies to transfer a data subject’s information to another data controller upon request; the CCPA only requires to provide consumers with the information electronically in a readily useable format.

 However, overall, compared to the GDPR, the California regulation cuts businesses some slack in regards to certain data subject rights. First, although both the GDPR and the CCPA grant consumers the fundamental right to delete their data, this right is far more limited under the CCPA. The GDPR applies to all data concerning a data subject, whereas the CCPA’s deletion right applies only to data collected from the consumer and not to data about the consumer collected from third-party sources. In addition, both standards exempt organizations from complying with a request to delete data if that data is necessary for them to exercise free speech or another legal right; comply with a legal obligation; or meet the public interest, scientific or historical research purposes, or statistical purposes. However, the CCPA includes more specific exceptions, such as if data is needed to perform a contract between the business and consumer or to identify and repair errors that impair existing intended functionality. In fact, the CCPA’s exceptions are broad enough to potentially eliminate a consumer’s deletion rights in most, if not all, circumstances.

Second, while the GDPR obliges organizations to limit personal data collection, storage and usage to the minimum necessary for the specified purpose, the CCPA does not impose a data minimization mandate. Third, the CCPA does not grant consumers the right to rectification or correction of their personal data that is held by an organization.

Basis for consent

Under the CCPA, businesses are allowed to process and sell an individual’s PI if they make an online purchase or sign up, though the person has the right to opt out of the sale of their data. The CCPA also requires companies to create a channel, such as a website or a toll-free number, that consumers can use to exercise their rights, including the rights to disclosure, deletion and opt-out.

The GDPR approaches consent in a more nuanced way. It requires organizations to obtain consent prior to collecting a person’s data and giving a third party access to it. It also grants data subjects broader rights to restrict data processing (that is, to allow an organization to store but not process their personal data). Therefore, despite the absence of an express right to opt out of data sale, the GDPR has a more significant impact on how businesses deal with personal data.

DPO appointment

Under the GDPR, with some exceptions, data controllers and data processors must appoint a data protection officer (DPO). The DPO’s role is to advise the organization on data protection obligations, monitor internal compliance, and act as a contact point for data subjects and the supervisory authority. He or she must have expertise in the field of data protection.

The CCPA does not require businesses to appoint a DPO or another designated employee to deal with compliance and data protection. Thus, businesses do not have to hire an arbitrator to monitor whether they protect consumers’ rights and do business in full compliance with the standard. But we hope that businesses will approach CCPA compliance in a sensible way and ask for legal advice to ensure that they have all controls in place.

Fines by EU and U.S. regulators

Both regulations provide for significant financial penalties in case of non-compliance. GDPR fines can reach €20 million or 4% annual global turnover, whichever is higher. The CCPA allows for fines of up to $2,500 per violation or $7,500 per intentional violation. On top of that, the CCPA grants consumers the right to take private action, such as filing class-action lawsuits against businesses seeking compensation of $100 to $750 per consumer, per incident. Unlike the GDPR, the CCPA provides businesses with 30 days to cure alleged violations and avoid penalties.

The GDPR vs. the CCPA: Summary of Differences

Category GDPR CCPA
Whom it protects  EU data subjects California consumers and households
Definition of personal information 

Any information relating to an identified or identifiable natural person, directly or indirectly. Examples include name, identification number, location data and biometric data.

 

“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes data from internet or network activity, such as browsing and search history; data from a consumer’s interaction with a website, application or advertisement; and biometric or geolocation data.
Entities that have to comply  Data controllers (organizations that determine the purposes and means of the processing of personal data) and data processors (organizations that process the data for data controllers) Medium and large businesses (in terms of revenue and number of consumers affected) that process the PI of California consumers
Right to deletion  Applies to all data collected about the data subject; has few limitations Applies only to data collected directly from and about consumers; has broad limitations
Data minimization mandate  Yes No
Right to rectification or correction Yes No
Basis for consent Requires organizations to obtain consent prior to collecting data. Businesses are allowed to process and sell the PI of all consumers who make an online purchase or sign up. They must enable consumers to exercise their rights to opt out of the sale of their PI or request its deletion.
DPO appointment  Yes No
Fines Up to €20 million or 4% of worldwide turnover, whichever is greater Up to $2,500 per violation or $7,500 per intentional violation, as well as $100 – $750 per incident in compensations to individuals.

 

It is yet to be seen how regulators will interpret the scope and provisions of the CCPA and the GDPR. In the future, we may see more instances of how these two regulations overlap. What we can state firmly is that achieving compliance with the GDPR does not mean that you have also met all the requirements of the CCPA. The CCPA covers a broader range of types of personal data and imposes additional obligations on companies, such as notifying consumers when their data is sold and providing the right to opt out of those sales.

The best approach to ensuring compliance with the CCPA is to establish a solid data privacy strategy that takes its requirements into account. This includes having initiated data classification and record-keeping processes by January 1, 2019.