There is an updated edition of this article that you can read here.

This blogpost will try to provide a comparison guide concerning the EU General Data Protection Regulation and the California Consumer Privacy Act.

The European General Data Protection Regulation (GDPR) of 2016, which went into effect on 25 May 2018, offers a new framework for data protection, together with new and increased obligations for organisations. It applies to processing carried out by any legal entity, no matter where it resides, that offers goods or services to individuals in the EU.

The California Consumer Privacy Act (CCPA) of 2018, which went into effect on 1 January 2020, is a state law intended to enhance privacy rights and consumer protection for residents of California, United States. The CCPA is considered one of the most significant legislative privacy developments in the country, due to the absence of a federal privacy law in the U.S.

The GDPR applies to businesses, public bodies and institutions, as well as not-for-profit organisations (“data controllers”) anywhere in the world, and it aims to protect “data subjects” within the EU at the time of collection or processing. On the other hand, only for-profit entities (“businesses”) are covered under the CCPA, and it protects individuals that fall under its definition of a “consumer”, namely California residents.

Neither regulation applies in the law enforcement and national security areas.

“Personal data” under the GDPR and “personal information” under the CCPA are both broadly defined. The GDPR separately defines sensitive data (“special categories of data”) and prohibits processing of such data, while the CCPA provides a definition of “biometric data”, which includes elements of the GDPR’s definition of special categories of data, but it does not create a more protective regime for this data category.

The main difference between the GDPR and the CCPA regarding data categories lies in their provisions about health data and children’s personal data. The GDPR treats all data related to health as a special category of data, and it provides specific rules for protecting children’s personal data. Medical and health data are excluded from the CCPA’s protected categories, while a special rule for children’s data exists and concerns the “selling” of such data.

Both regulations make “controllers” and “businesses” respectively responsible for complying with their obligations. Nonetheless, the GDPR also includes specific obligations that apply to “processors” (entities that process personal data on behalf of controllers).

The GDPR and the CCPA include specific rights for the “data subjects” and the “consumers”.

The GDPR has six legal grounds for processing personal data in the EU. One of these grounds specifically refers to obtaining the data subject’s consent prior to the processing. Additionally, the GDPR gives data subjects the right to object to the processing of their personal data.

The CCPA does not set out a list of legal grounds. It only provides an a posteriori mechanism, namely allowing consumers to opt out of the sale and disclosure of their personal information or to ask for erasure of the information. The opt-out can only stop the trading of personal information; it does not affect other uses of that information.

Both the GDPR and the CCPA allow individuals to request the deletion of their personal information, unless exceptions apply. However, there are minor differences in the amount of time organisations are given to reply to individuals’ requests. Please note that under the CCPA, this right applies to personal information that has been “collected” from the consumers themselves.

Both laws include specific provisions on the information organisations must provide to individuals when collecting and processing their personal data. In particular, they define when information must be given to individuals and what they must be informed of. Minor differences exist regarding information obtained from other sources, where the GDPR includes more specific details.

The GDPR and the CCPA both establish a right of access, which allows individuals to have full visibility of the data an organisation holds about them. There are some differences in the procedure organisations should follow to comply with an individual’s request.

Please note that under the GDPR this right applies to all personal data collected and processed about the data subject making the request, while under the CCPA it applies only to personal information collected in the 12 months prior to the request.

Both regulations recognise a right to data portability. The CCPA treats data portability as part of the right of access, and therefore it is subject to the same limitations (e.g. it applies only to data collected in the previous 12 months and to personal data provided by the consumers themselves), while the GDPR provides a separate and distinct right.

Both the GDPR and the CCPA provide for monetary penalties in cases of non-compliance. However, the nature of the penalties, their amount and the procedure to be followed differ quite significantly. The main difference is that under the GDPR administrative fines can be issued directly by a data protection authority, while under the CCPA only civil penalties can be issued, and only by a court. Additionally, under the GDPR an action can be brought for any violation of the law, while the CCPA provides a cause of action only for the failure of security measures in the context of data breaches.

Additionally, the GDPR imposes some specific obligations, such as implementing appropriate technical and organisational measures, including a Data Protection Impact Assessment, and appointing a Data Protection Officer, while the CCPA only requires that the privacy policy be updated every 12 months.

In conclusion, the GDPR is a bigger, broader privacy law, mainly focused on creating a “privacy by default” legal framework for the entire EU, whereas the CCPA is a smaller, more specific sectoral law aimed at creating transparency in California’s huge data economy and granting rights to its consumers.

We hope this article helped you grasp the basics of the GDPR and the CCPA, and gave you a starting point if you want to research the subject in depth.

Until next time.