This revised blogpost will try to provide a comparison guide concerning the EU General Data Protection Regulation and the State of California Consumer Privacy Act. Please check to see what’s new, since some changes have been recently included in the CCPA.
The GDPR, which went into effect on the 25th of May 2018, offers a new framework for data protection, additionally with new and increased obligations for organizations. It is applicable to processing carried out by any legal entity — no matter where it resides — that offers goods or services to individuals in the EU.
The CCPA went into effect on the 1st of January 2020, and with minor amendments until now, it consists the first state law – due to the absence of a federal privacy law in the US- intended to enhance privacy rights and consumer protection for residents of California.
The scope of the GDPR applies to all businesses, public bodies and institutions, as well as not-for-profit organizations (“data controllers”) in the world, and it aims to protect “data subjects” within the EU at the time of collection or processing. On the other hand, only for-profit entities (“businesses”) which have a gross revenue greater than $25M, and/or handle personal data of more than 50,000 consumers for commercial purposes, and/or derive 50% or more of their annual revenues from selling consumers’ personal data are covered under the CCPA, protecting individuals that fall under its definition of a “consumer” as being a California resident.
Both the regulations are not applicable in the law enforcement and national security areas.
“Personal data” under the GDPR and “personal information” under the CCPA are both broadly defined. The GDPR separately provides a definition of sensitive data (“special categories of data”) and prohibits processing of such data, while the CCPA provides for a definition to “biometric data”, which includes elements of the GDPR’s definition of special categories of data, but it does not create a more protective regime for this data category.
The main difference between GDPR and CCPA, regarding the data categories, is included in their provisions about data related to health and children’s personal data. The GDPR considers all data related to health as a special category of data, and it provides specific rules for protecting children’s personal data. Where the child is below the age of 16 years, processing of their personal data shall be lawful only if and to the extent that consent is given or authorized by the legal guardian. The categories of medical and health data are excluded from the CCPA protection categories, while a special rule for children’s data exists and regards to “selling” of such data. Minors under 16 years of age must authorize the sale of their personal information. For children under 13, the opt-in must be collected from a parent or guardian.
Additionally, the GDPR applies to job candidates and employees, whereas the CCPA may not be applicable to these categories (according to amendment Assembly Bill 25).
The regulations define that “controllers” and “businesses” are responsible for complying with the obligations under the respective laws. Nonetheless, the GDPR includes specific obligations that are also applicable to “processors” (entities that process personal data on behalf of “controllers”).
The GDPR and the CCPA include specific rights for the “data subjects” and the “consumers”.
Both regulations establish the right to access, which allows individuals to have full visibility of the data an organization holds about them. Additionally, they allow individuals to request the deletion of their personal information, unless exceptions apply. Both legislations include specific provisions with regard to the information organizations must provide to individuals, when collecting and processing their personal data, and they both recognize a right to data portability.
The right to rectification is only applicable under the GDPR. The CCPA gives to consumers the right to object only to the sale of their personal information, while the GDPR gives data subjects the right to object to and/or restrict all data processing.
The right to non-discrimination (i.e., deny services to consumers who have requested their data to be deleted) is specifically mentioned under the CCPA. In addition to the above, consumers are entitled to have an authorized agent to make any CCPA-related requests to companies on their behalf, while it is mandatory for businesses to inform their customers if they provide financial incentives tied to the collection, sale, or deletion of personal information.
On the other hand, the GDPR permits any automated decision-making and profiling only under certain specific conditions. Such a provision is not included in the CCPA.
The GDPR has six legal grounds for processing personal data. One of these grounds specifically refers to obtaining the data subject’s consent prior to the data processing.
The CCPA does not set a list of legal grounds. It only provides for a posteriori mechanism, namely allowing customers to opt-out to the sale and disclosure of their personal information or to ask for erasure of the information. The opt-out can only stop the trading of personal information.
Both the GDPR and the CCPA provide for the possibility for monetary penalties to be issued in cases of non-compliance.
Their main difference is that the GDPR provides that administrative fines can be directly issued by a data protection authority, while in the CCPA only civil penalties can be issued by the Attorney General of California. Additionally, it has to be noted that under the GDPR, an action can be brought for any violation of the law, while the CCPA provides a cause for action only in the context of data breaches. Under the GDPR, more severe violations can be up to €20M ($21.6M) or up to 4% of the firm’s worldwide annual revenue from the preceding fiscal year, whichever is higher. On the other hand, penalties for intentional violations under the CCPA can be up to $7.5K.
Additionally, the GDPR provides for some specific obligations, such as the implementation of appropriate technical and organizational measures, including a Data Protection Impact Assessment, and the appointment of a Data Protection Officer, while the CCPA does not define or impose data security requirements and it has no representative requirements.
As a conclusion, we could say that the GDPR is a bigger, broader privacy law, which is mainly focused on creating a “privacy by default” legal framework for the entire EU, whereas the CCPA is a smaller, more specific sectoral law about creating transparency in California’s huge data economy and rights to its consumers.
However, the CCPA will soon be further modified, since a new law has been voted by California. The California Privacy Rights Act (CPRA) includes a number of amendments to the CCPA, and it will be enforced on January of 2023. A new blog post will come up soon including details regarding the CPRA.
We hope the article helped you to grasp the basics regarding GDPR and CCPA, and gave you a starting point if you want to research the subject in depth.
Until next time.