CCPA versus the GDPR

The scope and attention to detail of the General Data Protection Regulation (GDPR) have made it the most sweeping data privacy law in Europe to date. Around the same time the GDPR came into effect, however, former California Governor Jerry Brown signed a new policy for his state: the California Consumer Privacy Act (CCPA).

California's attention to user privacy and security isn't new. CalOPPA was the first law in the United States to require businesses to post a Privacy Policy.

If you know anything about the GDPR, you might quickly see some similarities between the EU's regulations and the new CCPA, which went into effect in January of 2020. Like the GDPR, it impacts more businesses than just those in its local jurisdiction. At the same time, it restricts its scope to an extent that it largely seems to point its target at the mega-companies of Silicon Valley.

Regardless, the CCPA comes with fines and allows Californians to bring a civil action against companies that violate the law.

If you run a large business with a huge emphasis on data use, there's a good chance that you need to abide by both the CCPA and GDPR. But what's the difference, and can your GDPR preparation help you comply with the CCPA?

We break down the substantive differences between the two texts and then cover the rights and protections offered by each law.

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act became an effective law on January 1, 2020. It applies to businesses (legal entities that operate for profit) that meet a minimum of one of the following characteristics:

  • Declares an annual gross revenue over $25 million
  • Derives 50 percent or more of annual revenue from selling personal data
  • Buys, sells or shares the personal information of 50,000 or more consumers, devices, or households in California

If a business meets one of the above and also both of the below, it will fall under the scope of the CCPA:

  • Collects personal information from consumers in California and determines the purposes and means of processing the information, and
  • Operates in California

Under the new law, the CCPA provides consumers with rights that include:

  • Right to request disclosure about personal data from a business
  • Right to access personal information held by a business
  • Right to request the deletion of personal data (with some exceptions)
  • Right to avoid discrimination for exercising their rights
  • Right to opt out of website requirements
  • Right to access a Privacy Policy that is updated at least once every 12 months

Any businesses or service providers that violate the CCPA may see civil penalties. At present, the legislation schedules a $2,500 maximum fine for violations and $7,500 for intentional violations.

It also allows consumers to bring the business to civil court in the event of unauthorized access to their data, unlawful disclosure, or a failure to create and maintain reasonable security protocols. Consumers can request between $100 and $750 in actual damages or per incident.

What is the GDPR?

The General Data Protection Regulation is a data privacy law that protects European residents and citizens. It impacts businesses and individuals that collect data from individuals located in the EU, regardless of whether the collecting entity is based in Europe or not.

Although the GDPR is both a dense and vague regulation, it's possible to get to grips with the inspiration behind it by exploring its key principles: accountability and governance, individual rights and transparency, and privacy and security.

You must use both organizational and technical measures to ensure that you are actively protecting all the personal data you collect and store.

Individuals also receive specific rights under the regulations. These rights allow access on behalf of individual data subjects and they require transparency from processors and controllers. Now, Europeans have a right to be informed that you collect their data (through your Privacy Policy), the right to access their data, and the right to ask you to erase their data.

Finally, the GDPR deals specifically with data breaches. The EU took notice of the sheer scale of the privacy breaches that occurred in the past few years and continue to happen on a regular basis. Now, the GDPR requires all processors and controllers to report any relevant breach to their supervisory authority within 72 hours.

Then of course, there are the fines. The GDPR carries fines of up to 4 percent of global turnover or 20 million Euro, whichever is greater. Moreover, data protection commissions aren't afraid to use them. In early 2019, France fined Google $57 million for GDPR violations.

Key Similarities and Differences between the CCPA and GDPR

Both the CCPA and GDPR aim to protect citizens from the excesses of huge data processors and introduce greater accountability for organizations that control and process personal data. But are they virtually the same law?

The answer is: not at all.

If you get to know both pieces of legislation, you'll quickly spot real differences both in language and in substance. To help you get to know both and see how they compare, we broke down the most important aspects of the laws according to category to identify key similarities and differences.

Let's take a look at the following:

  • Reach and scope
  • What data does each cover?
  • What consumers receive protection?
  • What legal bases are required?
  • Does each require a Privacy Policy?
  • How does each deal with security?
  • How does each handle the data of children?
  • What are the penalties for violations?

Reach and Scope

The CCPA comes to us from the California State Legislature and the European Commission established the GDPR. But how far does each law extend?

The CCPA covers any for-profit entity doing business in California with a revenue over $25 million and significant interaction with personal information (over 50,000 consumers/households/devices) or that derives 50 percent or more of its revenue from selling information.

It also applies to businesses that share branding with a covered business or are controlled by one.

The GDPR regulates all data processors and controllers in the EU, as well as entities abroad that offer goods or services to consumers located in the EU or monitor the behavior of EU consumers.

Key Takeaway: The GDPR extends much further than the CCPA both in terms of the geographic territory it covers and in the kinds of entities it regulates. The GDPR applies to any entity (for-profit, non-profit, governmental, or otherwise) that collects (or has the potential to collect) any data from anyone located in the EU.

In other words, the GDPR applies to almost everyone, and if you want to avoid GDPR compliance, you need to take steps to block your site from being accessed by anyone in the European Union.

On the other hand, the CCPA seems to target big data businesses in Silicon Valley without consideration for SMEs, non-profits, or government organizations.

What Data Does Each Cover?

The CCPA covers personally identifiable information that you could trace back to a real person, and it includes a specific list of what it covers.

The categories include identifiers (names, addresses, IP addresses, driver's licenses or other I.D. numbers); protected information (sex, gender, religion, etc); commercial information; biometric information; geolocation data; internet or electronic network activity information; professional or employment information; education information; inferences from information; audio, visual, electronic, olfactory, or thermal information.

However, some information remains excluded. For example, the law doesn't cover certain information found in government records or information covered in other California legislation.

The GDPR takes a much broader approach to personal data. It covers any data or information that can identify a data subject protected by the law. Processors must also refrain from processing the special categories of data noted explicitly in Article 9 unless special conditions are met (such as obtaining consent). These data types include data regarding religious or philosophical beliefs, racial or ethnic origins, trade union membership, political opinions, genetic and biometric data, or data related to a person's sexual orientation or sex life.

Key Takeaway: The substance of the law covers similar information in its attempt to protect any data that can identify its owner.

The two differences are that the GDPR explicitly bans the processing of specific data categories unless conditions are met. Additionally, the CCPA addresses data that could identify a household, which extends beyond a data subject or natural person.

What Consumers Are Protected?

The CCPA protects California residents either domiciled and living in California or domiciled in California and temporarily out of state. It covers customers, employees, and other businesses.

The GDPR covers a group it refers to as "data subjects." These data subjects are any person who can be identified by the personal data a controller or processor collects or stores.

Key Takeaway: The approach to protection is different both in language and substance, but the effects are broad in consideration. Both laws refer to personal data that could be identifiable to a person. Both also continue to cover those protected consumers outside their home territories.

What Legal Bases are Required?

One of the GDPR's key tenets is that all data processors must use one of six legal bases to process data. They include:

  1. Consent has been given by the individual to process data for a specific purpose
  2. Data must be processed to fulfill a contract between yourself and the data subject
  3. Data must be processed to comply with a legal obligation
  4. Data must be processed to protect the "vital interests" of the data subject or others
  5. Data must be processed to perform a public interest task, or through exercising official authority
  6. Processing data is necessary for legitimate interests

The CCPA doesn't require a legal basis for businesses to process data - at least not within its text.

Key Takeaway: If you must meet GDPR regulations, then you need a legal basis to process your data.

Does Each Require a Privacy Policy?

It doesn't matter whether the CCPA requires businesses to use a Privacy Policy: CalOPPA already does that. However, the CCPA now requires covered businesses to update their Privacy Policy at least once per 12 months.

The GDPR also famously requires a Privacy Policy, and the legislation dictates what each Privacy Policy must cover, how it is written, and where you place it on your website. It needs to be comprehensive, easy to read, and simple to find.

Key Takeaway: Although the CCPA doesn't require a Privacy Policy, it adds on to the pre-existing need to have one under CalOPPA. The GDPR also requires a Privacy Policy, but it presents more stipulations on the contents and placement of the Privacy Policy. Generally, a GDPR Privacy Policy will meet CalOPPA/CCPA requirements, but a CalOPPA/CCPA policy might not be GDPR-compliant.

What Security Issues are at Play?

The CCPA doesn't mention security requirements at all. The closest it comes to doing so is allowing consumers a right of action if they experience a data breach. Instead, it relies on existing California law and a business's duty to act reasonably.

The GDPR requires both controllers and processors to follow technical measures that are appropriate to the level of risk they face.

Key Takeaway: Both laws require (or assume) that covered bodies will follow the appropriate technical measures to exercise a reasonable duty of care. The GDPR doesn't require specific security measures, which allows businesses the latitude to make those decisions on their own.

But remember: both laws are intended to protect consumers and their personal data, so they both have security at their hearts.

How Does Each Deal with the Data of Children?

Both laws add special provisions for the data of children to hold companies more accountable and detail more substantive standards of consent.

The CCPA allows those between 13 and 16 years of age to provide consent to covered businesses. Those under 13 must provide consent through their parents. Once the law goes into effect, businesses covered by the CCPA cannot sell personal data belonging to those under 16 without consent.

European law goes slightly further. Member states may set their own age of consent (not to be lower than 13), and the default age is 16. Additionally, companies known to attract children or those 16 and under must also provide a Privacy Policy that matches the reading and comprehension level of those viewers.

Key Takeaway: Expect to consider the data of children under 16 separately from data from adults. The rules are straightforward in California, but if you operate in the EU, you should check in with each member state to match the most stringent children's data protection laws.

What are the Penalties for Violations?

Both the GDPR and the CCPA come with two types of penalties: a right to action and civil fines.

In California, the Attorney General may fine businesses that violate the CCPA up to $2,500 per instance or $7,500 if the office proves the violation was intentional. However, the AG doesn't jump immediately to fines: entities receive a 30-day cure period to rectify a notification of a violation.

The EU takes penalties much further. The administrative fines for GDPR violations can reach 4 percent of the processor's annual global revenue or 20 million Euro, whichever is higher. Additionally, EU member states have the leeway to impose their own penalties beyond the administrative fines levied by the European Commission.

Both Californians and Europeans may take a private right of action. Europeans can use action to rectify both material and non-material damages. Californians, however, must grant the offender 30 days to fix the issue when possible, and can then only seek $100 to $750 in damages per person per incident.

Key Takeaway: The underlying principle of the penalties remains the same, but the GDPR comes with far harsher penalties and fines with no right to cure built into the legislation.

Consumer Rights

Both the CCPA and GDPR afford new rights to data subjects/consumers with a focus on transparency and the "right to be forgotten."

At first glance, both seem to offer identical rights. However, just as in the legislation itself, real differences emerge in the details.

The biggest difference between the two is that the CCPA allows customers to opt-out whereas the GDPR requires data subjects to opt-in.

With an opt-out structure, the CCPA gives customers these rights:

  1. "The right of Californians to know what personal information is being collected about them.
  2. The right of Californians to know whether their personal information is sold or disclosed and to whom.
  3. The right of Californians to say no to the sale of personal information.
  4. The right of Californians to access their personal information.
  5. The right of Californians to equal service and price, even if they exercise their privacy rights"

The GDPR, on the other hand, provides these eight rights:

  1. "The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling"

Both laws have the right to be informed of data collection, processing, or sales.

Both allow access (or the right to request) their own personal data and other information about what the processor does with their data.

Both also allow the right to restrict processing. The GDPR allows users to make most kinds of requests, but the CCPA allows consumers to say "no" to the sale of their personal information by opting out.

The GDPR and the CCPA both allow requests to be forgotten or for erasure. Each law has stipulations for the request, but both require the request to be fulfilled if it meets the standards.

Finally, both require businesses/processors to provide equal service even when users exercise their privacy rights. However, the CCPA does allow businesses to offer financial incentives in exchange for personal information.

Final Word

The CCPA and GDPR are relatively similar legislation with matching intent: to protect consumer privacy and apply more rigorous accountability standards to companies (and data processors generally). Once you move beyond a quick glance, it becomes evident that the GDPR is much broader in its scope and thus requires more investment in compliance.

Fortunately, if you already comply with the GDPR, then meeting CCPA requirements is a breeze. For many California businesses, it will be a matter of double-checking your Privacy Policy, data inventories, strategies, and processes as of January 1, 2020 and extending your EU compliance mechanisms to Californians.