CCPA vs. GDPR: How the Two Data Protection Regulations Compare
The California Consumer Privacy Act (CCPA) is the most significant development in privacy legislation in the US in recent years. Hurriedly passed into law on 28 June 2018, the CCPA followed in the footsteps of the EU’s General Data Protection Regulation (GDPR), which had become enforceable only a month prior. It aims to protect consumers’ privacy by establishing new data protection standards and granting consumers rights over their data.
Given that it was inspired by the GDPR, the CCPA shares many similarities with its European counterpart. Among these are data subjects’ right to know what data is being collected about them and how it is being used, as well as the right to have their data erased. That being said, the CCPA is adapted to its US context and differs in significant ways from the GDPR, especially with regard to its scope and accountability. Here are some of the key differences to keep in mind:
EU Data Subjects vs. California Residents
Neither the GDPR nor the CCPA applies to legal persons; both apply to natural persons, but they define them differently. The CCPA clearly states that it applies to California residents, while the GDPR uses the vaguer term “EU data subjects” without naming any residency or citizenship requirements. The CCPA also protects data that can be linked to a particular household, not just to an individual as the GDPR does.
All Organizations vs. For-Profit Companies
The GDPR’s scope is broad: it applies to all organizations, from businesses to public institutions and the non-profit sector. The CCPA, meanwhile, has restricted its applicability to for-profit companies that meet very clear requirements: they must have an annual gross revenue of over $25 million; buy, receive for commercial purposes, sell, or share for commercial purposes, the personal information of 50,000 or more consumers; and derive 50 percent or more of their annual revenue from selling consumers’ personal information.
With regard to geographical location, the GDPR applies to any company that processes the data of EU data subjects, wherever that company may be located. The CCPA is unclear on this point: companies falling under its jurisdiction must be “doing business in California”, but the law does not clarify whether a company must be located in the state or meet certain profit thresholds to qualify as such.
All Personal Data vs. Particular Categories
The GDPR applies to all categories of personal data, while the CCPA, as of September 2018, only applies to data not covered by existing federal privacy laws such as the Gramm-Leach-Bliley Act (GLBA) or the Health Information Portability and Accountability Act (HIPAA).
Both the GDPR and the CCPA require organizations to disclose what they do with the personal data they collect. The CCPA, however, requires companies to disclose data sales and activities pertaining to data processing in the last 12 months, while the GDPR places no such limitation.
While the GDPR requires organizations to get prior consent from data subjects for data processing and third-party access to their data, the CCPA allows data subjects to opt out of the sale of their data and requires businesses to have a visible link at the top of their homepage for this purpose.
Both the GDPR and the CCPA offer the right to data portability: namely, to provide consumers with their personal data in a commonly used, machine-readable format that can then be transmitted to another entity. The GDPR goes a step further in this direction, putting organizations under the obligation to transfer a data subject’s information to another data controller upon request. Under the CCPA, businesses are only required to provide consumers with the information electronically in a readily usable format.
While the GDPR’s right to erasure has a few notable exceptions such as data necessary for exercising the right of freedom of expression or data needed for compliance with EU or EU member state law, the CCPA broadens these exceptions further by including not only free speech and information needed for contracts, but, most notably, also internal uses compatible with the context in which the consumer provided the data.
While the GDPR and the CCPA align in many ways, there are notable differences between the two regulations. The GDPR’s definitions are often broader, while the CCPA has taken a more specific approach to its scope. That does not mean, however, that companies that are GDPR compliant don’t need to worry about the CCPA. As shown above, the CCPA’s requirements sometimes fall beyond the GDPR’s reach. It is therefore important that companies consult both regulations and look for the appropriate tools to help them on their road to compliance.