CCPA vs GDPR: Data Privacy in Motion
The need to protect the consumer’s data privacy has increased significantly over the last several years. This need has given rise to several data privacy laws and regulations, two of which (CCPA and GDPR) we are going to discuss in this article.
There’s a lot to cover, so let’s get started.
Data Privacy Throughout the Years
Privacy was always a thing that people wanted to protect, whether from a nosy neighbor, or their ruler.
The US Constitution, a document written in 1789, for instance, covers privacy in the 4th Amendment, which states that:
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated and no warrants shall issue, but upon probable cause, supported by oath or affirmation and particularly describing the place to be searched and the persons or things to be seized.”
In 1948, the United Nations General Assembly issued the Declaration of Human Rights, whose Article 12 says:
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attack upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
The problem was that such laws were too few and far between to make a difference.
One of them was the Privacy Act of 1974, which established a Code of Fair Information Practice on the collection, maintenance, use, and distribution of personally identifiable information (PII) by federal agencies in the United States.
Across the pond, in Europe, the EU countries arguably were paying even more attention to their citizens’ right to privacy and established the EU Data Protection Directive in 1995.
What is CCPA vs GDPR: Overview
Both of the aforementioned laws, the Privacy Act of 1974 and the EU Data Protection Regulation, will prove instrumental in creating the two laws that we are discussing today: the California Consumer Privacy Act and the GDPR.
The California Consumer Privacy Act (CCPA) took effect on January 1st, 2020 and it applies to any business that deals with primarily consumers in California.
Its three core principles include:
On the other hand, the EU’s General Data Protection Regulation (GDPR) applies to any entity (individuals, NPOs, or businesses) that collect and process data from EU consumers.
The GDPR also identifies some key principles:
- Lawfulness, Fairness, and Transparency
- Purpose Limitation
- Data Minimization
- Storage Limitations
- Integrity and Confidentiality
CCPA vs GDPR: Key Similarities
Although the terminology between CCPA and GDPR differs, the two laws share many similarities (CCPA is often called “the California GDPR”), especially when it comes to:
Both laws aim to protect consumer’s data privacy in their respective regions (California and EU) and of people of its residents.
Whether they call it “personal information” (CCPA) or “personal data” (GDPR), both GDPR and CCPA mean the same thing: information that can be used to identify a person.
CCPA defines a service provider as a “for-profit legal entity that processes information on behalf of a business.
On the other hand, GDPR uses the term “data processor” and by this means “a person or organization that processes information on behalf of the data controller”. So, even though the names they use are different, both the service provider and the data processor do the same thing process information on someone else’s behalf.
Neither CCPA nor GDPR is limited to their respective territories. Instead, CCPA applies to anyone who does business in the state of California, US, whereas GDPR applies to anyone who offers goods and services to consumers in the EU.
In other words, a business does not have to be in California or the EU for the CCPA or GDPR to apply to them.
Not all consumer rights are equal under CCPA and GDPR since in general, the GDPR has a broader scope.Still, both laws include:
- Personal Information or Personal Data
- Service Provider or Data Processor
- Extra-Territorial Scope
- Certain Consumer Rights
- Right to access information
- Right to delete/erase information
- Right to data portability
- Right to opt-out/object
CCPA vs GDPR: Key Differences
However, there are many more differences between them, especially in terms of scope and how they define certain things.
Here are the main differences between CCPA and GDPR
- CCPA is Statutory AND Regulatory, Whereas GDPR is Only Regulatory
The state of California does not need to enforce CCPA in case of a violation. Any such will automatically trigger it and the affected individual can file a civil lawsuit with the state court in CA.
On the other hand, the GDPR is a framework that individual EU members have to enforce through their own national laws.
- Individuals that it Applies to
Although both laws have an extraterritorial scope, the CCPA applies only to consumers who are residents of California and not in transit or temporarily there.
The GDPR, however, applies to any individual who is in the EU at the time of data processing, whether they reside there or are in transit
- Entities that it Applies to
CCPA applies to for-profit organizations that collect personal data from residents of California for commercial purposes
Whereas, GDPR applies also to any kind of entity that is involved in data processing activities, be it for profit or not
- Definition of “Personal Data”
Under CCPA, “personal data '' refers to “Information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer, device or household.”
For instance, this includes the individual’s location, biometric data (fingerprints, facial recognition, etc.), email address, and more.
However, it does not include things such as:
- Information that is already publicly available through federal, state, and local government records
- Medical information that is already protected by HIPAA and CMIA
- Personal information covered in the Gramm-Leach-Bliley Act (GLBA)
- Information in California’s Driver’s Privacy Protection Act (CDPPA)
The definition of “personal data under GDPR, however, is much broader and it refers to “any information relating to an identified or identifiable natural person (data subject)”.
Where, an identifiable natural person” is identified as “one who can be identified, directly or indirectly”.
Under GDPR, personal data includes:
- An individual’s name and surname
- Their home address
- Email address (if it includes the individual’s name and surname (like [email protected])
- ID number
- -Location data
- -Internet Protocol (IP) address
- -Cookie ID
- -Advertising identifier on the phone
- -Data held by the doctor that can be used to identify someone
On the other hand, GDPR does not consider the following as “personal data”:
- Anonymized data
- Email addresses that don’t include one’s name and surname
- Data that is related to a deceased person
- Non-EU recipient countries
- International Data Transfer
There are no restrictions to it under CCPA.
Non-EU recipient countries must provide adequate protection.
- Definition of Data Management
Under CCPA, “data management” includes:
- Data collection
- Data processing
- Sale of data
With CCPA, a business that collects data from consumers must provide them with a choice to opt-out via a “Do Not Sell My Personal Information” link on any page on their website where personal information is collected.
The GDPR, on the other hand, requires businesses to provide both an opt-in and an opt-out option on their website. That means a business that processes data must ask its consumers for explicit consent to use their data (opt-in) and also an option to revoke their consent at any time (opt-out).
Consumer Rights Under CCPA and GDPR
Consumers have certain rights under both CCPA and GDPR, although the EU law covers more rights.
Consumer Rights Under the CCPA
Under the California Consumer Protection Act, consumers have the right to:
- Request information
- Access data
- Data disclosure
- Delete data
- Opt-out of data processing
Consumer Rights Under the GDPR
Under the General Data Protection Regulation, consumers have the following rights:
- To be informed
- To access their information
- To correct inaccurate data
- To delete data
- To object to personal data processing
- To data portability
- To access data
- To restrict automated data processing for profiling and/or decision-making
Exercising Consumer Rights
Consumer rights are exercised and enforced differently by the CCPA and the GDPR.
In California, CCPA enforcement is the domain of the Office of Attorney General (OAG), which is responsible for determining fines and penalties for CCPA violations.
The EU, in comparison, has established the Information Commissioner's Office (ICO) as the primary enforcement body for GDPR.
CCPA vs GDPR: Consequences of Non-Compliance
Both CCPA and GDPR impose fees and penalties in case of a violation.
CCPA Fines & Penalties
Under the California Consumer Privacy Act, the fines are imposed by the state court of California and can be up to $2,500 per violation or $7,500 per intentional violation.
Also, the CPRA, which acts as an amendment to the CCPA as of January 2023, imposes a penalty of $7,500 for any violation relating to minors under 16 years of age
Finally, can also claim statutory damages of a minimum of $100 and a maximum of $750 per violation.
GDPR Fines & Penalties
The General Data Protection Regulation defines two levels of fines based on their severity:
- Less severe violations cost the perpetrator up to €10 million or 2% of the business’s annual global turnover (whichever is higher)
- While more severe violations cost up to €20 million or 4% of the business's annual global turnover (whichever is higher)
CCPA and GDPR: Compliance Requirements
Compliance with both CCPA and GDPR is important in two ways:
- It ensures that your business handles consumer’s personal data in a safe and responsible manner
- It sets a standard that everyone has to follow, regardless of the size, thus creating a level playing field (at least in this)
Let’s take a look at the difference between GDPR and CCPA requirements next:
A business is required to comply with CCPA if it:
- Collects personal data of California residents
- Collects data for commercial purposes on a minimum of 50,000 consumers
- Selling products or services accounts for at least 50% of its annual revenue
- Has an annual gross revenue income of $25 million or more
So how can you ensure CCPA compliance?
Here’s a checklist that can help you:
You must be fully transparent about:
- What data do you collectWhy you collect it
- How you process dataHow (methods) users can request access to their data, move, change, or delete dataHow you verify the identity of the person submitting a request
- How users can opt-out (a clear “Do Not Sell My Personal Information” link
If you sell or share personal data of consumers with third parties, you must inform them about it.
A good way to do this is via a consent management pop-up or banner on your website homepage that users will see when they visit it.
Obtain and Store Consent
Consent can be obtained directly if the person is over 13 years of age or from a parent or legal guardian for children under 13 age
Offer a Way for the Consumers to Contact You
You must provide a clear and unambiguous way for consumers to contact you if they want to, for instance, request access to their data, rectify data, or delete data.
As well, you must reply to such requests without delay. One way to ensure that your organization’s privacy practices are up to the standards is to appoint a CCPA DPO.
If you are:
- A business (whole or a branch) located in the EU that processes personal data of consumers or
- A business outside the EU that provides goods or services to consumers in the EU or
- Monitor the behavior of consumers in the EU,
You are required to comply with the GDPR
To ensure GDPR compliance, you can use the following checklist:
Understand how Data Flows Through Your Company
A business that doesn’t understand and can’t explain how data flows through its systems will have a hard time controlling that data and being compliant with GDPR.
This is why you must keep a record of the following:
- The type of personal data recorded in each department
- How does each department process data?
- Who is responsible (per department) for data processing?
- How do you gather data?
- Do you have a lawful basis for gathering data?
- Your purpose for gathering data?
- The timeframe you will keep that data
- What rights do the users have?
Appoint a DPO
A DPO or a “Data Protection Officer” is a person in your company who is responsible for overseeing your data protection strategy.
Only Collect Data That You Actually Need
You can’t collect data on a “might be useful one-day” basis. Instead, you must have a clear purpose for it and must only collect data for that purpose.
In addition, once that purpose is fulfilled, you should no longer hold that data and should delete it.
Verify the Age of Users Giving You Consent
You can only process data from persons over 16 years of age under GDPR.
If there are users under 16 years of age that might interact with your website, you must have an age verification process on it.
For processing data from users under 16, you must obtain consent not from them, but from their parents or legal guardians.
Assess Third-Party Risks
If you’re also sharing consumers’ personal data with third-party vendors, you need to first be aware of the security risk they might pose.
Evaluate each vendor that you share data with for potential security vulnerabilities.
Report Data Breaches
The General Data Protection Regulation makes it mandatory to report data breaches within 72 hours.
Any data breach must be reported by the data processor to a data controller, who in turn reports it to the supervisory authority.
A supervisory authority, called a Data Protection Association (DPA) is located in the EU state that the business is based on and is responsible for enforcing GDPR compliance.
How is GDPR Different from CCPA?
GDPR applies to any entity (for-profit or NPO) that processes the personal data of consumers in the EU, whereas CCPA applies to for-profit companies that offer products and services to consumers in California.
In addition, GDPR requires both an opt-in and an opt-out, while CCPA only requires an opt-out.
What is the California GDPR-Like Law?
The California Consumer Privacy Act was introduced in 2018 and serves to give consumers in California more control over how their personal data is collected and used by businesses.
What is the US Version of GDPR?
Unlike the EU, which has the General Data Protection Regulation, the United States doesn't have a privacy law that applies to its entire territory.
Instead, each state has its own privacy law, such as the CCPA in California, the Utah Consumer Privacy Act, or the Colorado Privacy Act.
Is GDPR Valid in the US?
GDPR applies to businesses outside the European Union (in the United States for instance) as long as they offer goods and services and process data of EU citizens.
Is CCPA Applicable Outside of California?
Yes, the California Consumer Privacy Act applies not only outside of California but outside of the United States as well as long as the business processes data of Californian citizens.
Does GDPR Apply to Non-EU Citizens?
The General Data Protection Regulation was developed to protect the personal data of EU citizens and give them more control over it. It does not, however, apply to non-EU citizens.
For instance, GDPR wouldn’t apply to a consumer in Switzerland as it is not an EU member.
Does GDPR Apply in the UK?
Since the United Kingdom is no longer a part of the European Union, the EU GDPR no longer applies in the UK. However, the UK has its own version the UK GDPR which is based on the EU GDPR, only smaller in scope and modified for the UK law.
According to the Pew Research Center, most Americans don’t think they have control over how companies or governments collect their data. This is why laws such as CCPA (in California) or GDPR (in the EU) hold such importance.
Need help complying with CCPA or GDPR?
Captain Compliance can assist you in getting CCPA and GDPR compliance on your website and protect your consumers.