CCPA vs. GDPR – differences and similarities

After the European General Data Protection Regulation (GDPR) came into full force on May 25, 2018, other governments followed the EU lead. 

California is one of the countries preceding this effort to create one cohesive national data privacy law with the California Consumer Privacy Act (CCPA), which became fully effective on January 1, 2020.

That is why it is no surprise that the CCPA is heavily inspired by the GDPR. However, to what extent? That is what we are going to find out.

The important thing to remember is that both CCPA and GDPR have the same goal, to protect the privacy of individuals, no matter if they are called consumers or data subjects.

The impact the CCPA will have is yet to be seen, but considering the State of California is the fifth-largest economy in the world, there is no doubt that the impact will be on a global scale.

What are the differences between CCPA and GDPR?

The worldwide trends point out that the European GDPR was just first in line with many similar laws to come, and in many ways, new legislatures will adopt good practices from previous privacy laws and add something of their own.

Therefore, the similarities in terminology are to be expected, but differences will bear more significance.

Key differences between CCPA and GDPR:

• The territorial scope and application of the law
• Fines
• Nature and extent of collection limitations
• GDPR lawful basis requirement for all processing of personal data

Let’s see how this translates into practice.

1. CCPA vs. GDPR – Who must comply?

The GDPR states that public institutions and non-profit organizations are required to comply just the same as companies and businesses do.

However, the CCPA is focused only on for-profit businesses that have residency in California or process personal information of California residents and meet one of the following criteria:

• The companies’ annual revenue surpasses $25 million;
• The company obtains personal information of at least 50.000 California residents, households or devices annually;
• Or the company makes at least 50% of its annual revenue from selling the personal information of California residents.

The CCPA allows the processing of consumers’ data if they do not meet one of the mentioned criteria.

At the same time, GDPR is applicable to all data controllers who process the personal information of EU citizens, with no exception.

2. CCPA vs. GDPR – Territorial scope

Regarding the territorial scope, the similarity between GDPR and CCPA is reflected in the fact that the enforcement of the CCPA is not defined by the territory. Instead, it protects the personal data of the residents of California no matter where just like the GDPR. 

The GDPR applies to all organizations, EU and non-EU, that process personal information of European citizens. This means they offer goods or services to European Union citizens or monitor the behavior of individuals within the EU.

For example, if the company is operating outside the EU territory but has a website in one of the languages of Member states, ships and delivers goods in the EU territory, or offers prices in the currency of any country in the EU, it will be considered that the company offers goods and services to the EU citizens and the GDPR will be applicable to that company as well.

The CCPA applies to businesses that do business in California if they collect or sell Californian personal information, no matter where the company is located.

3. CCPA vs. GDPR – Penalties and Fines

The EU legislators demonstrated intolerance of violation of individuals’ privacy when introducing, up to that point, unprecedented GDPR fines.

Depending on the violation, the range of the GDPR fine can go from:

• 2% of global annual turnover or €10 million, whichever is higher
• 4% of global annual turnover or €20 million, whichever is higher

Penalties for non-compliance with the CCPA can be up to:

• $2,500 per record for each unintentional violation
• $7,500 per record for each intentional violation

When we look at the numbers at first, the GDPR may seem to introduce more severe fines. However, according to the CCPA, if a company violates the rights of 10,000 consumers, the company could face a fine ranging from $25,000,000 to $75,000,000.

So if we look at some of the data breaches so far, those incidents affect a lot of data subjects’ personal information, and in the case of the CCPA, numbers can add up quickly.

Especially since the CCPA does not provide a maximum amount of penalties for each violation.

4. Opt-out vs. Opt-in

According to the GDPR, there are six lawful bases for processing personal information of citizens and residents of the EU (one of them being consent), while the CCPA does not recognize the lawful basis for processing.

The CCPA focuses on an opt-out system, while GDPR focuses on an opt-in system.

This means in the EU, prior to the processing, the data controller needs to identify the lawful basis for processing in order to be GDPR compliant, while the CCPA allows businesses to process consumers’ data unless the individual exercises his or her right to opt-out from having their data sold.

“A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out. ” – CCPA

According to the Californian Privacy Act, the opt-out does not refer to data processing in general. It is, in fact, a very specific right that applies only to the selling of personal information about a Californian consumer.

Selling in these terms means a transfer of personal data to any third party, which includes giving access to, sending, releasing, communicating, and so on, in exchange for monetary value.

Furthermore, GDPR requires that you opt-in for every specific data processing (if other lawful bases are not applicable), which gives a lot more control over data processing to the individual.

5. Consumers vs. Data Subjects

With time, we adjusted to the term Data Subject that was introduced in the GDPR.

The data subject is an identifiable natural person. While the data subject translates to the consumer in the CCPA (to be fair, a term that sounds much more natural and much less legal), there are certain differences.

Both data subjects and consumers are living natural persons. However, the CCPA clearly specifies that Consumer needs to be a Californian resident (the Californian resident is considered an individual who has permanent residence in the State of California or a domiciled individual who is temporarily outside the State).

While GDPR never specifies the residency or citizenship of the Data Subject, it identifies the data subject as a natural person who can be directly or indirectly identified through personal data.

If a Californian is visiting the EU, his data will be protected under the GDPR.

The GDPR is oriented to protecting data subjects and seems far more inclusive, while CCPA is oriented on protecting only Californian residents.

6. CCPA vs. GDPR – Exclusion of data

When comparing CCPA vs. GDPR, There are certain types of data that the CCPA excludes from its scope, unlike the GDPR, which applies to all data related to the data subject.

Data excluded consist of:

• Medical information
• Information collected as part of a clinical trial– research that studies a test or treatment given to people
• Sale of information to or from consumer reporting agencies – an independent firm that collects, compiles, and reports the credit activities of individuals, which is made available, for a fee, to lenders or credit issuing entities investigating the creditworthiness of those applying for credit.
• Personal information under the Gramm-Leach-Bliley Act -Financial Services Modernization Act of 1999
• Personal information under the Driver’s Privacy Protection Act– a US federal statute governing the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles.
• Publicly available personal information

7. CCPA vs. GDPR – Consumers’ rights

If we compare existing privacy laws in California, the novelty in the way the consumers are protected are mostly related to new rights that are granted by the CCPA. From now on, Californians will be able to exercise one of the six rights granted by the CCPA:

• Right to deletion – the same as the right to be forgotten from the GDPR, with certain differences such as response time which is 45 days under the CCPA, while the GDPR response time is 30 days.
• Right to be informed – the consumer has a right to request information about processing his/her personal information.
• Right to data portability
• Right to opt-out  – This gives the consumer the right to opt-out of the sale of their personal information to third parties
• Right to access – The CCPA grants the consumer the right to request access to information about what categories and types of personal data the company is processing.
• Right of disclosure

Read more about the rights granted by the GDPR and compare them with the CCPA.

Conclusion

Although we can discuss and guess how the CCPA story will unveil, everyday practice will show the effectiveness of the CCPA.  So far, it seems it is not completely clear what it will require to be CCPA compliant.

One thing is for sure, you will see a lot more of “do not sell my personal information” around the web.

We could continue on about the differences and similarities between the GDPR and CCPA, like the fact that the GDPR dictates an obligation (in certain cases) to appoint a Data Protection Officer and keep the records of processing activities. However, we are running out of lines, so subscribe to our newsletter, and we will notify you when there is a new article!