What are the key differences between the CCPA and GDPR?
Who it applies to, where it affects and its global impact.
By eleanor blackwood
Mon 13 July 2020
First of all, what do the letters stand for?
Let’s start with GDPR, which stands for General Data Protection Regulation. GDPR was introduced by the European Union in 2018, and is widely viewed as a landmark law for data and consumer rights.
Fun fact: GDPR applies to the entirety of the EU and all business operations that take place there. Plus, it’s designed so that its member states can tailor it to suit their needs.
CCPA stands for the California Consumer Privacy Act, and came into effect on January 1st 2020. It applies to organisations that conduct business in California, and like GDPR, regulates how personal data is handled.
What impact did the introduction of both GDPR and CCPA have?
Both pieces of legislation have had a global impact on the way that personal data is viewed and handled by both people and companies.
When GDPR was introduced, it was the most comprehensive set of data privacy regulations, with the widest reach, ever to be made into law. Without doubt, it changed how data-handling was viewed worldwide, both raising public consciousness about data issues as well as forcing companies to handle personal data according to certain principles.
Similarly, the introduction of the CCPA had and continues to have a large global impact. This is partly because California is the fifth biggest economy in the world, so their regulation affects global business significantly.
How similar are the laws?
In many ways, the CCPA is a slightly altered version of GDPR. Both strive to ensure strong protection for the personal data of individuals and apply to businesses that collect, use, or share user data.
However, there are some key differences in terms of who the regulations apply to, how they protect user data rights, and what consequences there are for companies who violate their terms.
Personal information is defined differently under GDPR and CCPA
CCPA refers to 'personal information' rather than using the term 'personal data' that is used in GDPR, and there is a slight difference in the scope and definition of these terms.
The CCPA explicitly includes information related to households rather than just individuals, whereas this is unclear within GDPR.
GDPR offers a definition of sensitive data, 'special categories of data' and affords extra protections for this kind of data, the CCPA does not. These include racial or ethnic origin, political opinions, religious beliefs, trade union membership, and genetic data. Whilst CCPA makes reference to 'biometric data' it does not offer extra protections for this data.
Who's protected under GDPR and CCPA isn't the same
GDPR protects ‘data subjects’, which it defines as 'an identified or natural person' whose data is being processed within the European Union. In short, it protects all personal data being processed in the EU. Interestingly, it protects this personal data regardless of where the company processing the data is based or where the data is stored.
CCPA on the other hand protects any 'consumer' who is a 'natural person' and a California resident. The key difference here is that between a ‘data subject’ and a ‘consumer’. Under GDPR, data subjects do not need to be engaged with companies as consumers in order to have their personal data protected.
GDPR affects a much wider range of organisations than CCPA
Since 2018, millions have been levied in fines under GDPR. This is partly because GDPR defines 'data controllers' as any business, organisation, charity, or public service, which offers goods, services or monitors the behaviour of EU citizens. None of these have to be based within the EU to fall under the territorial scope of GDPR, they just have to in some way process the data of EU-based people.
On the other hand, the CCPA applies to ‘for profit’ businesses which collect the personal information of consumers and determines the purposes and means of the data processing they conduct. This leaves many organisations out of its range, such as charities.
These businesses also have to do business in California, have a gross revenue in excess of $25 million, and sell or share the personal information of 50,000 or more consumers, households or devices.
While GDPR has a much wider scope in terms of who needs to comply to it, CCPA does still have a global impact due to the high concentration of large tech companies in California, such as Facebook.
Your data rights under GDPR and the CCPA are different
There is a fundamental difference between GDPR and CCPA when it comes to how they protect users, you need a 'legal basis' to collect and share personal data under GDPR, but this isn’t required under CCPA.
- Companies must get clear and affirmative consent before collecting and processing personal data.
- When data is being processed on a large scale, the appointment of data protection officer is required and regular data protection impact assessments must be carried out.
- Companies are expected to be fully transparent in how and why they collect personal information.
- When they receive a SAR they need to disclose how they've handled your data, and exactly what information they have within 30 days.
You can read more about GDPR here.
- Focuses on transparency about what businesses are doing with your personal information.
- Requires businesses to have a 'do not sell my personal information' link on their homepages online.
- In the event of a merger, CCPA requires businesses to offer consumers an opt out for the continued processing of their information, if the way their data is being used has substantially been altered.
- Excludes some information covered by other acts from its scope, such as medical information collected in clinical trials, or personal information collected by credit reporting agencies.
Ultimately, CCPA is designed to protect consumers, more so than individuals .
Many of these differences stem from the fact that GDPR guarantees individuals the right to access their personal information and to request that it be erased, whereas CCPA guarantees the right of consumers to have knowledge of when their information is being sold.
GDPR focuses on prior consent of the user for personal information to be collected at all, CCPA on transparency around the commercial sale of data.
The consequences for businesses who violate GDPR
Companies in California were given a grace period until July 1st 2020 to comply with CCPA, but now they're expected to comply, or, as is the case with GDPR in the EU, there will be financial and legal consequences.
Under GDPR, depending on the nature of the violation, data protection authorities such as the Information Commissioner in the UK, can issue a standard maximum penalty of up to 2% of global annual turnover, or €10 million, or 4% of global annual income, or €20 million: whichever is higher.
The size of the fine issued depends on the 'gravity and duration of the infringement', and the amount of people who have been affected.
The consequences for businesses who violate the CCPA
Financial penalties can also be issued under CCPA in the form of civil penalties (which means the penalty is court ordered), which could be $2,500 for each violation, or $7,500 for each intended violation.
There can also be more intensive legal consequences for both GDPR and CCPA violations when individuals bring forward cases of privacy law violations through data breaches.
These are awarded when successful civil action cases are brought before the Attorney General.
Businesses must be given a thirty day notice period prior to any individual or class action case being initiated, in which they have the opportunity to try and “cure” the violation that has occurred.
Ultimately, all violations of GDPR or the CCPA can lead to judicial ramifications, including both those that cause material and non-material damages. However, while GDPR does not provide a limit for potential damages awarded in the courts, CCPA statute establishes that damages cannot be less than $100 or greater than $750 per consumer effected.
Final thoughts 💭
Both CCPA and GDPR actively regulate how personal data is handled, and grant greater rights to users over their own data. With GDPR personal data cannot be collected and processed without the establishment of prior consent, whereas CCPA focuses on the importance of consumers being able to opt out of the sale of their data.
The limits to penalties and judicially awarded damages under CCPA may raise questions for the UK’s Information Commissioner and the High Court, when companies like British Airways are facing unprecedented fines as well as class action suits, which has no set limit for potential damages.
What’s more, whilst GDPR is more all-encompassing and affords greater protection, it doesn't always work in the way that it was intended to. Similarly, CCPA leaves many companies free to handle personal data in a way that many would find concerning.
Ultimately, while there are key differences between GDPR and CCPA, both are are huge leaps forward for data rights.
If you have any more questions about this topic please get in touch, we'd love to hear from you. In the meantime, we'll keep you up to date with any changes!