GDPR vs. CCPA: Everything about the 2020 California Consumer Privacy Act (and How it Stacks up Against GDPR)
The General Data Protection Regulation (‘GDPR’) and the California Consumer Privacy Act of 2018 (‘CCPA’) (which has since been amended by California Senate Bill 1121 (SB-1121)) both aim to guarantee strong protection for individuals regarding their personal data, and both apply to businesses that collect, use, or share consumer data, whether the information was obtained online or offline.
The GDPR, which went into effect on 25 May 2018, is one of the most comprehensive data protection laws in the world to date. Absent a comprehensive federal privacy law in the U.S., the CCPA is considered to be one of the most significant legislative privacy developments. Like the GDPR, the CCPA’s impact is expected to be global, given California’s status as the fifth largest global economy. The CCPA will take effect on 1 January 2020, but certain provisions under the CCPA require organizations to provide consumers with information about the preceding 12-month period, and therefore activities to comply with the CCPA may well be necessary sooner than the effective date.
The two laws are similar in relation to their definition of certain terminology; the establishment of additional protections for individuals under 16 years of age; and the inclusion of rights to access personal information. However, the CCPA differs from the GDPR in significant ways, particularly with regard to the scope of application; the nature and extent of collection limitations; and rules concerning accountability.
The GDPR and the CCPA: A Comparison for Businesses
GDPR: Data subjects, defined as identified or identifiable persons to whom personal data relates.
CCPA: Consumers, defined as California residents who are either:
- In California for other than a temporary or transitory purpose.
- Domiciled in California but are currently outside the State for a temporary or transitory purpose.
Consumers include:
- Customers of household goods and services.
- Employees.
- Business-to-Business transactions.
While neither the GDPR nor the CCPA apply to legal persons, both apply to natural persons, but with a difference in the way they are defined. The CCPA clearly states that it applies to California residents, while the GDPR uses the more vague term “EU data subjects” without naming any residency or citizenship requirements. The CCPA also protects data that can be linked to a particular household, not just an individual as the GDPR does.
GDPR: Data controllers and data processors:
- Established in the EU that process personal data in the context of activities of the EU establishment, regardless of whether the data processing takes place within the EU.
- Not established in the EU that process EU data subjects’ personal data in connection with offering goods or services in the EU, or monitoring their behavior.
CCPA: Any for-profit entity doing business in California that meets at least one of the following:
- Has a gross revenue greater than $25 million.
- Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The GDPR’s scope is broad: it applies to all organizations, from businesses to public institutions and the nonprofit sector. The CCPA meanwhile has restricted its applicability to for-profit companies that meet very clear requirements.
In regard to geographical location, the GDPR applies to any company that processes the data of EU data subjects, wherever the company may be located. The CCPA is unclear on this point: companies falling under its jurisdiction must be “doing business in California”, but the Act does not clarify whether a company must be located in the state, or merely meet certain revenue thresholds there, to qualify as such.
GDPR: Personal data is any information relating to an identified or identifiable data subject. The GDPR prohibits processing of defined special categories of personal data unless a lawful justification for processing applies.
CCPA: Personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.
The GDPR applies to all categories of personal data, while the CCPA only applies to data not already covered by existing federal privacy laws such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA).
GDPR: Pseudonymous data is considered personal data. Anonymous data is not considered personal data.
CCPA: Does not restrict a business’s ability to collect, use, retain, sell, or disclose consumer information that is deidentified or aggregated. However, the CCPA establishes a high bar for claiming data is deidentified or aggregated. Pseudonymous data may qualify as personal information under the CCPA because it remains capable of being associated with a particular consumer or household.
The definition of “pseudonymisation” under the GDPR and the CCPA is very similar: in both, it is the processing of personal data in such a manner that the data can no longer be attributed to an identified or identifiable person without the use of additional information, where technical and organizational measures keep that additional information separate.
GDPR Article 13, CCPA 1798.100
GDPR: Data controllers must provide detailed information about their personal data collection and data processing activities. The notice must include specific information depending on whether the data is collected directly from the data subject or from a third party.
CCPA: Businesses must inform consumers about:
- The personal information categories collected.
- The intended use purposes for each category.
Both the GDPR and the CCPA require organizations to disclose what they do with the personal data they collect. The CCPA, however, requires companies to disclose data sales and data processing activities over the preceding 12 months, while the GDPR places no such time limitation.
GDPR Article 24, CCPA 1798.150
The GDPR requires data controllers and data processors to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
The CCPA does not directly impose data security requirements. However, it does establish a right of action for certain data breaches that result from violations of a business’s duty to implement and maintain reasonable security practices and procedures appropriate to the risk arising from existing California law.
Substantially similar in statutory approach, though what counts as reasonable security measures may vary to some extent according to an organization’s circumstances and regulator interpretation.
GDPR Articles 12 – 21, CCPA 1798.120
Expanded Individuals’ Rights:
- access their information;
- have inaccuracies corrected;
- have information erased;
- prevent direct marketing;
- prevent automated decision making and profiling;
- data portability.
While the GDPR requires organizations to get prior consent from data subjects for data processing and third-party access to their data, the CCPA allows data subjects to opt-out of the sale of their data and requires businesses to have a visible link at the top of their homepage for this purpose.
Both the GDPR and the CCPA offer the right to data portability: namely to provide consumers with their personal data in a commonly used, machine-readable format that can then be transmitted to another entity.
The GDPR goes a step further in this direction, putting organizations under the obligation to transfer a data subject’s information to another data controller upon request.
Under the CCPA, businesses are only required to provide consumers with the information electronically in a readily useable format.
While the GDPR’s right to erasure has a few notable exceptions such as data necessary for exercising the right of freedom of expression or data needed for compliance with EU or EU member state law, the CCPA broadens these exceptions further by including not only free speech and information needed for contracts, but, most notably, also internal uses compatible with the context in which the consumer provided the data.
The GDPR’s default age for consent is 16, although individual member state law may lower the age to no less than 13.
The person with parental responsibility must provide consent for children under the consent age. Children must receive an age appropriate privacy notice.
Children’s personal data is subject to heightened security requirements.
The CCPA prohibits selling personal information of a consumer under 16 without consent.
Children aged 13 – 16 can directly provide consent. Children under 13 require parental consent.
The GDPR emphasizes special protection for children and provides specific provisions for protecting children’s personal data when processed for providing information society services.
The CCPA creates a special rule for children with regard to “selling” personal information; however, this rule is not limited to information society services.
While in many ways the GDPR and the CCPA align, there are notable differences between the two regulations.
The GDPR’s definitions are often broader, while the CCPA has taken a more specific approach to its scope. This does not mean, however, that because Convert is already GDPR compliant we will not put a plan of action in place for robust CCPA compliance. We will apply the same rigour and preparation to the CCPA as its effective date approaches, and keep you, the reader, updated.