The EU’s General Data Protection Regulation (GDPR) changed the world of data management: companies across the globe were prompted to implement measures that would ensure GDPR compliance. In the US, the California Consumer Privacy Act (CCPA) has drawn similar attention, as the law shares many of GDPR’s features and has prompted businesses to reconsider their data governance strategies. Let’s compare the CCPA and GDPR to see how the two data privacy laws line up and how to make sure that you’re fully compliant.
When Were These Data Privacy Laws Enacted?
The General Data Protection Regulation was approved by the European Parliament in April 2016, following a lengthy four-year debate over legislation that strives to make privacy the default. After a two-year transition period, the law became applicable on May 25, 2018, replacing the outdated 1995 Data Protection Directive. Supervisory authorities could impose fines from that date onward, and the first major GDPR fines followed within about a year.
The California Consumer Privacy Act was signed into law on June 28, 2018, and took effect on January 1, 2020. The CCPA demands greater transparency around the collection, storage and use of personal information. The California Attorney General can begin enforcing the CCPA, including issuing fines and penalties, on July 1, 2020.
Who’s Protected by CCPA and GDPR?
GDPR protects data subjects located in the EU (not just legal “residents” or “citizens”), while the CCPA protects California residents, defined as anyone “who is in the State for other than a temporary or transitory purpose” or a person “who is domiciled in the State who is outside the State for a temporary or transitory purpose.”
Who is Affected by GDPR and CCPA?
There are thousands of companies that are subject to both GDPR and CCPA requirements. GDPR applies to any organization established in the EU, and to any organization outside the EU that offers goods or services to people in the EU or monitors their behaviour, which covers e-commerce businesses selling to EU customers regardless of where they are based.
The CCPA affects a narrower segment of the business world. CCPA applies to for-profit businesses that do business in California, collect California residents’ personal information, and meet one or more of the following thresholds:
- Annual gross revenue in excess of $25 million; or
- Annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or
- Deriving 50 percent or more of annual revenue from selling consumers’ personal information.
There is also a CCPA exemption for businesses that are subject to the California Insurance Information and Privacy Protection Act (IIPPA). This includes “insurance companies, agents and support organizations.”
How Do GDPR and CCPA Define Personal Data and Information?
The CCPA has defined personal information as any data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Worded as only a legal document can be worded, of course.
Meanwhile, GDPR defines personal data as “any information relating to an identified or identifiable natural person” (the data subject), where a person is identifiable if they can be identified “directly or indirectly, in particular by reference to an identifier.” GDPR also singles out special categories of personal data (often called sensitive data: health, genetic and biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and sex life or sexual orientation), which may not be processed unless one of the specific conditions in Article 9 applies.
What Personal Data is Protected?
The scope of personal data that’s covered by GDPR and the CCPA is quite similar, although the CCPA’s definition enumerates a broader range of information.
Both laws protect personal data such as:
- Identifiers such as a person’s name, alias, account number, postal address, IP address, email address, passport number or other pieces of information able to identify a specific person.
- Biometric information, such as fingerprints, retinal scans, DNA or genetic information.
- Internet and network data such as browser history, search history and cookies.
- Commercial data such as a person’s purchase history or memberships.
- Geolocation information.
The CCPA affords additional protections, including:
- Visual, olfactory, auditory, thermal or electronic information that’s specific or unique to an individual.
- “Characteristics of protected classifications” as defined by California and federal laws.
- Any and all inferences that are derived from the aforementioned information types, including a consumer’s behavior patterns, preferences, characteristics, intelligence and abilities.
- Employment history, education, certifications and any other personal data that is “not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act.”
GDPR Fines vs CCPA Fines
Both the CCPA and GDPR carry hefty penalties for violators. GDPR fines can total up to €20 million or 4% of worldwide annual turnover for the prior financial year, whichever is higher.
Meanwhile, CCPA civil penalties can reach $2,500 per violation, or $7,500 per intentional violation, and each affected consumer can count as a separate violation. The law also gives consumers a private right of action for certain data breaches, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. It should be noted that businesses are granted a 30-day period to cure a violation after being notified of it.
The California Attorney General holds the power to impose CCPA penalties, while the courts handle consumer lawsuits. Under GDPR, the supervisory authority of each EU member state (the Information Commissioner’s Office (ICO) in the UK, the CNIL in France, and so on) is responsible for performing investigations and issuing GDPR fines.
CCPA vs GDPR Rights
GDPR and CCPA both grant individuals the right to access their data, the right to be informed, the right to have personal data deleted and the right to portability. The latter lets a person obtain their records in a usable format and transfer them to another service provider, for instance. The CCPA grants Californians the right to opt out of the sale of their personal information, while GDPR relies on prior consent (or another lawful basis for processing) and gives individuals the right to withdraw consent at any time.
GDPR gives data subjects the right to ask what personal data a company holds about them; individuals also have the “right to be forgotten” (the right to erasure), meaning that a person can request that a company delete their data, subject to certain exceptions. The CCPA offers comparable rights, and additionally gives California residents the right to request the categories of third parties with which a business has shared or sold their information.
Consent is a key aspect of GDPR, whereas the CCPA focuses more on the issue of transparency. In fact, the CCPA does not require companies or websites to obtain prior consent for processing or even selling user data, with one exception: selling the personal information of consumers under 16 requires their affirmative opt-in, and a parent’s or guardian’s consent for children under 13.
Additional Points on CCPA and GDPR Compliance
Both laws require websites to tell visitors what data is collected and how that data is used, typically through a privacy notice. Both also prohibit companies from penalizing or denying service to individuals who exercise their privacy rights; under the CCPA a business may offer financial incentives in exchange for data, but it may not discriminate against consumers who opt out.
GDPR requires the website to provide the visitor with an opportunity to accept or decline data sharing; notably, you cannot have any tick boxes ticked by default. In fact, GDPR has proved to be a game changer by making privacy the “default,” versus the exception, like most of us are used to.
The CCPA specifies that the privacy notice, and the opt-out link for businesses that sell personal information, must be reachable from the website’s homepage, which in practice means a link in the footer. A missing notice does not, however, give consumers grounds to sue: violations of this kind are enforced by the Attorney General, and the consumer’s private right of action is reserved for data breaches (assuming the business is required to achieve CCPA compliance in the first place).
In the case of companies that sell data, the CCPA requires company websites to include a button or link with the text, “Do Not Sell My Personal Information,” thereby enabling consumers to opt-out with ease.
GDPR stands apart from the CCPA in requiring the appointment of a Data Protection Officer (DPO) for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; other organizations may appoint one voluntarily. The DPO monitors compliance and serves as a point of contact for data subjects exercising their rights (including requests “to be forgotten”) and for the supervisory authority. Additionally, GDPR sets procedural requirements and deadlines for breach notification: the supervisory authority must be notified within 72 hours of the organization becoming aware of a breach, and affected individuals must be informed without undue delay when the breach is likely to result in a high risk to them.
The CCPA differs from GDPR in providing an explicit private right of action, including class-action lawsuits, but it is narrower than is often assumed. Consumers can sue only when a data breach exposes their nonencrypted and nonredacted personal information as a result of the business’s failure to implement and maintain reasonable security procedures. Other violations, such as a consumer being unable to determine how their information was collected or being unable to obtain a copy of the data held about them, are enforced by the Attorney General rather than through private lawsuits.
Compliant Data Governance Solutions for Business
At SevenTablets, data management and data governance software is amongst our specialties, as evidenced by our product, Sertics. From creating data lakes to devising a new data governance plan, we help clients as they strive to leverage their data like never before. Our talented custom software developers and mobile app development experts can also lend a hand with any custom development projects. And don’t forget to check out our GDPR compliance ebook, with an overview of how GDPR can impact your company and its data.
SevenTablets is based in Dallas, with offices in Houston, Chicago, and beyond. We provide a range of service offerings, including ERP and CRM development, cloud integrations and system integrations. So if you’re in search of an innovative team to help your company make the most of its data, contact SevenTablets today.