The Main Differences Between GDPR and CCPA
As a continuation of my previous blog on the differences between GDPR and CCPA, I will define some of the differences in more detail. It is also noteworthy that the core legal framework of the CCPA is quite different from that of the GDPR. A fundamental principle of the GDPR is the requirement to have a “legal basis” (such as consent, contract, legal obligation, or legitimate interests) for all processing of personal data. That is not the case for the CCPA.
Further, the CCPA focuses on transparency obligations and on provisions that limit the selling of personal information, requiring businesses that sell personal information to include a “Do Not Sell My Personal Information” link on their homepage. In addition, the CCPA includes specific provisions relating to data transferred as a consequence of mergers and acquisitions: the acquiring party must give prior notice, and consumers have the right to opt out, if the “third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection.”
There’s no denying that the CCPA was inspired by the earlier-enacted GDPR and may look like its European counterpart; however, the core legal framework of each is different. Here are some of the notable differences:
• Definition of Personal Information: The CCPA protects “consumers,” defined as natural persons who are California residents, whereas the GDPR applies to “data subjects” in the EU with no citizenship or residency requirement for those individuals. The CCPA also covers data linked to a specific household or device, while the GDPR is concerned only with information relating to an identified or identifiable individual.
• Covered Entities: The GDPR applies to organizations of every kind (businesses, public institutions, and non-profits) that process personal data as controllers or processors. The CCPA applies only to for-profit businesses that do business in California, collect consumers’ personal information, and determine the purposes and means of processing it, and that additionally meet at least one of these thresholds:
o Annual gross revenues over $25 million.
o Annually buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices.
o Deriving 50% or more of annual revenue from selling consumers’ personal information.
Note that the CCPA does not define “doing business in California,” so it is not clear from the statute whether a company must be physically located in the state or only reach California residents.
• Data: While all categories of personal data fall within the scope of the GDPR, the CCPA exempts data that is already regulated by existing federal privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
• Transparency Obligations: Both the GDPR and the CCPA require organizations to disclose what they do with the personal data they have collected. The CCPA requires businesses to disclose the categories of personal information collected, sold, and disclosed for a business purpose in the preceding 12 months; the GDPR imposes no such 12-month limitation on its transparency obligations.
• Right to Delete: The CCPA’s right to delete applies only to personal information the business collected from the consumer, whereas the GDPR’s right to erasure applies to all personal data concerning the data subject, no matter where it came from.
• Rights of the Consumers: The GDPR is an opt-in model: an organization must have a legal basis before it processes personal data or allows third parties access to it, and where that basis is consent, the consent must be obtained in advance. The CCPA is an opt-out model: Californians can opt out of the sale of their personal information if they wish, and businesses must provide a visible link on their homepage for this purpose.
• Data Portability: Both laws provide a right to data portability, meaning the consumer’s data must be provided in a machine-readable format that can be transmitted to another entity. Under the GDPR, organizations must also transmit a data subject’s information directly to another data controller on request, where technically feasible; under the CCPA, companies have no such obligation and need only provide the information to the consumer electronically, in a readily useable format that allows the consumer to transmit it to another entity.
• Penalties for Non-Compliance: Under the GDPR, fines can reach 4% of annual worldwide turnover or €20 million (whichever is higher), and they are imposed by the designated supervisory authority, such as the Information Commissioner’s Office in the UK. Under the CCPA, the California Attorney General can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. Separately, consumers have a private right of action for certain data breaches, with statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.
For the final segment in this 4-part series, where I cover some key differences between GDPR and CCPA, I will go over a more focused review of where an organization’s efforts should lie. Tune in for this coming soon …