The Main Differences Between GDPR and CCPA
This is a continuation from our last segment where I went into more detail on the main differences between CCPA and GDPR. Here I will focus on a narrower scope and where your efforts should lie. This will be split into two pieces as there is a lot of information to digest.
Significantly different: GDPR requires the organization to name a data privacy officer (DPO) and keep a log of personal data processing activities. CCPA does not have the same requirements.
Definition of Personal Data
Somewhat different: While both regulations use broad definitions for personal data, CCPA provides specific examples of any identified or identifiable person. CCPA also extends the definition to households, which significantly impacts organizations that offer products or services associated with IoT and digital devices. Unlike CCPA, GDPR specifically defines sensitive data and prohibits the processing of such data unless specific exceptions apply.
Almost the same: GDPR and CCPA address organizations and entities in the same way. Organizations outside of the EU offering products and services in the EU must abide by GDPR. In the same manner, organizations doing business in California must comply by CCPA regardless of where they are located.
Significantly different: GDPR is much broader in defining who is regulated (anyone who markets, sells, or deals with a person located in the EU), whereas CCPA says individuals living or working in California. The level of protection is extended by CCPA, as it includes information linked to the household or a device, making many IoT devices in scope.
GDPR initially had a provision excluding small and medium businesses, in the final version that exception was removed. The CCPA specifically excludes firms with annual gross revenue below $25 million, or that possesses the personal information of fewer than 50,000 consumers, households, or devices; or earns less than half of its annual revenue from selling consumers’ personal information.
Completely different: GDPR indicates that personal data processing is lawful under six specific grounds. The CCPA does not define prerequisites for data collection, selling or disclosing which is a significant difference for any business. Instead, the CCPA allows consumers to post-collection the right to opt out (by a straightforward and publicly accessible link in the organization’s website) to the sale and disclosure of personal information.
Almost the same: GDPR and CCPA overlap in their definition of personal information, but the CCPA differs from GDPR by defining anonymous data, and not including aggregate consumer information and de-identified data from the application, collection, storage and processing of the data.
Controller and Processor Definition
Almost the same: Controllers under GDPR are similar to businesses under CCPA. And processors under GDPR are similar to service providers. The two differ when it comes to the obligations required under each, as GDPR requires a contract or legal tool (DPA) to be used between controllers and processors for data processing purposes. CCPA requires personal information to be shared based on the terms of a written contract.
Stay tuned for our next blog where I will finish up this series, providing a few more examples and where to focus your efforts. Until next time …