The Main Differences Between GDPR and CCPA
This is the final piece of my discussion about these two consumer data protection regulations. This part will continue my recommendations about where to focus your time and efforts.
Children’s Online Privacy Protection
Almost the same: CCPA prohibits the selling of any data for consumers under the age of 16, but children ages 13-16 can give their consent for data collection and sale. Children under 13 require parent or guardian permission under CCPA. The GDPR states that the processing of data belonging to a person under the age of 16 requires parental consent. It is worth noting that individual EU member states can (and do) lower the age of consent, but no less than 13 years of age.
Scientific and Medical Privacy Considerations
Significantly different: Unlike the GDPR, CCPA excludes clinical trials from its scope. CCPA also leaves medical data privacy considerations to other regulatory statutes (e.g., HIPAA). It is also worth noting that GDPR defines scientific research very broadly, while CCPA stays in a narrowly defined area of systematic study.
Individual Rights to Erasure (“Right to be Forgotten”), Opt-out, Information Access, Portability, Non-discrimination
Significantly different: Both GDPR and CCPA allow individuals to request deletion of their personal information unless exceptions (legal, for example) apply. Both regulations include requirements to inform individuals when collecting and processing their personal data, but CCPA does not distinguish notice for collecting information directly from individuals versus from third parties. The right to object (or opt-out) differs in that CCPA is prescriptive and requires a link with the title “Do Not Sell My Personal Information” on the business’ homepage, and under CCPA users can only opt out of the sale of personal data. Both laws provide the right to access data, but CCPA mandates that the data be not just portable but usable as well. Whereas CCPA treats the right to portability as part of the right to access, GDPR places that right in its own section, but the requirement remains the same. Perhaps the most notable difference in this area is that CCPA introduces the right not to be discriminated against if any rights under CCPA are exercised. GDPR lacks this provision. As they say, the devil is in the details; while the two regulations are generally aligned in this area, when looking to implement them within an organization, the differences become more notable, and I advise closer examination of the details.
Cure Period
Completely different: Unlike GDPR, CCPA allows businesses a 30-day window to cure violations.
Civil Fines
Somewhat different: The civil fines under CCPA are $2,500 per violation or $7,500 for each intentional violation, versus GDPR’s €20 million or 4% of global revenue (whichever is greater). Both can be significant to a business … so be mindful of the risk.
Private Right of Action
Significantly different: CCPA stipulates that a company can be liable for $100-$750 per consumer incident in a private right of action, whereas GDPR has no limit.
It All Seems Complicated, Where Do You Start?
If you are required to comply with GDPR, you may have already started the adoption process in advance of last year’s deadline. But if you are anything like the average business, you still have some tasks ahead of you, and this is a great time to consider whether you will be adopting CCPA. For those that must address both regulations, I recommend that you do a little homework and align efforts now. After all, if you will be adopting the most stringent requirements of the two, why create a process that you will need to revisit and change down the road?
Rather than looking at the global requirements, step through the categories of regulation necessities that each act specifies.
Because the GDPR and CCPA are such new regulations and we have had little (GDPR) to no (CCPA) interpretation by the enforcement authorities, it is quite challenging to tell how regulatory enforcement will play out over the next five to ten years. However, we do have digital precedents that can give us glimpses into what the new world of data privacy compliance might look like.
What we know from other historical, massive initiatives is twofold:
1) Governments don’t see digital regulation as a money-making scheme, so it will likely take time before full enforcement comes into play.
2) If you run afoul of the law but can demonstrate good intent, you are likely to get just a slap on the wrist.
I hope this gives you a better understanding of CCPA and some of its differences from GDPR. As the CCPA gets closer and closer to being in effect, the more prepared you are, the better off you will be.