The California Consumer Privacy Act has been coined California’s GDPR, referring to the comprehensive data protection law that took effect in May 2018 in Europe, just one month before the CCPA was passed. The CCPA, which is set to take effect January 2020, creates new rights for Californians and other obligations for businesses handling their information. The CCPA is said to be a model of the GDPR, however, there are some clear differences between each legislation.
Both the CCPA and the GDPR give individuals certain rights to how their personal information is collected and used, but there are several important contrasts to be aware of. Because California has a much larger economy than the UK, the implications of penalties may be even more severe than that of the GDPR. Even though the CCPA does not go into effect until 2020, we are already seeing it influence federal legislation.
Understand the similarities and differences between the GDPR and CCPA.
|Who It Protects|
|‘Consumers’ who are California residents||‘Data Subjects’ in the European Union|
|Defined as any information that ‘identifies, relates to, describes, is capable of being associated with, or could reasonability be linked directly or indirectly, with a particular consumer or household.” This includes not only identifies like name or address, but extends to browsing history, behavioral data and more.||Defined as any information relating to an identified or identifiable natural person, directly or indirectly. This usually mean data like address, license plate numbers, SSN, blood type, bank account information, and more.|
|Grants consumers five rights:
1. The right to disclosure
2. The right to deletion
3. The right to access
4. The right to opt-out
5. The right to non-discrimination
|Grants data subjects eight rights:
1 . The right to be informed
2. The right to access
3. The Right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated individual decision making, including profiling
|Right to Deletion|
|CCPA right to deletion applies to data collected from and about the consumer||GDPR right to deletion applies to all data collected about the consumer|
|Who Must Comply|
|“California businesses” of substantial size (with regards to revenue or number of consumers affected) that collect consumer personal data||Any “data controllers” (who determine the purpose and means of processing the data) and “data processors” (who process this data for the controller) that holds personal data of EU citizens.|
|Basis for Consent|
|Allows sites to collect and sell your data if you sign up or make an online purchase and only offers consumers the right to opt-out.||Requires consumers to opt-in to data collection by instructing sites to get consent before collecting data.|
|Time allowed to respond to a request|
|Responsible parties have 30 days to respond to a request||Responsible parties have 40 days to respond to a request|
|Organizations in breach can be fines up to $2,500 per violation for negligent violations and up to $7,500 per violation for intentional violations.||Organizations in breach can be fined up to 4% of annual global turnover or EUR 20 million.|
While in many ways the GDPR and the CCPA align, there are notable differences between the two regulations. The GDPR’s definitions are often broader, while the CCPA has taken a more specific approach to its scope. That does not mean however that companies that are GDPR compliant don’t need to worry about the CCPA.
Don’t expect this to be the last privacy act, either — there are many more on the horizon. Companies should be prepared to meet more stringent data privacy regulations that focus on data discovery, security, and classification. Stay tuned…