The California Consumer Privacy Act (CCPA), heralded as the U.S. version of the European Union’s General Data Protection Regulation (GDPR), has many American companies overhauling their approach to privacy protection in data processing activities.
Assuming that the CCPA is “GDPR Lite,” however, can result in non-compliance with the California law. The two privacy laws have many differences. Compliance with the GDPR does not necessarily assure compliance with the CCPA.
To meet the standards required by each of these data protection laws, you need to understand the differences between the two. To help, we offer a detailed comparison of the CCPA and the GDPR.
What Are CCPA and GDPR?
Governments have enacted laws such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) to give people more control over their personal information. Both laws govern how businesses can use the data they collect about consumers.
The CCPA is meant to protect Californians, so they can understand how personal data is gathered and used. The GDPR governs data privacy across the EU, superseding various data protection rules with a unified framework. (Despite coming from Europe, it’s vital to remember that the GDPR affects many companies in the United States.)
Broadly speaking, the CCPA and GDPR are both premised on the idea that personal data belongs to the person the data is about, rather than the organization collecting or using the data. And if personal data is an individual’s property, that means the individual can exercise certain rights over it, and organizations have certain duties of care they must meet while handling it.
The GDPR requires that any organization processing the personal data of people in the EU have a lawful basis for doing so. Consent from the individual is one of those bases (the others include performance of a contract, a legal obligation, and legitimate interests), and where consent is relied on it must be freely given, specific, informed, and as easy to withdraw as it was to give.
The CCPA, by contrast, requires neither a lawful basis nor prior consent before a business collects personal information or sells it to a third party. Instead it gives consumers the right to opt out of the sale of their personal information, and requires opt-in consent only for consumers under the age of 16.
Who Has to Comply With GDPR vs. CCPA?
The CCPA protects “consumers”: natural persons who reside in California. The GDPR protects “data subjects,” meaning identifiable natural persons in the EU, regardless of citizenship. Both laws reach organizations anywhere in the world, in slightly different circumstances.
The CCPA governs for-profit organizations that conduct business in California and gather personal data from California residents. To fall under CCPA jurisdiction, a company must also meet one of the following criteria:
- Yearly gross revenues of at least $25 million;
- Annually buys, sells, or shares (including receiving for commercial purposes) the personal information of 50,000 or more consumers, households, or devices (the CPRA raises this threshold to 100,000 consumers or households from 2023);
- Derives 50 percent or more of its annual revenue from selling (and, under the CPRA, sharing) consumers’ personal information.
The CCPA also specifies rules for service providers that handle customer data on a company’s behalf.
The GDPR focuses on data controllers, which are organizations that select how and why to use the data of EU residents. The GDPR also governs data processors, which are companies that handle personal data on behalf of controllers.
The GDPR applies to controllers and processors established in the EU, and to controllers and processors outside the EU that offer goods or services to people in the EU (whether or not payment is involved) or monitor their behavior. Citizenship is irrelevant; what matters is that the data subject is in the EU when the data is collected.
It’s essential to consider how you gather and handle personal data in various regions because the CCPA and GDPR significantly influence a wide range of globally active businesses.
How Do CCPA and GDPR Affect My Business?
The CCPA and GDPR do have many similarities. This is especially true thanks to another law recently enacted in California, the California Privacy Rights Act (CPRA). The CPRA strengthens the CCPA with additional protections, and organizations must comply by January 2023.
First, both laws define “personal information” (the GDPR’s term is “personal data”) in essentially the same way: information that identifies, relates to, or is reasonably capable of being associated with a specific person. That can include names, addresses, identifiers such as passport or driver’s license numbers, and phone numbers. It can also include genetic data, photographic images, or even internet search histories. The CCPA includes a non-exhaustive list of examples; the GDPR does not, and leaves the definition deliberately broad.
The CCPA gives Californians the right to know whether and why their personal information is collected or processed; the GDPR does the same for people in the EU. Companies must implement the organizational and technical capabilities needed to honor these requests.
The CCPA asserts the individual right to non-discrimination, which makes it illegal to refuse products and services, charge different prices, or provide services of lesser quality. Everyone also has the same right to opt-out. Additionally, it allows people to choose a legitimate individual or corporate body to represent them in exercising their CCPA-awarded rights.
The right to rectification allows individuals to require a company to correct inaccurate or incomplete records of their personal data. It is one of the GDPR’s rights (the GDPR separately lets individuals restrict processing while accuracy is being verified, or when the data is no longer needed), and the CPRA adds an equivalent right to correct inaccurate personal information.
There are also some exemptions in the CCPA regarding personal information transmitted between businesses. For example, if personal data for an employee or contractor of a company is obtained in the course of business-to-business communications or transactions, the information may be exempt from specific CCPA requirements.
Individuals under both the CCPA and the GDPR have a right to deletion (under the GDPR, the right to erasure, often called the “right to be forgotten”). This means companies must erase a person’s information on request unless an exception applies, such as a legal obligation to retain it.
The CCPA contains several exceptions aiming to assist companies in striking a balance between maintaining customer privacy and being able to collect and use the data the companies require for both commercial and compliance needs. The exceptions apply to completing transactions, upholding legal obligations, maintaining security and existing functionality, protecting free speech, conducting research, and allowing for internal, expected, and lawful uses.
The maximum GDPR fine is €20 million (more than $24 million) or 4 percent of worldwide annual turnover, whichever is higher. Under the CCPA, the maximum civil penalty is $2,500 per violation, rising to $7,500 per intentional violation. The CPRA sets the maximum at $7,500 per violation, intentional or not, for any violation involving the personal information of a consumer under the age of 16.
While the CCPA’s penalties may seem much lower than the GDPR’s, the CCPA also gives consumers a private right of action: if a data breach of non-encrypted, non-redacted personal information results from a business’s failure to implement reasonable security procedures, consumers can sue, including as a class, for statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater). That cost accumulates quickly given the volume of consumer data a typical business holds, which is why reasonable security controls, not just privacy notices, are central to CCPA exposure.
How Do the CCPA and the GDPR Differ?
One key difference is which companies fall under each law’s scope.
The General Data Protection Regulation applies to any organization worldwide that processes the personal data of people in the EU in the circumstances described above. The CCPA applies to for-profit organizations that do business in California and meet at least one of the following:
- Annual gross revenue of at least $25 million;
- Annually buys, sells, or shares the personal information of 50,000 or more California consumers, households, or devices (100,000 consumers or households under the CPRA); or
- Derives 50 percent or more of annual revenue from selling (or, under the CPRA, sharing) California residents’ personal information.
The types of information protected are similar. But the CCPA, unlike the GDPR, protects the data privacy of entire households and data on computing devices in the home, including their applications. The GDPR only protects individuals.
Although the regulations use different languages, both focus on providing users with easy-to-read copies of their collected data and allowing the protected parties to share that information easily.
The GDPR created a new right for data subjects to receive copies of their data from the organization, providing the information in a structured, commonly used, machine-readable format. It also allows persons to request the transmission of their data to other data controllers.
Under the CCPA, when a consumer requests disclosure of the personal information a business has collected about them, the business must respond within 45 days (extendable once by a further 45 days where reasonably necessary, provided the consumer is notified), and must deliver the information in a portable and, to the extent technically feasible, readily usable format that lets the consumer transmit it to another entity without hindrance.
Unfortunately, the two laws also use the same terminology to describe the processing of personal data in different ways. GDPR uses the word “processing” to describe any activity involving data. The CCPA breaks data activity down into “processing,” “selling,” and “collecting.”
The consent model also differs. The GDPR requires a lawful basis before personal data is processed at all, and where that basis is consent it must be an affirmative opt-in. The CCPA does not require consent before collection; it requires businesses to offer a mechanism (such as a “Do Not Sell My Personal Information” link) for individuals to opt out of the sale of their data, with opt-in required only for consumers under 16.
Is the CCPA Stricter Than the GDPR?
Most professionals consider the CCPA to be less stringent than the GDPR. If your company has already undergone the journey to be GDPR-compliant, then adhering to the CCPA regulations should also be an easy adjustment. That said, GDPR compliance does not guarantee CCPA compliance. It’s crucial to understand the requirements of each law to assure that your systems and processes fully comply with both.
Does the GDPR ‘Cover’ the CCPA?
No. Compliance with one law does not equal compliance with the other. GDPR compliance gives a U.S. company a strong head start on the CCPA, but the CCPA protects a smaller, separate population with its own definitions (for example, “sale” and household-level data) and its own obligations. The CCPA also sets its own deadlines, such as the 45-day window for responding to consumer requests (the GDPR’s baseline is one month), and its own recurring duties, such as updating the privacy notice at least once every 12 months.
What Are the Similarities Between GDPR and CCPA?
Both laws are concerned foremost with data subjects’ rights and are structured to emphasize the rights of consumers rather than the restrictions on businesses. In addition, governments implemented these laws to allow for further transparency into and increased awareness of a person’s data lifecycle.
Each law guarantees a set of rights to data subjects. The GDPR guarantees eight rights, while the CCPA mentions only five. Four of the rights in the CCPA directly overlap with the GDPR:
- Right to know or be informed. Data subjects have the right to know that businesses plan on collecting their data before it happens.
- Right to access. Data subjects have the right to make access requests for their personal information.
- Right to erasure. Also known as the right to be forgotten, data subjects can request the deletion of their data.
- Right to object. There is a slight divergence in this right. The CCPA lets Californians opt out of the sale of their personal information, while the GDPR lets data subjects object to processing based on legitimate interests or a public task (including profiling) and to object at any time to direct marketing.
The CCPA expressly includes the right to service without discrimination. The GDPR does not state it as such, although experts consider the requirement implicit in the GDPR’s rules on consent and fairness. The GDPR also provides a right to rectification and a right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. The CCPA currently provides neither, but both are covered by the CPRA enhancements that take effect in 2023.
Automate GDPR and CCPA Compliance with ZenGRC
GDPR and CCPA compliance require internal controls, technology safeguards, comprehensive audits, and documentation. ZenGRC is a comprehensive platform to help you implement and maintain compliance with all your regulatory frameworks.
Automated workflows route consumer requests and track them through to completion, a critical capability for meeting the CCPA’s 45-day deadline. The platform also simplifies the tedious work of reviewing and maintaining opt-out and opt-in controls.
ZenGRC acts as a single source of truth so that all employees involved in GDPR and CCPA compliance can access the same documentation and reporting to support audits.
ZenGRC goes beyond checking the box. Contact us to schedule a demo and start down the worry-free path to GDPR and CCPA compliance.