CCPA vs. GDPR – How Do They Compare?
Don’t be under the impression that you are automatically in the clear of California Consumer Privacy Act (CCPA) requirements if you’ve already updated your site to be General Data Protection Regulation (GDPR) compliant. Of course, comparing the CCPA vs. GDPR is complex and confusing, especially when the CCPA is sometimes referred to as “California’s GDPR.”
It’s no wonder a lot of companies are left scratching their heads.
While it’s true that there are some similarities between the CCPA and the GDPR, there are also some crucial differences as well. So, while companies already GDPR compliant will have a leg-up on becoming CCPA compliant, there’s still work to do.
We have done some research to compare and contrast the CCPA vs. GDPR. Below, we’ll share our findings with you. However, we strongly suggest you consult with your legal and data security teams to answer any questions you may have while determining the best game plan for your CCPA compliance project.
A Quick Overview of the CCPA
Regardless of their location, certain businesses that collect personal information from California residents, vendors, and/or employees must meet specific requirements outlined in the CCPA. The legislation was passed in California in 2018 and officially went into effect on January 1, 2020.
In the language of the legislation, personal information is explained in depth. Under the CCPA, identifying information such as names, email and physical addresses, phone numbers, IP addresses, browsing history, and a long list of other data types are covered.
For a comprehensive list, read section 1798.140(o)(1) of the CCPA.
Further, the CCPA provides California residents with certain rights concerning their personal information that has been collected by businesses covered under the CCPA. For example, California residents have the right to access their personal information, in addition to the right to opt-out of allowing covered businesses to sell their information.
They may also request that a covered business delete their personal data. Beyond that, the CCPA also grants California residents the right to a class action, as well as statutory damages, should a covered company be the victim of a data breach.
A Quick Overview of the GDPR
The GDPR (short for General Data Protection Regulation) is European legislation covering all twenty-eight member states. It became effective in May of 2018.
The GDPR controls how companies (including organizations and websites) collect and use personal consumer data. Similar to the CCPA, the GDPR’s definition of personal data includes names, addresses, location data, and other types of personal information.
According to Cookiebot, the GDPR applies to any website, whether located in the EU or not, so long as the website is accessible by visitors from the EU.
CCPA vs. GDPR: A General Comparison
It’s not uncommon to hear people comparing the CCPA vs. GDPR. Fundamentally, they have similar goals–to provide access and deletion rights to consumers regarding their personal information and to require companies to be transparent about how they intend to use consumer data.
Let’s take a look at some of the key comparisons between the CCPA and the GDPR.
What Companies Need to Be CCPA and/or GDPR Compliant?
The CCPA applies to for-profit companies that do business in the state of California (whether they are based there or not) and meet at least one of the following thresholds:
- Earns $25M or more in annual gross revenue
- Collects, buys, sells, or shares personal information of 50,000 or more California consumers, households, or devices for business purposes
- Fifty percent or greater of their annual revenue is derived from the sales of personal information
Further, the CCPA applies to businesses that control, or are controlled by, another business covered under the CCPA. This includes entities that share branding, such as a name or trademark.
Lastly, certain parts of the CCPA apply specifically to third-party vendors and service providers.
According to Baker Law Firm, the GDPR applies to “data controllers and data processors.” The GDPR also adds the following statements regarding who must become GDPR compliant:
- Data controllers and data processors established in the EU who process personal information, whether the data is processed in the EU or not.
- Data controllers and data processors that are not based in the EU but process the personal data of EU data subjects in order to provide goods or services in the EU, or that use personal data as a means of monitoring their behavior.
CCPA vs. GDPR Covered Businesses Comparison
The key takeaway is that the GDPR is broader in what types of businesses, organizations, and websites must comply.
Who Does The CCPA Protect Compared to the GDPR?
The Future of Privacy Forum (FPF) states that the CCPA and GDPR are “fairly inconsistent” regarding who the pieces of legislation protect. However, this likely doesn’t come as a big surprise given that they come from two different countries.
“The CCPA protects ‘consumers’ who are natural persons and who must be California residents in order to be protected, whilst the GDPR protects ‘data subjects,’ who are natural persons and does not specify residency or citizenship requirements.” – Future of Privacy Forum
How Does The CCPA vs. GDPR Define Personal Information?
Under the CCPA, “personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Any categories of personal information described in subdivision (e) of Section 1798.80.
- Characteristics of protected classifications under California or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
Article 4(1) of the GDPR defines “personal data” as:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” – GDPR
CCPA vs. GDPR Personal Information Comparison
The CCPA and GDPR are very similar in what is considered personal information, according to Laura Jehl and Alan Friel, LLP. The biggest difference is that the CCPA includes personal information linked at the device or household level.
To help explain this a little better, we’ll refer once again to Baker Law, which explains the differences and similarities regarding privacy policies. Their take on it is that the CCPA and GDPR have “similar disclosure requirements, but differences in the specific information required and the delivery methods.”
Pillsbury Law also notes that both the CCPA and GDPR state that privacy policies must describe the purposes or uses for the information a covered company collects.
Do the CCPA and GDPR Have Different Security Requirements?
First, know that different primary regulators enforce the CCPA and GDPR. The GDPR is enforced by the Data Protection Authority, whereas the California Attorney General governs the CCPA.
They provide consumers similar rights if their personal information is affected in the event of a data breach. For example, they both give consumers the right to an action for data security breaches.
Positive Technologies notes that the CCPA states consumers can claim fines ranging from $100 to $750 per violation. Companies can also be fined $2,500 per violation, or $7,500 if the violation is found to be willful. However, the Attorney General must give companies 30 days’ notice of any noncompliance claim before actions and fines can be pursued.
The GDPR, however, offers fines as high as €20 million, or 4 percent of the company’s global revenue—whichever is larger.
What Are The Opt-Out Rights For the CCPA vs. GDPR?
There is actually a stark contrast in the opt-out right provided by the CCPA vs. GDPR. While it’s true that both require covered companies to receive customer consent, the methodology behind the two is different.
Login Radius states that the CCPA only requires businesses to provide consumers with the right to opt out. In contrast, the GDPR states consumers must opt-in before a business can collect their personal information.
How Do The GDPR and CCPA Handle Personal Information of Minors?
When comparing the CCPA vs. the GDPR, you’ll find that both have their own set of requirements regarding collecting personal information from children (minors). As Workable notes, the two pieces of legislation are significantly different in this respect.
The CCPA mirrors the United States Children’s Online Privacy Protection Act, also known as COPPA. Parental consent is required for businesses to collect personal information on anyone aged 13 years or younger. For children 13 to 16 years of age, the minors themselves can provide consent for a company to sell their personal data.
By contrast, the GDPR sets its age of consent at 16 years of age. So, according to GDPR standards, companies must obtain parental consent to collect personal information from anyone under the age of 16.
Final Thoughts On The CCPA vs. GDPR
During our research, we unearthed many interesting contrasts between the CCPA and the GDPR. One thing was obvious: both the CCPA and GDPR are extensive and complex.
We’ve said it once, but it bears saying again:
If you have any concerns or questions about CCPA or GDPR requirements, talk with your legal team in addition to your data security team. They will have a more thorough understanding of the requirements and what they mean for your company specifically.
When you’re ready to update your website, reach out to one of the web design experts here at 3 Media Web.