CCPA vs GDPR: just another sort of GDPR or something completely different?


We are getting close to the effective date of the California Consumer Privacy Act (CCPA), January 1st, 2020. The CCPA is widely considered the strictest privacy law in the US to date.

The CCPA is often described as a Californian GDPR, and the two laws do share a great deal, but they differ in important ways.

Both laws aim to give consumers greater privacy and more control over their personal information. Both regulate how "personal information" is "processed". Both apply to organizations outside their home jurisdiction that handle the data of people within it, and both protect "individuals" rather than companies.


But there are significant differences in the scope of each law, in what each requires, and in the impact each will have.

Key differences in "who" both laws apply to

The GDPR applies to "data controllers": anybody (a business, but equally a government body, a charity, or an individual acting outside purely personal or household activities) who decides why and how personal information is processed.

The CCPA applies only to for-profit businesses that do business in California and meet at least one of the following thresholds:

  • Annual gross revenues above $25 million
  • 50 % or more of annual revenues derived from selling consumers' personal information
  • Buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households and/or devices per year

Key differences in "how" each law applies

Although the CCPA is a major step for US privacy law, the GDPR is a much more extensive and robust piece of legislation.

In a nutshell, the CCPA's central concern is the sale of consumer personal information. It requires businesses to disclose, and keep up to date, the categories of personal information they have sold or disclosed for a business purpose in the preceding 12 months.

The CCPA also requires businesses to offer specific channels for consumer requests (e.g. a toll-free phone number) and, for businesses that sell personal information, a "Do Not Sell My Personal Information" page that lets consumers opt out of the sale of their information easily. Both your Privacy Policy and your homepage must link to this page.

The GDPR has a much broader scope:

  • The GDPR directly regulates the activities of data processors (known as "service providers" in the CCPA, which only constrains them indirectly, through the contract terms a business must impose on them)
  • It aims to bring more consistent privacy and data protection standards across the geographic area over which it applies
  • It provides a set of six principles to which all processing of personal information must adhere, e.g. “data minimization” and “purpose limitation”
  • The GDPR provides a set of six legal bases under which all personal information processing must take place (like where the consent of the individual has been gained, or where there is a legal obligation).
  • The GDPR also specifies a set of generic measures that should be taken regarding data security
  • Some organizations are required to appoint a data protection officer
  • The GDPR empowers local in-country data protection authorities to enforce privacy law
  • It defines procedures to set up data protection certification schemes and codes of conduct
  • It details the conditions under which data can be transferred outside the EU/EEA

At the same time, the CCPA also includes some specific demands on businesses that are not included in the GDPR.


Main differences in detail in the Privacy Policy

Both the CCPA and the GDPR require organizations to have an easily accessible and readable Privacy Policy. Failing to provide one is itself a violation.

CCPA Privacy Policy

The CCPA Privacy Policy requirements centre on the sale of personal information. The policy must explain how a consumer can:

  • Know what personal data you hold about them
  • Get access to that data without charge
  • Understand whether you sell or share their data (to/with whom)
  • Demand that you don’t sell their data
  • Demand that you delete their data
  • Receive the same services at the same price after exercising any of these rights (the CCPA's non-discrimination rule)

A business that does not sell personal information should say so explicitly in its Privacy Policy.

GDPR Privacy Policy

The GDPR requires a data controller to disclose information in its Privacy Policy that the CCPA does not mention, the most important being:

  • The name and contact details of the data controller and, where one has been appointed, its data protection officer
  • The recipients or categories of recipients with whom personal information may be shared
  • How long personal information will be stored, or the criteria used to determine that period

It's all about control over Personal Information

Both laws treat personal information as something the individual should be able to control. The GDPR provides a broader set of rights that give individuals a high degree of control over their personal information. The CCPA provides some of these rights, but with more exemptions for businesses.

Both laws grant a right of access: a consumer can request which categories and which specific pieces of personal information are being processed, for what purpose, and to whom that information is sold or shared. The CCPA also allows consumers to request the deletion of their personal information.

The CCPA requires a business to let consumers opt out of the sale of their information; until they do, selling is permitted. The GDPR works the other way round: every processing activity needs a legal basis (such as consent) before it starts, so businesses cannot assume they have permission to do anything with the personal information they process.

For children the CCPA takes the GDPR's opt-in approach: a business may not sell the personal information of a consumer it knows to be under 16 without affirmative opt-in consent (from the child if aged 13 to 16, from a parent or guardian if under 13), and that consent cannot be assumed.

Key differences in penalties and fines

The GDPR and the CCPA differ substantially in how they handle penalties and fines. The CCPA is enforced via:

  • Civil penalties in cases brought by the California Attorney General:
    • Up to $2,500 per unintentional violation
    • Up to $7,500 per intentional violation
  • Private legal claims brought by consumers following a data breach caused by a business's failure to implement reasonable security measures, where they can recover between $100 and $750 per consumer per incident, or actual damages if greater

The GDPR is enforced via:

  • Penalties issued by data protection authorities:
    • Warnings and other non-financial measures
    • For some violations, up to 10 million euro or 2 % of the company's annual worldwide turnover, whichever is higher
    • For more serious violations, up to 20 million euro or 4 % of the company's annual worldwide turnover, whichever is higher
  • Private legal claims for compensation against data controllers or processors, and judicial remedies against data protection authorities. No maximum amount is specified for such claims.


For more detailed information we would advise you to get specialized legal advice. This document is not meant as legal guidance, nor was it ever intended to be 100% complete.