GDPR and CCPA Comprehensive Comparison
GDPR and CCPA Introduction
The EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) took effect on May 25, 2018 and replaced the EU Directive and its member state implementing laws.
On June 28, 2018, California became the first U.S. state with a comprehensive consumer privacy law when it enacted the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020, with some exceptions (Cal. Civ. Code §§ 1798.100-1798.199). Given their comprehensiveness and broad reach, each law may have a significant impact on entities that collect and process personal data.
The CCPA grants California residents new rights regarding their personal information and imposes various data protection duties on certain entities conducting business in California. While it incorporates several GDPR concepts, such as the rights of access, portability, and data deletion, there are several areas where the CCPA requirements are more specific than those of the GDPR, and others where the GDPR goes beyond the CCPA requirements.
GDPR and CCPA Key Requirements Comparison
Who is Regulated under GDPR and CCPA?
Who is Regulated under GDPR
Data controllers and data processors:
- Established in the EU that process personal data in the context of activities of the EU establishment, regardless of whether the data processing takes place within the EU.
- Not established in the EU that process EU data subjects’ personal data in connection with offering goods or services in the EU, or monitoring their behavior.
Who is Regulated under CCPA?
Any for-profit entity doing business in California that meets one of the following:
- Has a gross revenue greater than $25 million.
- Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The law also applies to any entity that either:
- Controls or is controlled by a covered business.
- Shares common branding with a covered business, such as a shared name, service mark, or trademark.
Who is Regulated under GDPR and CCPA Comparison
The scope and territorial reach of the GDPR are much broader. Substantially different in the parties regulated.
Who is Protected under GDPR and CCPA?
Who is Protected under GDPR?
Data subjects, defined as identified or identifiable natural persons to whom personal data relates.
Who is Protected under CCPA?
Consumers, defined as California residents who are either:
- In California for other than a temporary or transitory purpose.
- Domiciled in California but are currently outside the State for a temporary or transitory purpose.
Consumers include:
- Customers of household goods and services.
- Employees.
- Business-to-Business transactions.
Who is Protected under GDPR and CCPA Comparison
Substantially different in approach, but similarly broad in effect.
Both laws focus on information that relates to an identifiable natural person; however, the definitions differ.
Both have potential extraterritorial effects that businesses located outside the jurisdiction must consider.
Aggregated Data
Anonymous, Deidentified, Pseudonymous, or Aggregated Data.
Aggregated Data in GDPR
Pseudonymous data is considered personal data. Anonymous data is not considered personal data.
While the GDPR does not mention deidentified data, the CCPA definition is similar to GDPR’s concept of anonymous data.
Aggregated Data in CCPA
The CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose consumer information that is deidentified or aggregated.
However, the CCPA establishes a high bar for claiming data is deidentified or aggregated.
Pseudonymous data may qualify as personal information under the CCPA because it remains capable of being associated with a particular consumer or household. However, the statute does not clearly categorize or exclude pseudonymous data as personal information.
Aggregated Data in GDPR and CCPA Comparison
The CCPA and GDPR pseudonymization definitions are very similar and both require technical controls to prevent reidentification to qualify.
The CCPA primarily discusses pseudonymization in the context of using personal information collected from a consumer for other purposes, such as research. It does not appear to help businesses generally avoid the CCPA’s requirements.
Privacy Notice / Information Right
Privacy Notice / Information Right in GDPR
Data controllers must provide detailed information about their personal data collection and data processing activities. The notice must include specific information depending on whether the data is collected directly from the data subject or from a third party.
Privacy Notice / Information Right in CCPA
Businesses must inform consumers about:
- The personal information categories collected.
- The intended use purposes for each category.
Further notice is required to:
- Collect additional personal information categories.
- Use collected personal information for unrelated purposes.
The CCPA requires that businesses provide specific information to consumers and establishes delivery requirements.
Third parties must also give consumers explicit notice and an opportunity to opt out before re-selling personal information that the third party acquired from another business.
Privacy Notice / Information Right in GDPR and CCPA Comparison
Similar disclosure requirements, but differences in the specific information required and the delivery methods.
The CCPA notice requirements on personal information disclosed or sold to third parties only cover the 12 months preceding the request.
Security
Security in GDPR
The GDPR requires data controllers and data processors to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Security in CCPA
The CCPA does not directly impose data security requirements. However, it does establish a right of action for certain data breaches that result from violations of a business’s duty, arising from existing California law, to implement and maintain reasonable security practices and procedures appropriate to the risk.
Security in GDPR and CCPA Comparison
Substantially similar in statutory approach though reasonable security measures may vary to some extent according to an organization’s circumstances and regulator interpretation.
Opt-Out Right for Personal Information Sales
Opt-Out Right for Personal Information Sales in GDPR
The GDPR does not include a specific right to opt-out of personal data sales. However, the GDPR does contain other rights a data subject may use to obtain a similar result in certain circumstances. For example, it does permit data subjects, at any time, to:
- Opt-out of processing data for marketing purposes.
- Withdraw consent for processing activities. This allows data subjects to opt-out of third-party sales that support marketing purposes or rely on consent for their legal processing basis.
Opt-Out Right for Personal Information Sales in CCPA
Businesses must enable and comply with a consumer’s request to opt-out of the sale of personal information to third parties, subject to certain defenses.
Businesses must include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on their website homepage.
Businesses must not request reauthorization to sell a consumer’s personal information for at least 12 months after the person opts out.
Opt-Out Right for Personal Information Sales in GDPR and CCPA Comparison
Substantially different.
Children Protection
Children Protection in GDPR
The GDPR’s default age for consent is 16, although individual member state law may lower the age, but to no lower than 13. The person with parental responsibility must provide consent for children under the consent age.
Children must receive an age appropriate privacy notice.
Children’s personal data is subject to heightened security requirements.
Children Protection in CCPA
The CCPA prohibits selling personal information of a consumer under 16 without consent.
Children aged 13 – 16 can directly provide consent. Children under 13 require parental consent.
Importantly, protections provided by the federal Children’s Online Privacy Protection Act (COPPA) still apply on top of the CCPA’s requirements.
Children Protection in GDPR and CCPA Comparison
Substantially different requirements, other than ages involved. The CCPA only requires parental consent for personal data sales, while GDPR’s parental consent requirement applies to all processing consent requests.
Right of Disclosure or Access
Right of Disclosure or Access in GDPR
Data subjects have a right to access their personal data, including receiving a copy and to obtain certain information about the data controller’s processing.
Right of Disclosure or Access in CCPA
Consumers have a right to request disclosure of their personal information, and to receive additional details regarding the personal information a business collects and its use purposes, including any third parties with which it shares information.
Right of Disclosure or Access in GDPR and CCPA Comparison
Broadly similar rights of disclosure/access. The CCPA’s right is only to obtain a written disclosure of the information.
The GDPR allows broader access, which is not limited to a written disclosure in a portable format.
Right of Data Portability
Right of Data Portability in GDPR
The GDPR includes a new right to data portability to:
- Receive a copy of the personal data in a structured, commonly used and machine-readable format.
- Transmit the personal data to another data controller (including directly by another data controller where possible).
Right of Data Portability in CCPA
In response to a request for disclosure, a business must provide personal information in a readily usable format that enables the consumer to transmit the information from one entity to another without hindrance.
Right of Data Portability in GDPR and CCPA Comparison
Broadly similar rights. The GDPR provides a specific right to request a data controller to transfer their personal data to another data controller.
Right to Deletion / Erasure (The Right to be Forgotten)
Right to Deletion / Erasure (The Right to be Forgotten) in GDPR
Data subjects have the right to request erasure of personal data under six circumstances (the right to be forgotten). Data controllers must also take reasonable steps to inform any other data controllers also processing the data.
Right to Deletion / Erasure (The Right to be Forgotten) in CCPA
A consumer has the right to deletion of personal information a business has collected, subject to certain exceptions. The business must also instruct its service providers to delete the data.
Right to Deletion / Erasure (The Right to be Forgotten) in GDPR and CCPA Comparison
Similar data deletion rights.
The GDPR right only applies if the request meets one of six specific conditions while the CCPA right is broad.
However, the CCPA also allows businesses to refuse the request on much broader grounds than the GDPR.
The GDPR’s obligation to inform downstream data recipients of the person’s deletion request is also broader.
Right of Rectification
Right of Rectification in GDPR
The GDPR grants data subjects the right to:
- Correct inaccurate personal data.
- Complete incomplete personal data.
Right of Rectification in CCPA
None.
Right of Rectification in GDPR and CCPA Comparison
Substantially different.
Right to Restrict Processing
Right to Restrict Processing in GDPR
Right to restrict processing of personal data, under certain circumstances.
Right to Restrict Processing in CCPA
None, other than the right to opt-out of personal information sales.
Right to Restrict Processing in GDPR and CCPA Comparison
Substantially different.
Right to Object to Processing
Right to Object to Processing in GDPR
Right to object to processing for profiling, direct marketing, and statistical, scientific, or historical research purposes.
Right to Object to Processing in CCPA
None, other than the right to opt-out of personal information sales.
Right to Object to Processing in GDPR and CCPA Comparison
Substantially different.
Right to Object to Automated Decision-Making
Right to Object to Automated Decision-Making in CCPA
None.
Right to Object to Automated Decision-Making in GDPR
Data subjects have the right not to be subject to automated decision-making, including profiling, which has legal or other significant effects on the data subject, subject to certain exceptions.
Right to Object to Automated Decision-Making in GDPR and CCPA Comparison
Substantially different.
Non-Discrimination
Non-Discrimination in GDPR
It is implicit in the GDPR that organizations cannot discriminate against a data subject who exercises their rights, for example through provisions prohibiting processing that adversely affects the rights and freedoms of data subjects.
Non-Discrimination in CCPA
A business must not discriminate against a consumer because they exercised their rights.
However, a business may charge differently if that difference reasonably relates to the value provided by the consumer’s data.
Businesses may also offer financial incentives if they are disclosed in their terms or online privacy policy, and such incentives require opt-in consent.
Non-Discrimination in GDPR and CCPA Comparison
Similar idea, different obligations.
Responding to Rights Requests
Responding to Rights Requests in GDPR
A data controller must:
- Verify the identity of a data subject before responding to a request.
- Respond to requests without undue delay and at the latest within one month, extendable by up to two more months if necessary, after notifying the data subject.
- Give reasons if the data controller does not comply with any requests. Requests do not have to be free to data subjects.
Responding to Rights Requests in CCPA
A business must:
- Comply with a verifiable consumer request (as defined in Cal. Civ. Code 1798.140(y)).
- Respond within 45 days after receipt, potentially extendable once for another 45 or 90 days on notification to the consumer.
- Inform the consumer of the reasons for not taking action.
- Provide the information free of charge, unless the request is manifestly unfounded or excessive.
Consumers may only make most information requests twice a year and only for a 12-month look-back period. There are no limits on deletion and “do not sell” requests.
Responding to Rights Requests in GDPR and CCPA Comparison
Substantially similar.
Penalties (Private Rights of Action)
Penalties (Private Rights of Action) in GDPR
The GDPR establishes a private right of action for material or non-material damage caused by a data controller’s or data processor’s breach of the GDPR.
Penalties (Private Rights of Action) in CCPA
The CCPA establishes a narrow private right of action for certain data breaches involving a subset of personal information. However, the CCPA grants companies a 30-day period to cure violations, if possible.
Consumers may seek the greater of actual damages or statutory damages ranging from $100 to $750 per consumer per incident.
Courts may also impose injunctive or declaratory relief.
Penalties (Private Rights of Action) in GDPR and CCPA Comparison
Substantially different in scope, but violations of either may potentially result in significant economic liability.
Penalties (Civil Fines)
Penalties (Civil Fines) in GDPR
Administrative fines can reach EUR 20 million or 4% of annual global revenue, whichever is higher.
EU Member States can impose their own penalties applicable to infringements of the GDPR that are not subject to administrative fines under Article 83, GDPR.
Penalties (Civil Fines) in CCPA
The California AG may bring actions for civil penalties of $2,500 per violation, or up to $7,500 per violation if intentional. However, the CCPA also grants businesses a 30-day cure period for noticed violations.
Penalties (Civil Fines) in GDPR and CCPA Comparison
Approach to calculating fines differs, but violations of either may potentially result in significant economic liability.