CCPA vs GDPR: How is CCPA different from GDPR?

Importance of Data Protection Regulations

With every business and individual moving online, data has become extremely valuable. The abilities and prospects of retrieving distinct categories of personal data are also advancing at a terrifying pace. Irresponsible or unauthorized collection, management, or processing of information can result in disaster for individuals (data subjects) as well as companies. Therefore, it is crucial to have data protection regulations in place and its compliance. Non-compliance with these regulations may bring along hefty monetary or other penalties. The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two such regulations.

GDPR went into effect on 25 May 2018 and CCPA) came into effect on 1 January 2020. Both regulations aim to guarantee the robust security of people regarding their personal data. These regulations apply to all the businesses that collect, use, or share consumer data irrelevant to the collection method (online or offline).

Both the laws bear many similarities including things like the definition of certain terminologies, the inclusion of rights to access personal data, and the establishment of added data security for people who are below 16 years of age.

CCPA differs from GDPR in many significant ways like rules related to accountability, extent, and nature of data collection limitations, and the scope of application. Let us dig into these similarities and differences in detail for better understanding. This information will help you in staying updated with the latest laws and regulations and revise your business policies accordingly.

Image Credit: Riskonnect

Similarities & Differences between CCPA and GDPR

Similarities in Scope – Personal, Territorial & Material

• Both the CCPA and the GDPR has extraterritorial scope.
• The GDPA and CCPR both protect individuals as a natural person and not a legal person.
• Under both the regulations, a controller or a covered business is defined by the fact that it establishes the means and purpose of processing.
• GDPR and CCPA may apply to businesses providing services to law enforcement or national security agencies but none of them is applicable in the law enforcement and national security areas.

Differences in Scope – Personal, Territorial & Material

• Any organization that fits under the definition of a business (example: deals with the data of 50,000 Californians or more annually, annual revenue is more than $25 million or half of its annual revenue is earned by selling data of California residents.) is obligate to comply with the CCPA. GDPR applies to all the websites and companies (data controllers) if they provide goods or services to people within Europe.
• CCPA protects individuals who fall under its definition of a consumer as being a California resident. It covers only those individuals who are permanent residents and not temporary or transitory. GDPR protects any individual or data subject who is present in the European Union at the time of data collection or processing.
• CCPA applies only for businesses that are for-profit while GDPR applies to data controller either for profit or not.

Similarities in Definitions

• GDPR and CCPA both have broadly defined the definitions of Personal Data.
• GDPR and CCPA both have a similar definition of “Pseudonymisation.” It is the processing of personal information or data in a manner that it can no longer be attributed to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.
• GDPR defines a data controller as a body that determines the purpose and means of processing consumers’ personal information. CCPA has a similar definition of a business (a for-profit entity).
• GDPR’s data processor and CCPA service provider is defined as authority or individual that processes the data on behalf of the controller or CCPA-covered business respectively.
• Both regulations provide data subjects with the right to bring an action against the processor in case the controller of service provider has failed in their contractual obligations.
• Neither GDPR nor CCPA has a definition of a child. However, under both the regulations consent is needed to sell the information of people below 16 years of age.
• The CCPA and GDPR both broadly define the term research. Both the regulations provide for further processing of data if it is compatible with the initial business purpose.

Differences in Definitions

• GDPR has a specific definition of sensitive data (special categories of data) and it also forbids processing of such data, unless one of the specific exemptions applies. The CCPA defines “biometric data,” which has certain elements of the GDPR’s definition of sensitive data. Information like DNA, fingerprints, and iris scans. The CCPA does not create an extra protective scheme for this category of data.
• As per GDPR, the controller has to reidentify a dataset by providing additional information enabling identification of the data subject to comply with the requests for the rights of the data subject. According to CCPA business is not required to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.
• Under GDPR, data processors are obligated to keep records of data processing activities, implement appropriate technical and organizational data protection measures, undertake data protection impact assessments before the processing, appoint a data protection officer, and notify data controller in case of a data breach. Under CCPA, the service provider must not further collect, sell, or use the data of the consumer except as necessary to perform the business purpose.
• The CCPA stipulates an exception for businesses that did not have actual knowledge of a child’s age. GDPR does not provide for an exception for a controller that is unaware if they are catering services to a child.
• GDPR applies to clinical trials. CCPA excludes clinical trials from its scope of application.

Similarities in Legal

• GDPR and CCPA both allow data subjects to opt-out. Under both the regulations if individuals withdraw the consent, then businesses will not be able to disclose or sell the data further.

Differences in Legal

• The GDPR states that data controllers can only process personal data when there is a legal ground for it. The CCPA does not list the legal grounds based on which businesses can collect and sell personal information.

Similarities in Rights

Right to Erasure:

• Under both the GDPR as well as the CCPA individuals can request the deletion of their personal information, unless exceptions apply.
• As per GDPR and CCPA, the scope of this right is not limited to the data controller or business, but also impacts third parties, such as recipients, data processors, sub-processors or to whom data has been sold/ passed on. This right can be exercised free of charge.
• The GDPR and CCPA both specify that data controllers must have mechanisms in place to ensure that the request is made by the data subject whose personal data is to be deleted.
• As per GDPR and CCPA, the privacy notice must inform consumers that they are entitled to ask for the deletion of their personal information.

Right of Access:

• In both the regulations, when responding to an access request, a service provider or data controller needs to specify the purposes of the data processing, the categories of personal data concerned, the third party to whom personal data have been disclosed, and sources from which data was collected.

Right not to be subject to discrimination for the exercise of rights:

• The CCPA clearly specifies the right not to be subject to discrimination for the exercise of rights. The GDPR doesn’t mention this right explicitly, however, some obligations can be found in the GDPR that are based on the same principle.

Right to data portability:

• Both regulations provide data subjects or individuals with the right to receive their data processed based on contract or consent in a “structured, commonly used, and machine-readable format” and with the right to transmit that data to another service provider without limitation.

Differences in Rights

Right to Erasure:

• In GDPR, the right to erasure applies when consent is withdrawn and there is no other legal base for processing, or when data is no longer necessary for the intent for which it was collected. The CCPA does not limit the scope of this right to specific situations, categories of personal information, or purposes.

Right to Information:

• In CCPA, the right to information states that information about the categories of personal information collected/sold/disclosed for business purposes in the previous one year must be provided to individuals. If no personal information was sold, that should be mentioned in the privacy policy. GDPR provides a detailed list of things that needs to be shared with the data subjects.This list includes the identity of the controller, contact details of the data protection officer, the legitimate interest of the data controller or the third party, the recipients or categories of personal data, transfer of data to third parties, data retention period, the right to withdraw consent at any time, the right to complain to a supervisory authority and more.

Right to object (right to opt-out)

• According to GDPR, the data controller would have to stop using the subject’s personal data unless it proves that there are convincing legitimate grounds to continue the processing. However, in CCPA, the service provider will not be able to sell data in case the individual withdraws the consent.
• In CCPA businesses have to use the language provided by the regulation. The homepage of their website must have a link titled ‘Do Not Sell My Personal Information.’ In GDPR, there is no such restriction.

Right of Access

• In CCPA, the right of access applies only to personal information collected in the 12 months before the request. In GDPR, the right of access applies to all the personal data collected and processed about the individual making the request.

Similarities in Enforcement

• Both laws mention the possibility of monetary penalties to be issued in cases of non-compliance.
• Both the GDPR and the CCPA provide individuals with a cause of action to seek damages for violation of privacy laws with regards to security measures violations and data breaches.

Differences in Enforcement

• In GDPR administrative fines can be directly issued by a data protection authority. In CCPA, the penalty is issued by a court.
• In CCPA, the monetary penalty of a maximum of $2,500 for each violation or up to $7,500 for each intentional violation can be levied. This exact amount of fine will depend on the violation occurred. In GDPR, depending on the violation the penalty may be up to either 2% of global annual turnover or €10 million, whichever is higher or 4% of global annual turnover or €20 million, whichever is higher.
• In GDPR, the data protection authorities have investigatory and corrective powers. In CCPA, the attorney general has the power to assess alleged violations and to bring an action before the court for civil penalties, which include monetary penalties and injunctions.
• Any violation of the GDPR can trigger the claim for judicial remedies. Data subjects can claim both material and non-material damages. In CCPA, the judicial remedy is only allowed when non-encrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of security obligations.

What needs to be done for CCPA if you are already compliant with GDPR?

As GDPR came into effect before CCPA, many businesses whose customers cater to European regions are compliant with GDPR but not CCPA. In case your business is within the defined parameters of GDPR, then you need to take the following measures to update your business operations and policies as per the CCPA regulation:

Privacy Policy Disclosures

Businesses need to revise their privacy policies and clearly specify the kind of information that is being collected about the consumers. They need to add the purpose for which they are collecting the said information. CCPA also requires websites to update their privacy policy every year and the disclosures must include the activities of the prior 12 months.

Data Sales Practices and Opt-Out

The home page must have an opt-out checkbox or hyperlink that is clearly visible and clickable showing the message “Do Not Sell My Personal Data”. CCPA defines sale as any form of data disclosure, in any format, to any other third party in exchange for money or other valuable consideration.

“Other valuable consideration” extends the definition of sale to many indirect activities like sharing data for analytics and paying the third party for that service. It requires businesses to facilitate and honor individuals’ requests to opt-out of such sales.

Additional On-Demand Disclosure Rights

A separate landing page must be created for data subjects for raising requests on accessing, altering, or erasing their personal information. Businesses must provide at least two methods for the consumers to raise any such request. Businesses are required to authenticate the identity of requesting individuals and respond to such requests within 45 days.

In case, they aren’t able to respond within the designated period or will not be able to fulfill the request of the data subjects, they will have to provide appropriate reasoning for the same otherwise the subjects will have the right to file a judicial case.

Data Collection Practices

As per CCPA policies, businesses must disclose their data collection practices along with providing the appropriate reasons for requesting an individual’s specific personal data. The disclosure must include:

• Description of the categories of personal information collected by the business in the 12 months prior to the request,
• Sources of the data, whether the data was shared for a business purpose or sold, and
• Categories of third parties receiving the data.

Non-discrimination and Enforcement

A non-discrimination guarantee along with the data collection policy must be provided. CCPA also protects those consumers who use their rights under the statute by prohibiting a business from discriminating against such individuals.

As per CCPA, businesses cannot deny any services or products, or offer different rates or discounts to these consumers. The CCPA is enforced by the California Attorney General. People have a right to sue a business under the CCPA to enforce violations relating to a data security breach.

All the above-mentioned requirements of CCPA are not applicable in cases of “medical information” subject to the California Confidentiality of Medical Information Act (CMIA) or to “protected health information” collected by covered entities and business associates under the HIPAA Privacy, Security and Breach Notification Rules.

Data collected, processed, sold, or disclosed under the federal Gramm-Leach-Bliley Act or the California Financial Information Privacy Act is also exempted from CCPA rules and regulations.