CCPA and GDPR: An Overview and Comparison of the Laws

Does your online business handle consumer data in any way? Then questions about data protection laws such as the CCPA and GDPR have probably been on your mind, at least once your business starts growing.

You may already have an idea of what they require. Still, you may hold a few misconceptions, or want to clear up questions such as "is it really essential to appoint a data protection officer?" or "does GDPR compliance cover the CCPA?".

So let me help you sort things out with a comparative summary.

CCPA and GDPR: At a glance

California Consumer Privacy Act (CCPA)

The CCPA was signed into law by Governor Jerry Brown on June 28, 2018, and took effect on January 1, 2020.

The CCPA is the first comprehensive state-level consumer privacy law in the United States. It grants California residents rights over how businesses collect, use, and sell their personal information.

Here are the basic criteria that determine whether the CCPA applies to your business. A for-profit business that does business in California, collects California consumers' personal information, and meets any one of the following is covered:
  1. Annual gross revenues exceeding twenty-five million dollars ($25,000,000).
  2. Annually buys, sells, shares, or receives, alone or in combination, the personal information of 50,000 or more California consumers, households, or devices.
  3. Derives 50% or more of its annual revenues from selling California consumers' personal information.

Civil penalties for non-compliance, assessed by the California Attorney General, are up to $2,500 per unintentional violation and up to $7,500 per intentional violation. Separately, Section 1798.150 gives consumers a private right of action, with statutory damages, for data breaches caused by a business's failure to maintain reasonable security.

General Data Protection Regulation (GDPR)

The GDPR (Regulation (EU) 2016/679) was adopted by the European Parliament and the Council of the European Union in April 2016 and became enforceable on 25 May 2018.

The regulation harmonizes data protection rules across the EU so that businesses operate under a single set of obligations, with the aim of protecting the personal data of their customers and website users.

Remember, your business does not have to be physically located in the EU to be subject to the GDPR. Under Article 3, it applies to any organization established in the EU, and to organizations outside the EU that offer goods or services to individuals in the EU (whether or not payment is required) or monitor their behaviour, for example by tracking EU visitors on a website.

Violators can be fined up to €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher.

CCPA and GDPR: Side-by-side comparison

Each factor below is given for the CCPA first and the GDPR second.

Enforcement date

CCPA: January 1, 2020.
GDPR: May 25, 2018.

To whom does the legislation apply?

CCPA: Any for-profit organization doing business in California that collects California consumers' personal information and meets any of the conditions below:
  • Annual gross revenues exceeding twenty-five million dollars ($25,000,000).
  • Annually buys, sells, shares, or receives, alone or in combination, the personal information of 50,000 or more California consumers, households, or devices.
  • Derives 50% or more of its annual revenues from selling California consumers' personal information.
GDPR: Any organization, wherever located, that processes personal data of individuals in the European Union, if it is established in the EU or if it offers goods or services to, or monitors the behaviour of, those individuals (Art. 3). Protection attaches to people in the EU, not to EU citizenship.

What kind of personal information/personal data is protected?

CCPA: According to California Civil Code Section 1798.140(o)(1)-(2),
  • "Personal information" is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
  • Personal information does not include "publicly available" information that is lawfully made available from federal, state, or local government records.
GDPR: According to Art. 4(1) GDPR, "personal data" is any information relating to an identified or identifiable natural person (the data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Note that the CCPA's coverage of households and devices has no GDPR counterpart.

Penalties for non-compliance

CCPA: Civil penalties of up to $2,500 per unintentional violation and up to $7,500 per intentional violation, enforced by the California Attorney General. Consumers also have a private right of action for certain data breaches (Section 1798.150), with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.
GDPR: For the more serious infringements (for example of the basic principles, data subject rights, or international transfer rules), up to 4% of worldwide annual turnover for the preceding financial year or €20 million, whichever is higher. For other infringements (for example of controller and processor obligations such as security, records of processing, and breach notification), up to 2% of worldwide annual turnover or €10 million, whichever is higher.

Consumer rights / rights of the data subject

Rights of the consumer under the CCPA:
  • Right to know (access) what personal information is collected, and whether it is sold or disclosed and to whom.
  • Right to portability (information provided in response to an access request must be in a readily usable format).
  • Right to deletion.
  • Right to notice at or before the point of collection.
  • Right to opt out of the sale of personal information.
  • Right to non-discrimination for exercising these rights.
Rights of the data subject under the GDPR:
  • Right to be informed (Arts. 13 and 14).
  • Right of access (Art. 15).
  • Right to rectification (Art. 16).
  • Right to erasure, the "right to be forgotten" (Art. 17).
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20).
  • Right to object (Art. 21).
  • Rights in relation to automated individual decision-making, including profiling (Art. 22).

Is prior consent necessary?

CCPA: No. The CCPA does not require prior consent to collect or process personal information (the one exception is the opt-in required before selling the personal information of consumers under 16). Businesses must instead give notice at collection and offer an opt-out from the sale of personal information.
GDPR: Every processing operation needs a lawful basis under Art. 6, established before processing begins. Consent is only one of the six bases (the others are contract, legal obligation, vital interests, public task, and legitimate interests), so prior consent is not always required. Where consent is relied on, it must be freely given, specific, informed, and unambiguous (Art. 4(11)), and the controller must be able to demonstrate that it was given (Art. 7).

Opt-out rights

CCPA: According to California Civil Code Section 1798.135(a)(1), a business that sells personal information must provide a clear and conspicuous link on its website homepage titled "Do Not Sell My Personal Information" that lets consumers opt out of the sale of their personal information, and it must honour that choice.
GDPR: Where processing is based on consent, the data subject may withdraw consent at any time, and withdrawing must be as easy as giving it (Art. 7(3)). Where processing is based on legitimate interests or a public task, the data subject may object (Art. 21); an objection to direct marketing, including profiling for it, must always be honoured.

Cookie consent requirement

CCPA: The CCPA does not require opt-in cookie consent. It does require businesses to disclose, at or before collection, what categories of information cookies and similar trackers collect and for what purposes, and, where passing that information to third parties amounts to a "sale", to honour the "Do Not Sell My Personal Information" opt-out.
GDPR: The opt-in requirement for cookies actually comes from Article 5(3) of the ePrivacy Directive (2002/58/EC), which requires consent before storing or reading information on a user's device except for cookies that are strictly necessary to provide a service the user requested; since 25 May 2018 that consent must meet the GDPR standard. In practice, websites must obtain opt-in consent before setting any non-essential cookies or running other tracking mechanisms, and silence, pre-ticked boxes, or continued browsing do not count as consent (Recital 32).

Protection of children's online data

CCPA: A business may not sell the personal information of a consumer it knows to be under 16 without opt-in consent (Section 1798.120(c)):
  • Consumers aged 13 to 15 may give that opt-in consent themselves.
  • For children under 13, the opt-in must come from a parent or guardian.
GDPR: Under Art. 8, where consent is the lawful basis for offering an information society service directly to a child, consent must be given or authorised by the holder of parental responsibility for children under 16. Member states may set a lower age in national law, but not below 13, so the threshold is 13, 14, 15, or 16 depending on the member state.

Handling of data breaches

CCPA: Breach notification in California is governed by the state's separate breach notification law rather than by the CCPA itself. Under it, any state agency (California Civil Code Section 1798.29(a)) or person/business (Section 1798.82(a)) that owns or licenses computerized personal information:
  • must notify affected California residents, in the most expedient time possible and without unreasonable delay, when their unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person (or encrypted information together with its key or credential);
  • if a single breach requires notifying more than 500 California residents, must also submit a single sample copy of the notification to the California Attorney General.
The CCPA adds the private right of action in Section 1798.150: consumers whose nonencrypted and nonredacted personal information is exposed because the business failed to implement reasonable security can sue for $100 to $750 per consumer per incident or actual damages, whichever is greater. Encrypting stored personal information therefore takes a breach outside both the notification duty and the statutory-damages exposure, provided the key was not also compromised.
GDPR: Under Art. 33, the controller must notify the competent supervisory authority (the authority of the member state in which it is established; the Information Commissioner's Office plays this role only for the United Kingdom) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Under Art. 34, affected data subjects must be told without undue delay when the breach is likely to result in a high risk to their rights and freedoms; this is not required if the data was rendered unintelligible to anyone not authorised to access it, for example by encryption. Processors must notify their controller without undue delay (Art. 33(2)).

Conclusion

Online data privacy laws such as the CCPA and GDPR have changed the way businesses operate across the web. The GDPR has had a drastic, long-lasting impact on the data practices of online businesses worldwide. The CCPA is likely to have a global impact as well, since California's economy ranks fifth in the world as of this writing.

If your business is GDPR-compliant, much of the CCPA work is already done, since the GDPR is among the most comprehensive and strictly enforced data protection laws in the world. It is not a full overlap, though: the CCPA's "Do Not Sell My Personal Information" link, its treatment of households and devices as part of personal information, its notice-at-collection requirement, and its private right of action for breaches have no direct GDPR equivalents, while the GDPR's lawful-basis and data protection officer requirements have none in the CCPA. If your business falls under the scope of both, verify compliance against each law separately.


Disclaimer:
This article is intended for informational purposes only and does not constitute any form of legal advice. Seek advice from a subject matter expert or your own attorney on the CCPA and GDPR legislation.