April 25, 2019

GDPR vs. CCPA: Understand the Differences


Thanks to the growing number of data breaches around the globe, data privacy laws have become a hot topic in any data security conversation. Whether under the EU General Data Protection Regulation (GDPR) or under the soon-to-be-implemented California Consumer Privacy Act (CCPA), protection of consumer data has become a key area of concern, especially for businesses that rely heavily on customer data.

Soon after the GDPR came into force last year, California’s Governor Jerry Brown signed the CCPA, enacting the most robust consumer data privacy law the US has ever seen. While it’s true that 2018 proved to be a landmark year for data protection laws, reported cyber attacks jumped by 32 percent during the first three months of 2018 compared to the same period in 2017, according to a Positive Technologies report.

This report indicates that data breach incidents are likely to keep escalating in the coming months, and yet a considerable number of businesses are unclear about how to get ready for the new privacy laws. What is the CCPA all about? How is it different from the GDPR? And does GDPR compliance mean the same thing as CCPA compliance? Since the CCPA bears a lot of resemblance to Europe’s GDPR (at least regarding the definition of certain terminology, the establishment of additional protections for individuals under 16 years of age, and the inclusion of rights to access personal information), many organizations are under the false impression that complying with the GDPR ensures compliance with the CCPA. Unfortunately, that is not the case.

Since there are key differences (especially in the scope of application, the nature and extent of collection limitations, and the rules concerning accountability), businesses should prepare ahead of time to ensure CCPA compliance before the law becomes effective next year. In this article, we discuss how the CCPA differs from the GDPR in terms of applicability, collection limitations, and accountability.

What Is the GDPR?

The European data privacy regulation was created in 2016 and came into force on May 25, 2018. Here are some of its key aspects:

  • Firming up individuals’ privacy rights across Europe
  • Enhancing the responsibilities of business establishments
  • Empowering European privacy supervisors to levy fines of up to 20 million euros
  • Making consumers aware of what happens to the data they share

Referred to as revolutionary in data privacy law, the GDPR has pushed significant changes for WordPress websites (such as displaying a cookie notification on those sites, drawing up a privacy policy, mandatory data processing agreements, allowing users to request or remove their personal information, and many more). It has also redefined key business roles, such as the Chief Information Officer (CIO) and Chief Marketing Officer (CMO).

Simply put, the GDPR has played a pivotal role in the way industry players manage customer data, from financial services firms to healthcare providers and beyond.

Businesses that come under the GDPR’s scope are compelled to follow data protection policies, carry out data protection impact assessments, and make documentation available on how all data is processed. Organizations with over 250 employees must have documentation that explains why people’s information is being collected, how the information is being stored, how long it is being stored, and the security measures in place to prevent misuse.

What Is the CCPA?

Scheduled to become effective early next year, the CCPA was signed into law on June 28, 2018. Believe it or not, in order to responsibly address critical data privacy concerns, the CCPA was drafted and passed within a week. According to many, the CCPA is the most significant development in US privacy legislation in years. After the CCPA comes into force, it is expected that data breach incidents like the recent ones at Target, Equifax and Cambridge Analytica, which impacted millions of people, won’t be repeated going forward.

Referred to as the toughest consumer privacy law in the US, the CCPA will help protect the consumer rights of Californians, promote stronger privacy, and improve transparency in general. Moreover, it will empower Californians to request that any business disclose or delete the personal data it collects about them.

With the CCPA, Californians will be allowed to:

  • Know and access what personal data any organization is collecting, and request it be deleted
  • Know if their personal information is being shared with any third party vendor, and if so, with whom
  • Decline the sale of their personal information
  • Receive the same service and price, whether or not they decide to exercise their privacy rights

According to the CCPA, companies won’t be allowed to sell the personal information of consumers who are 13–16 years of age (unless the consumer opts in) and, for consumers who are 13 years or younger, companies will have to obtain consent from a parent or guardian. Also, organizations have to update their privacy policy at least once every 12 months.

The CCPA vs. the GDPR: An In-Depth Comparison

There’s no denying that the CCPA was inspired by the earlier-enacted GDPR and may appear similar to its European counterpart; however, the core legal framework of each is different.

Here are some of the notable differences:

  • Definition of personal information: While the CCPA covers “residents of California” only, the GDPR applies to “EU data subjects” with no mention of citizenship or residency requirements for those individuals. While the CCPA offers protection for data linked to a specific household, the GDPR is concerned only with information relating to individuals.
  • Covered entities: Under the GDPR, all organizations (businesses, public institutions, and non-profit organizations) must comply to avoid penalties. The CCPA applies to “for-profit companies” that meet these criteria:
    • Annual gross revenues over $25 million
    • Dealing with the personal data of over 50,000 consumers, devices or households
    • At least 50 percent of annual revenue derived from selling customer data
    • Collecting and processing customers’ data
    • Doing business in California, although the CCPA does not make clear whether the company must be located in the state or meet particular profit thresholds
  • Data: While all categories of personal data come under the scope of the GDPR, the CCPA applies to data not covered by the current federal privacy laws, such as Health Information Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA).
  • Transparency obligations: Both the GDPR and the CCPA require organizations to reveal what they do with the consumer personal data they’ve collected. While the CCPA requires that businesses divulge details of data sales and data processing activities for the preceding 12 months, the GDPR does not bind organizations to such a time limit.
  • Right to delete: While the CCPA’s right to delete personal data applies only to data collected from the consumer, the GDPR’s right applies to all data concerning the data subject, no matter where it came from.
  • Rights of the consumers: Under the GDPR, a business must obtain prior permission from data subjects for processing their data and for allowing third-party access to it. Under the CCPA, Californians can opt out of the sale of their data if they wish, and businesses must provide a visible link on their homepage for this purpose.
  • Data portability: Both privacy laws offer the right to data portability, which means consumer data has to be provided in a machine-readable format that can be transmitted to another entity. While under the GDPR organizations are obliged to transfer a data subject’s information to another data controller if requested, under the CCPA companies have no such obligation and must instead offer consumers the information electronically in a readily usable format.
  • Penalties for non-compliance: Under the GDPR, fines are 4 percent of annual turnover or €20 million (whichever is higher), and they are imposed through an assigned data protection authority such as the Information Commissioner’s Office in the UK. A CCPA violation means the organization will be paying a $7,500 fine plus $750 per individual involved, and enforcement is directed through the Attorney General of California.

Parting Words

The differences between the GDPR and the CCPA reinforce our view that data protection is a broad area and that different laws address different, or only some, parts of it. So, if you think you can relax with your CCPA preparation, remember: many CCPA requirements demand that businesses look back 12 months. For instance, if a customer asks on January 1, 2020, what personal data your organization holds about them, you will have to review your data collection and processing activities for the whole prior year, back to January 1, 2019.

So, what are you waiting for? Buckle up, start your CCPA preparations right now and be future ready. Get your free demo now to get started.
