GDPR vs. CCPA: What you need to know about privacy regulations

Data privacy has become increasingly serious and regulated in the past couple of years.

Specifically, the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the U.S. are the two biggest players when it comes to privacy regulations.

They both impact how personal data is collected and handled by businesses, and most businesses typically have to comply with both laws.

The need for regulation is there. Specifically, more than 3,800 publicly disclosed breaches happened in the first six months of 2019 that exposed 4.1 billion compromised records, which was a 54 percent increase over the first six months of 2018, according to Security.org.

Let’s dive into what each law is in general, what they have in common, as well as how they differ.

What is the GDPR?

The GDPR is Europe’s data privacy and security law that went into effect on May 25, 2018. It includes 88 pages of requirements (not including the accompanying directives) for organizations across the world. In other words, you don’t have to be located in Europe to be impacted by the GDPR.

This law is one of the most comprehensive data privacy laws to date.

The goal of the GDPR is to guarantee strong protection for individuals regarding their personal data and how businesses collect, use and/or share consumer data. This applies to both online and offline data collection.

The GDPR features enforcement as well in the form of big fines, with penalties up to tens of millions of euros.

The law has seven principles for data processing:

  • Processing must be lawful, fair, and transparent to the data subject.
  • Processing must be done for the legitimate purposes you specified explicitly when you collected the data.
  • Collect and process only as much data as is absolutely necessary for the purposes you have stated.
  • Personal data must be accurate and up to date.
  • Store personally identifying data only for as long as necessary for the stated purpose.
  • Processing must be done in such a way as to ensure appropriate security, integrity and confidentiality. This can include using encryption.
  • You are responsible for being able to demonstrate GDPR compliance with all of the other principles.

The GDPR also includes privacy rights for individuals that include:

  • Being informed
  • Having access
  • Rectification
  • Erasure
  • Restriction of processing
  • Data portability
  • The right to object
  • Rights related to not being subject to decisions based solely on automated processing

We put together a separate post dedicated to the GDPR.

Organizations that process the personal data of or offer goods or services to EU citizens and residents must follow the GDPR. Because of the global nature of the “worldwide web,” it really does apply to more businesses than you might assume.

Find out more about the GDPR (including a checklist for organizations), or read the 88-page regulation in PDF form.

What is the CCPA?

The United States, on the other hand, does not have a comprehensive federal privacy law like the GDPR. Thus, the CCPA (nicknamed “California’s GDPR”) is one of the most significant privacy laws in the country.

The CCPA, which went into effect on Jan. 1, 2020, applies to certain businesses (no matter where they are located) that collect personal information about California residents. However, because California is the fifth-largest global economy, it also has a worldwide impact (just like the GDPR).

The law expands the definition of personal information to include (in addition to names or phone numbers) such aspects as:

  • IP address
  • Device identifiers
  • Biometric, audio and location information

Also under the CCPA, California residents have the right to access their personal information, have it deleted and/or opt out of its “sale,” which is defined to include any disclosure in exchange for something of value.

The CCPA also enables California residents to bring a civil action lawsuit against companies that do not abide by the law. The state can also bring charges against a company directly, with a $7,500 fine for any violation that is not addressed within 30 days.

Find out more about the CCPA, including a list of frequently asked questions.

How do these privacy laws compare?

Terminology

The GDPR and the CCPA define certain terminology key to the discussion of data privacy in similar ways.

Minors

They also have additional protections for anyone 16 years old or younger.

Rights for access

Both laws also include rights of access to personal information. This means that, upon request, businesses must give users access to what information has been collected about them, what information is being shared or sold, and with whom that information is being shared or to whom it is being sold.

How do these privacy laws differ?

Who does it apply to?

When it comes to who specifically needs to comply with each law, the GDPR applies to any business that collects or processes the data of EU citizens or residents. The CCPA, on the other hand, applies to any company doing business with California residents that:

  • Has an annual revenue of $25 million
  • Collects, shares, buys or sells data of more than 50,000 California residents
  • Makes at least 50 percent of its revenue from the sale of Californian consumer data

Fines

Fines also differ. Specifically, the GDPR threatens fines of up to 4 percent of a company’s annual gross revenue or 20 million euros. The CCPA threatens fines of $750 per person per violation.

Specific rights

There is a slight variation in rights between the two laws as well. The GDPR identifies the eight rights described above, while the CCPA focuses on the right to access, the right to know about sales of personal information, the right to object to such sales, and the right to equal price and service (if users act on their privacy rights).

User consent

Obtaining user consent also differs between the GDPR and the CCPA. The GDPR has its principles for data processing as described above, but when collecting data under those legal guidelines, you still need to get clear permission from a user to collect his or her data. In addition, when collecting “sensitive information” (like race, ethnicity, religion, etc.) under the GDPR, you again have to get clear permission. With the CCPA, users have the right to withdraw their consent to the sale of their data at any time. Organizations must have a link labeled “Do Not Sell My Personal Information” on their homepage alongside their posted privacy policy. The CCPA does require explicit consent to sell the data of anyone younger than 16.

Data protection

When it comes to data protection and security, the GDPR is very specific. It underlines the requirement to:

  • Keep data encrypted, confidential and accessible
  • Notify users when/if a data breach occurs
  • Perform a Data Protection Impact Assessment (DPIA) before processing personal data

The CCPA is a little more open-ended in this regard. However, the Attorney General’s Office can bring lawsuits for breach of privacy if a company’s data is mishandled or infiltrated. Therefore, the responsibility falls on the organization to prevent such an incident from happening.

It is important as an organization to understand not only the requirements of the GDPR and the CCPA but also how they apply to your business. Personal data privacy and consumer rights will continue to be pushed forward across the world. Set your action plan now.