The differences between the California Consumer Privacy Act and the GDPR

Almost two years after the GDPR came into force, a new data privacy regulation has arrived from the land where some of the world’s leaders in the development of new technologies were born and still have their main establishments. We are talking about the California Consumer Privacy Act (CCPA), the comprehensive privacy law enacted in the state of California in June 2018, which became effective on January 1, 2020.

Known as the American counterpart to the European Union General Data Protection Regulation (GDPR), the CCPA grants California residents rights over the use of their personal information and establishes requirements for companies that do business in the state of California. The CCPA and the GDPR share fundamental concepts, such as the right to deletion and the right to data portability, and the same rationale: to give people control over how their personal data are used. However, there are some differences that are worth highlighting.

Here’s a summary of the differences:

[Comparison table: The differences between the California Consumer Privacy Act and the GDPR]

Let’s explain these things in more detail…

Data subject vs. consumer

Both laws protect any natural person who can be identified, directly or indirectly, by identifiers such as a name. The GDPR calls this person the “data subject”; the CCPA calls this person the “consumer,” and defines a consumer as a natural person who is a California resident.

Definition of personal data

Although both the GDPR and the CCPA define this term as information that can identify a natural person, the CCPA is more explicit in two respects. First, it lists commercial information as a category of personal information, including records of “personal property, products or services purchased, obtained, or considered.” Second, it covers information that can be linked not only to a particular consumer but also to a household, so data about a household (for example, a shared address or a shared device) can be personal information under the CCPA even when it does not single out one individual.

Territorial scope

Unlike the GDPR, whose territorial scope also reaches controllers and processors outside the EU that offer goods or services to, or monitor the behavior of, people in the EU, the CCPA regulates only for-profit businesses that do business in the state of California and satisfy at least one of these thresholds:

  1. They have annual gross revenues in excess of $25,000,000.
  2. They buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices annually.
  3. They derive 50% or more of their annual revenue from selling consumers’ personal information.

A small business that does not reach any of these thresholds is outside the CCPA’s scope, whereas the GDPR has no revenue or volume threshold: it applies to any organization that processes the personal data of people in the EU within its territorial scope.

Read more here: Is the GDPR applicable to our company?

User’s rights

In establishing the user’s rights, both the General Data Protection Regulation and the California Consumer Privacy Act establish:

  • The right of the data subject/consumer to know the categories of personal information collected by the company and the purposes for which they are used, including any third parties with which the company shares this information (article 15 of the GDPR, right of access).
  • The right of the data subject/consumer to obtain the deletion of personal information about himself or herself. Both laws establish exceptions to this right (article 17 of the GDPR, right to erasure).
  • The right of the data subject/consumer to receive the data concerning him or her in a structured, machine-readable/readily usable format, so that the data can be transmitted to another controller without hindrance (article 20 of the GDPR, right to data portability).

Regarding differences, the California Consumer Privacy Act establishes a right to opt out, which is loosely comparable to the right to object established by the GDPR in article 21, although the two rights cover different things.

According to the CCPA, Californians have the right to opt out of the sale of their personal information to third parties, and a business must provide a clear “Do Not Sell My Personal Information” link for this purpose. “Sell” is defined broadly: it covers any disclosure or transfer of a consumer’s personal information to a third party “for monetary or other valuable consideration,” not only transfers in exchange for cash. The GDPR’s right to object, by contrast, lets a data subject object to processing based on legitimate interests or public interest, and to processing for direct marketing, regardless of whether any sale is involved.

Read also: 8 data subject rights according to GDPR.

Penalties

Both the GDPR and the CCPA establish consequences for non-compliance, in two forms: a private right of action for individuals, and fines imposed on the company by the authorities. In the first case, both laws allow an individual to sue because of a security breach or a violation that occurs during the processing of personal data. However, the CCPA’s private right of action is more restricted than the GDPR’s: it applies only to data breaches caused by the business’s failure to implement reasonable security procedures (with statutory damages of $100 to $750 per consumer per incident, or actual damages if greater), and the business is granted a 30-day period to cure the violation, where feasible, in order to prevent the civil action. Under the GDPR (article 82), any person who suffers material or non-material damage from an infringement of the Regulation can claim compensation from the controller or processor, with no cure period. Regarding administrative fines, the two laws calculate them differently, as described in the table above: the GDPR provides for fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, while the CCPA provides for civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, enforced by the California Attorney General.

Privacy as a business achievement?

More could be said about the points of contact between the GDPR and the CCPA. Surely, more could be said about the sobering prospects opening up for companies operating globally: each of them is required to revise its data protection policies in order to comply with laws that hold it accountable if it does not protect its clients’ data, even outside the European Union. Maybe it’s time for companies to start considering data privacy a business achievement rather than a mere requirement to comply with.

To find out which documents need to be covered to be fully compliant with the GDPR, download this free Checklist of Mandatory Documentation Required by EU GDPR.

Francesca Lucarini

Francesca Lucarini is a cybersecurity advisor, ISO 27001 qualified auditor, and expert in communicating GDPR and information security themes, as well as in suggesting tools that help people and companies increase their awareness of the risks that can arise from the use of technology.