CCPA vs. GDPR
CCPA vs GDPR: how do these two laws differ? Many of the privacy regulations emerging around the globe share numerous similarities (including their superficially similar acronyms) along with several key differences. If you’re wondering how the CCPA and the GDPR compare, let’s take a look.
First, what are GDPR and CCPA?
Recently, California passed its own privacy law, the CCPA or California Consumer Privacy Act, set to take effect in January 2020. The CCPA gives consumers rights regarding how their personal information is collected, sold or shared by organizations.
One of the most discussed privacy laws, and possibly the stricter of the two, is the EU GDPR, or General Data Protection Regulation, which has been in effect since May 2018. To strengthen people’s privacy rights, it restricts the collection and processing of personal data by organizations.
CCPA vs GDPR
Let’s start with the similarities: both laws oblige organizations to follow certain guidelines when handling the personal information of natural persons; namely, being transparent and acting in the best interest of the people whose information they collect. For example, both impose disclosure requirements such as informing people about what personal information is collected about them and about their rights under the CCPA/GDPR.
But how is the CCPA different from the GDPR? Here’s a breakdown of the basic differences (note that this list isn’t exhaustive):
| CCPA | GDPR |
|---|---|
| Applies to businesses, headquartered inside or outside of California, that collect personal information of California State residents and that satisfy at least one of three conditions | Has extra-territorial effect: it might cover all companies that process EU data whether they’re established in the EU or not, and regardless of where the actual data processing takes place |
| Protects California residents (whether they’re currently in the state or not) | Protects EU residents and data subjects whose data are collected by covered companies |
| Refers to ‘personal information’ that identifies, relates to, describes, and is linked to or associated with a consumer or household | Refers to ‘personal data’ that is related to an identified or identifiable data subject |
| May not apply to job candidates and employees (according to amendment Assembly Bill 25) | Applies to job candidates and employees |
| The right to disclosure / access | The right to disclosure / access |
| Right to deletion | Right to erasure (‘to be forgotten’) |
| Requirements for sale of personal information of children | Where the child is below the age of 16 years, processing of their personal data shall be lawful only if and to the extent that consent is given or authorized by the legal guardian. Member states can set a lower age provided that the lower age isn’t below 13 years |
| Right to object only to the sale of personal information | Right to restrict processing |
| The right of data portability | The right of data portability |
| – | Right to rectification |
| Direct right of action | Compensation claims and right to lodge a complaint with a supervisory authority |
| Right to recover damages ($100 to $750) | Right to receive compensation for material or non-material damages |
| Puts disclosure requirements on collection, selling and sharing of personal information | Puts disclosure requirements on, and restricts, collection and processing of personal data |
| Doesn’t impose a lawful basis as a requirement for the purposes of handling personal information | Requires companies to have a lawful basis to handle personal data |
| Obliges businesses to comply with a verifiable consumer request within 45 days | Obliges data controllers to comply with a verifiable data subject request within a month |
Fines & consequences
| CCPA | GDPR |
|---|---|
| Fine for violation is $2,500 to $7,500 | Fine for violation is up to 20 million euros or 4% of annual revenue/turnover, whichever is greater |
| $100 to $750 per consumer per incident after civil action | Compensation for material or non-material damages to the data subject |
| Businesses have 30 days to cure violations and inform consumers that they have done so | No grace period |
Terminology & descriptions
| CCPA | GDPR |
|---|---|
| Refers to “businesses” in general | Distinguishes between “data controllers” and “data processors” |
| Refers to “consumers” | Refers to “data subjects” |
| Addresses “personal information” | Addresses “personal data” |
| Applies to devices and households as well as consumers | Applies to natural people only |
- If your company already complies with the GDPR, you might find it easier to comply with the CCPA as well (although companies shouldn’t assume that their GDPR compliance efforts will necessarily satisfy the requirements of the CCPA).
- The CCPA sets its applicability criteria based on the ‘gain’ companies get from consumers’ personal data or on their overall revenue.
- The CCPA applies to households and devices as well as natural people, unlike the GDPR.
- Both the CCPA and the GDPR protect consumers or data subjects regardless of where they are at any given time.
- Both laws protect the same types and categories of information of natural persons. The CCPA may protect more information, such as information linked to a device (e.g. browsing activity).
- Both laws have disclosure and transparency requirements.
This article is meant to provide general guidelines and should be used as a reference. It’s not a legal document and doesn’t provide legal advice. Neither the author nor Workable will assume any legal liability that may arise from the use of this article. Always consult your attorney on matters of compliance with each law.