CCPA vs. GDPR: The Basics
The European Union’s General Data Protection Regulation (GDPR) created a domino effect in the world of data privacy. It influenced many countries to implement “GDPR-like” laws to protect their citizens’ personal data. The US followed suit with the California Consumer Protection Act (CCPA) which has many similarities and differences with GDPR. Here we will take a look at all of the prominent CCPA vs GDPR points in this article.
Download OpenBack’s whitepaper outlining our unique approach to data privacy and regulation compliance:
CCPA vs GDPR: 9 differences between the laws
Here is how both laws differ from each other.
For-profit entities that collect personal information from California residents and meet any of the following thresholds:
- At least $25 million in gross annual revenue
- Buys, sells, or receives personal information about at least 50,000 California consumers, householders or devices for commercial purposes or
- Derives more than 50% of its annual revenue from the sale of personal information
Businesses that are:
- established in the EU and process EU data subjects’ personal data in or outside the EU, or
- not established in the EU but offer goods and services in the EU by processing EU data subjects’ personal data.
#2 Personal data covered
This regulation covers all personal identifying information (PII), that is: “Information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.” E.g. name, social security number, email address, purchase records, browsing history, geolocation data, fingerprints, and inferences from other personal data.
It does not include publicly available information from federal, state, or local government records.
Personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly”. E.g. identification number, location data, an online identifier, or data related to the physical, physiological, genetic, mental, economic, cultural, or social identity of the data subject. It does not include publicly available information.
#3 Data rights
Under both laws, people get certain data rights that they can exercise.
- Right to know about and access personal information
- Right to delete personal information
- Right to opt-out of the sale of personal information
- Right to non-discrimination for exercising the CCPA rights
- Right to access personal data
- Right to rectify personal data in case of inaccuracy
- Right to erase personal data under certain circumstances
- Right to restrict processing of personal data
- Right to port data to another controller
- Right to object to data processing
- Right to not subject to automated data processing, including profiling
CCPA mandates opt-out rather than opt-in. To sell or share any personal information, you must offer an opt-out option for users.
You must add a “Do Not Sell My Personal Information” link clearly and conspicuously on your website’s homepage.
You must wait for 12 months before selling or sharing the personal information after the user opts out.
GDPR requires you to give both opt-in and opt-out options for users to process their personal data.
#5 Age of consent
You cannot sell the personal information of a user under 16 years of age without consent. Children under the age of 13 require parental consent.
The federal regulation Children’s Online Privacy Protection Act (COPPA) applies to children’s personal information along with the CCPA.
The age of consent in GDPR is 16 and for those below 16, you require parental consent for all types of processing. Individual EU member states can lower the age to 13.
#6 Website cookies
Cookies are categorized as unique identifiers. Therefore, they are personal information. You do not require an opt-in for using cookies on your website. However, the website must disclose what data is being collected by cookies and why. And you must give the right to opt-out of the sale of personal information for CCPA compliance.
Like CCPA, the GDPR also categorizes cookies as personal data. As per the regulation, the website must provide both opt-in and opt-out for cookies that collect personal data and track users. The users must be able to withdraw the GDPR cookie consent at any time. The website requires a cookie consent banner or pop-up for both GDPR and CCPA. It must block third-party cookies before consent for GDPR cookie compliance. For websites that wish to outsource their cookie management, it’s possible to license cookie consent tools such as CookieYes is a cookie consent tool to collect and manage cookie consent on your website.
#7 Website notices
Businesses must provide information about the collection and processing of personal data. It must clearly specify whether third-party processors are involved in data collection and if so, why.
Up to $2,500 for each violation and $7,500 for each intentional violation.
Statutory damages from $100-$750 per violation.
It gives a 30-day cure period for rectifying the violation.
Up to €10 million or 2% of annual global turnover, whichever is highest, for less severe violations.
Up to €20 million or 4% of annual global turnover, whichever is highest, for severe violations.
#9 Supervisory authority
The responsibility of enforcing and supervising the compliance matters is upon the California Attorney General.
The law is enforced by the data protection authorities of EU member states. They can adopt the GDPR standards in their own state’s data protection laws.
Here are the 9 differences between CCPA and GDPR. There are a lot of similarities, so if you want to make your business compliant with both, it would not take a lot of effort. However, these differences are something to be aware of and taken into consideration while readying your business for compliance.