Both the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) aim to protect individuals’ privacy rights, but there are some key differences between the two. In this blog post, we’ll look at some of the important distinctions between the CCPA vs. the GDPR.
Only in the GDPR
Only in the CCPA
In addition to differences in their core concepts, the CCPA and GDPR have variances in terminology.
Consumer (CCPA) vs. data subject (GDPR)
Under the CCPA, a consumer is a natural person who must be a California resident. According to the GDPR, a data subject is any identified or identifiable natural person, that is, a person who can be identified directly or indirectly. In contrast to the CCPA’s residency requirements, a data subject under the GDPR does not necessarily need to be an EU citizen or resident.
The GDPR applies outside of the EU when a company sells products or services to individuals inside the EU or when individuals are targeted or monitored. It covers “processing” of personal data, defined to include any operation performed on personal data, including collection.
Personal information (CCPA)
The CCPA broadly defines personal information (PI) as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household.
Personal data (GDPR)
The GDPR defines personal data as any information relating to an identified or identifiable person, by reference to an identifier. In fact, an individual can be both a consumer and a data subject if an EU-established company processes personal data of California residents.
The CCPA classifies the following as a business:
The GDPR defines the controller the organization that determines the purposes and means of the processing. The GDPR applies under the following circumstances:
Right to opt-out vs. the right to object and the right to withdraw consent
Under the CCPA, the Right to Opt-Out means:
Under the GDPR, the Right to Object means:
Under the GDPR, the Right to Withdraw Consent means that:
The CCPA does not explicitly list legal grounds that businesses must rely upon to collect and use personal information. However, individuals have the right to opt-out of the sale after collection and can instruct businesses to stop selling their personal information.
Under the CCPA, there are several instances where businesses are required to collect the consent of the consumer. These include where the consumer is entering into a scheme that offers financial incentives based on the personal information provided. The CCPA allows businesses to sell minors’ data on the basis of valid consent, but consent is not required for the collection of the information.
The GDPR sets out 6 legal bases under Article 6 that organizations can rely upon to lawfully collect and use personal data. Processing personal data is considered lawful under the GDPR if at least one of the following applies:
What is a violation under CCPA?
The CCPA outlines monetary penalties for unintentional and intentional violations. These range from $2500 per unintentional violation to $7500 per intentional violation with no maximum penalty outlined by the law. Violations of the CCPA are assessed and penalties recovered through civil action brought by the California Attorney General and issued in court.
On March 17, 2021, the establishment of the California Privacy Protection Agency (CPPA) was announced. The board will oversee, implement, and enforce the CCPA and the CPRA, a role previously fulfilled by the California Attorney General.
What are the types of GDPR breaches?
Breaches of the GDPR’s provisions are typically bucketed into two categories each with different levels of monetary penalty attached. Depending on the nature, gravity, and duration of the infringement, the penalty for non-compliance with the GDPR may be up to either:
In general, the lower penalty amount is issued for breaches of controller or processor obligations. Breaches of data subjects’ rights and the GDPR’s data protection principles will result in fines from the higher tier being issued.
Both the GDPR and the CCPA grant individuals rights that enable them to protect their privacy. Regardless of where you are in your privacy program, it’s never too late to start preparing for the CCPA. For more information on our CCPA Same Day Fast Track Implementation Program or to request a live OneTrust for CCPA software demo, visit www.onetrust.com/ccpa-compliance or email info@OneTrust.com.