GDPR versus CCPA: Data Privacy in Germany and California


In this article, we look at the similarities and differences between the GDPR and the CCPA. In today’s highly digitized world, the collection and processing of personal data play an increasingly important role. For numerous companies, data has become a currency. Jane Barratt, Chief Advocacy Officer at MX, is only one of many thought leaders sharing the notion that data has become the “new oil”. “If you go back just 10 years and look at the market caps of the top 10 companies globally, those companies made products and services. Today 50% of the top 10 companies are data-based platforms — Google, Facebook, Alibaba, Tencent — it is a fundamental shift in terms of the way the market views the value of data,” said Barratt on the Knowledge@Wharton radio show on SiriusXM in 2019. With data playing such a crucial role in our modern economies and our day-to-day lives, it is all the more necessary to implement a transparent system of rules and regulations for processing this valuable commodity. Both the EU and California have recognized this as an urgent need and adopted data protection regulations. In this article, we give you a quick overview of the European General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA). Furthermore, we juxtapose their similarities and differences and help you understand what to consider in order to comply with these regulations, especially when doing business in both the EU and California.

General Data Protection Regulation (GDPR)

In May 2018, the General Data Protection Regulation (GDPR) came into effect. The GDPR is a European Union (EU) law regulating data protection and privacy. It sets out the protection requirements for personal data in the European Union and the European Economic Area (EEA), and regulates the processing of personal data by private and public data processors in the EU. It supersedes the 1995 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

California Consumer Privacy Act (CCPA)

Since January 1, 2020, the California Consumer Privacy Act (CCPA) has been in effect in California. The CCPA is a state statute designed to improve the privacy and consumer protection rights of California residents in the United States. The act was passed by the California state legislature and signed into law on June 28, 2018, to amend Part 4 of Section 3 of the California Civil Code; it is officially designated as AB-375.

Let’s take a look at the framework of the GDPR before diving into the key differences to the CCPA.

What exactly does the GDPR cover?

The GDPR regulates all aspects regarding the processing of personal data. The regulations apply to all data management processes, such as the collection, recording, classification, storage, modification, use, transmission, dissemination, or deletion of personal data. Any information that can directly or indirectly identify a person is considered personal data. Direct identification can be a name, identification number, or location. Additionally, physical or cultural characteristics can indirectly identify a person and are therefore also included under the regulations.

Who must comply with the regulations of the GDPR?

Perhaps contrary to what one would assume, the scope of application of European data protection law is not tied to the location of data processing. Rather, the GDPR applies whenever operations involving personal data concern persons in the EU. Hence, the site of data processing is not the deciding factor. Therefore, the regulations also apply to non-European companies, insofar as they offer goods and services to customers within the European Union.

What criteria must a GDPR-compliant website meet?

The GDPR follows two principles: “privacy by design” and “privacy by default.” The idea behind the concept of “privacy by design” is to collect only as much personal data as is necessary for the respective use. For example, if the focus of data processing is on recognizing trends and correlations, the data collected should be anonymized as early as possible.

The principle of “privacy by default,” on the other hand, is about data protection-friendly default settings. The aim is to ensure that data protection requirements are met from the first use – even if the user does not change the default settings.

For the operator of a website that collects data, this means that the user’s authorization must be obtained through a declaration of consent. The request for consent must provide information on both the purpose and the scope of the data processing in easily accessible, transparent, and simple language. Additionally, the user must be informed of their right to withdraw consent at any time.

GDPR versus CCPA: Prior consent versus the right to opt-out

With some fundamental differences, the California Consumer Privacy Act (CCPA) is a Californian equivalent of the GDPR. The CCPA pursues the approach of creating more transparency in the collection of personal and household data, empowering consumers to control the use of their personal data.

Thus, the recently designated rights give Californian consumers the ability to request companies to disclose, delete or refrain from selling collected data to third parties.

In comparison with the GDPR, there are three crucial differences:

  • the territorial scope of the data protection regulation,
  • the definition of the protected information,
  • the “opt-out” right regarding the sale of the information.

The scope of the CCPA extends to all consumers who reside in California. Therefore, persons who are not long-term residents of the state, such as vacationers, are excluded from the CCPA.

The CCPA also defines personal information differently than the GDPR. While the GDPR considers data that can be attributed to a single individual, the CCPA also treats as personal data anything that can be used to identify a household.

The third major distinguishing aspect is the right to “opt-out”, which corresponds to an explicit disagreement regarding the sale of the data. In contrast to the European data regulations, under the CCPA, it is not necessary to obtain the consent of a data subject before collecting the data. Nor does the sale of such data require prior consent. Rather, the user must be given the opportunity to object to this procedure. To do so, a website must have a visible link where users can exercise their right of non-consent (“Do Not Sell My Personal Information”).

Summary: GDPR versus CCPA

When looking at the core functionalities of the GDPR and the CCPA, the main differences are as follows. The GDPR is a broader privacy law that provides a data protection framework for the EU. It is based on the prior consent of EU users, so that privacy is respected in principle and from the outset. The GDPR also gives users the rights to access, deletion, and information, as well as the right to withdraw consent.

In comparison, the CCPA is a narrower law that gives California residents the right to request access to or deletion of their data from companies (as defined by the CCPA) that hold the data, or to object to the sale of the collected data to third parties.
