In 2018 two major data privacy laws came into being – the EU General Data Protection Regulation (GDPR) came into effect in May and the California Consumer Privacy Act (CCPA) was signed into law in June.
The GDPR was created to give all EU member countries a uniform data privacy law and to provide greater protection and rights to individuals. The CCPA is an outcome of the GDPR's far-reaching influence. Although the CCPA shares many similarities with the GDPR, the two laws also have some notable differences.
GDPR vs CCPA: What’s the difference?
01 Who they apply to
GDPR
The GDPR applies to any organization inside or outside of the EU that offers goods or services to, or monitors the behaviour of, EU residents. The GDPR does not apply only to businesses: any organization, including a non-profit, is subject to the law.
CCPA
The CCPA applies to organizations "doing business in California" that meet at least one of the following criteria:
- Annual gross revenue over $25 million
- Buy, receive, or sell the data of over 50,000 consumers, devices, or households in California
- Derive at least 50% of their annual revenue from selling data
02 Who they protect
The GDPR protects “data subjects” who are natural persons and does not specify residency or citizenship requirements. GDPR clarifies that a data subject is any identified or identifiable natural person.
The CCPA protects “consumers” who are natural persons and who must be California residents.
03 What’s personal data
Both the GDPR and the CCPA consider personal data to be any data that directly or indirectly relates to an identified or identifiable individual. This broadly covers identifiers such as a name, an identification number, location data, and online identifiers like IP addresses and cookies.
However, the CCPA definition also includes information linked at the household or device level.
GDPR
Personal data under the GDPR covers publicly available data. This means that if a business collects personal data from a publicly available source, it will still be subject to the GDPR.
CCPA
Personal information under the CCPA does not cover publicly available information that is lawfully made available from federal, state, or local government records.
04 Types of data exempted
GDPR
While the GDPR does not exclude specific categories of personal data from its scope of application, there are cases in which it does not apply. These include:
- Anonymous data that does not include any identifying information.
- Non-automated data processing where the data is not going to be filed.
- Data processing by individuals for their own personal purposes.
CCPA
The CCPA provides several specific exemptions from its scope of application. These include:
- Medical information
- Information collected as part of a clinical trial
- Sale of information to or from consumer reporting agencies
- Personal information under the Gramm-Leach-Bliley Act
- Personal information under the Driver's Privacy Protection Act
- Publicly available personal information, which is made available lawfully
05 What constitutes data processing
GDPR’s definition
The definition of processing in the GDPR covers any operation performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, use, restriction, and erasure.
CCPA’s definition
The CCPA also maintains a broad definition of what it considers data processing, and it applies to the collecting, selling, or sharing of personal information.
Collecting refers to any buying, renting, gathering, obtaining, receiving, or accessing any personal information relating to a consumer. Selling includes renting, disclosing, releasing, disseminating, transferring, or communicating any personal information for monetary or other valuable consideration.
06 What are consumer rights
GDPR Rights
Right to be informed
Users have the right to be informed about the collection and use of their personal data.
Right to access
Users have a right to access their personal data, including to receive a copy and to obtain information about the data processing.
Right to rectification
Users have the right to correct inaccurate or incomplete personal data.
Right to erasure
Users have the right to request the erasure of personal data i.e. they have the right to be forgotten.
Right to restrict processing
Users have the right to restrict the processing of their personal data under certain circumstances.
Right to data portability
Users have the right to receive a copy of the personal data in a commonly used and machine-readable format.
Right to object to processing
Users have the right to object to processing for profiling, direct marketing, and statistical, scientific, or historical research purposes.
Right to object to automated decision-making
Users have the right to not be subject to automated decision-making, including profiling.
Right to non-discrimination
It is implicit in the GDPR, but not stated as a right.
CCPA Rights
Right to notice
Consumers have the right to be informed at or before the point of collection what categories of personal information will be collected and the purposes for which they will be used.
Right to disclosure
Similar to the GDPR's right to access, but the CCPA's right is only to obtain a written disclosure of the information.
Right to rectification
None
Right to erasure
Consumers have the right to deletion of personal information a business has collected, subject to certain exceptions.
Right to restrict processing
None, other than the right to opt-out of personal information sales.
Right to data portability
The CCPA gives consumers the same right as the GDPR, except that under the GDPR users also have the right to request that a business transfer their personal data to another business.
Right to opt-out of sale
Consumers have the ability to direct a business not to sell their personal information to a third party.
Right to object to automated decision-making
None
Right to non-discrimination
A business must not discriminate against a consumer because they exercised their rights.
07 What are the provisions for children
GDPR
The GDPR provides specific provisions for protecting children's personal data, which is subject to heightened security requirements. For children under the age of 16, a parent or guardian must provide consent. Individual member states can lower the age from 16 to 13. Children must also be provided with an age-appropriate privacy notice.
CCPA
The CCPA also provides special provisions for minors, and the protections provided by the federal Children's Online Privacy Protection Act (COPPA) apply on top of the CCPA's requirements. The CCPA prohibits selling the personal information of a consumer between 13 and 16 without consent. For children under 13, parental consent is required.
08 What is the penalty for non-compliance
GDPR fines
Administrative fines can be issued by a data protection authority and come in two tiers. The first tier of GDPR fines can go up to €10 million or 2% of annual global turnover. The second tier of GDPR fines can go up to €20 million or 4% of annual global revenue.
The GDPR also gives data subjects the right to sue if their rights were violated. Anyone who has suffered damage (material or non-material) as a result of a GDPR violation has the right to receive compensation from the controller or processor for the damage.
CCPA fines
Civil penalties can be issued by a court. Any violation of the CCPA is assessed and recovered in a civil action undertaken by the Attorney General.
Depending on the violation that occurred, the penalty may be up to $2,500 for each violation or up to $7,500 for each intentional violation.
The CCPA also gives consumers the right to private action against businesses that fail to implement security standards to protect the consumer’s information. A consumer may recover either statutory damages between $100 and $750 per consumer per incident, or actual damages (i.e. the true damages suffered by the consumer), whichever is greater.
GDPR and CCPA compliance with CookieYes
If your business falls within the scope of the GDPR and the CCPA, you can use a free cookie consent solution like CookieYes to comply with the laws. With a user base of over 1.3 million, CookieYes is a market leader in compliance technologies.
CookieYes has a single dashboard for all your cookie consent management.
With CookieYes, you can display a cookie consent banner, track and record all user consents, block third-party scripts until the user takes action, and auto-translate the banner/opt-out notice into 30+ languages. You can also scan your website and generate a cookie policy for foolproof GDPR compliance.