Hey, so given that I created a GDPR Cheat Sheet and a CCPA Cheat Sheet, let’s combine them and get a detailed comparison of the world’s foremost privacy laws! If you want a more executive-summary comparison of GDPR and CCPA, see this blog post.
| Category | Topic | GDPR Provision | CCPA Provision |
|---|---|---|---|
| Scope | Effective Date | May 25, 2018 | January 1, 2020, with two caveats:<br>(1) enforcement actions taken by the California AG not to occur until July 1, 2020; and<br>(2) collection of personal data of a job applicant and/or employee and/or contractor by a business not in scope until January 1, 2021 |
| Scope | Who is Regulated? | Applies to “Controllers” (entities who determine the purposes and means of the processing of personal data) and “Processors” (third parties that process personal data on behalf of the controller) who are either: (a) established in the EU, regardless of whether the processing takes place in the EU or not, or (b) not established in the EU but either offer goods or services (irrespective of whether paid or not) to, or monitor the behavior of, EU data subjects. [Article 3]<br>Small and medium-sized enterprises (“SMEs”) that process personal data as described above do have to comply with the GDPR. However, if the processing isn’t a core part of an SME’s business and their activity doesn’t create risks for individuals, then some obligations of the GDPR will not apply to them (e.g. appointment of a Data Protection Officer). | A for-profit “Business” that “collects consumers’ personal information” and meets one of the following thresholds:<br>(1) gross revenue greater than $25 million; OR<br>(2) buys/sells/shares personal information on over 50,000 consumers, households or devices; OR<br>(3) derives 50% or more of its revenue from selling consumer personal information.<br>Also covers any entity that controls or is controlled by a business and “shares common branding” with the business. [§ 1798.140(c)] |
| Scope | Who is Protected? | An identified or identifiable natural person (i.e. a real person, not a corporation, and not a deceased person), regardless of whether they are a resident of the EU. Also referred to as a “data subject.” [Article 4(1)] | A “Consumer” that is a natural person who is a California resident. [§ 1798.140(g)] Resident is defined per Cal. Rev. Code § 17014 as:<br>(1) Every individual who is in this state for other than a temporary or transitory purpose.<br>(2) Every individual domiciled in this state who is outside the state for a temporary or transitory purpose. |
| Scope | Do Children Get Special Protection? | Yes. In general children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. [Recital 38]<br>Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. EU states may provide by law for a lower age, but not below 13 years. [Article 8] And children must be able to receive privacy notices in clear and plain language that they can understand. [Article 12] | Yes: “a business shall not sell the personal information” of children aged 13 to 16 unless the child directly “opts in” to the sale. For children under 13, a business requires parental consent to the sale of their child’s personal data. [§ 1798.120(c)-(d)]<br>Note that “the law is intended to supplement federal and state law,” so existing federal privacy laws regarding children (e.g. COPPA) still apply. [§ 1798.196] |
| Scope | Covers Employees? | Yes. EU states “may by law or by collective agreements also provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organization of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.” [Article 89] | No, not until January 1, 2021. [§ 1798.145(h)] Specifically, “the title shall not apply to … personal information that is collected by a business about a natural person in the course of the natural person acting as … an employee” and “this subdivision shall become inoperative on January 1, 2021.” |
| Scope | What Information is Protected? | “Personal data” which means “any information relating to an identified or identifiable natural person (i.e. “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” [Article 4] | “Personal information” (PI) means “information that identifies, relates to, describes, is reasonably capable of being associated with …” a particular consumer or household. It then lists specific examples such as:<br>(1) Identifiers such as a real name, alias, postal address, unique personal identifier (which can include a device), IP address, email address, account name, social security number, driver’s license number, and passport number;<br>(2) Commercial information, including records of personal property, products or services purchased, or other purchasing or consuming histories or tendencies;<br>(4) Internet or other network activity information (e.g. browsing history);<br>(5) Geolocation data;<br>(6) Audio, electronic, visual, thermal, olfactory, or similar information;<br>(7) Professional or employment-related information;<br>(8) Education information as defined in FERPA; and<br>(9) Inferences drawn from any of the information above.<br>It does not include publicly available information or information that is deidentified. Nor does it apply to data already covered by federal privacy laws such as HIPAA, GLBA and FCRA. [§§ 1798.140(o) and 1798.145(c)-(f)] |
| Scope | Additional Restrictions on Sensitive Data? | Yes. “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.” However, this will not apply in a number of cases, including if the data subject gives explicit consent; if processing is done in the context of labor or employment laws; if it is done for social security legislation; if it is done in the vital interest of the data subject; and others. [Article 9] | N/A |
| Scope | Exemptions? | The GDPR does not apply to the processing of personal data in the context of (a) purely personal or household activity; (b) deceased individuals; (c) data in unstructured hardcopy format; and (d) national security and/or law enforcement. [Article 2] | There are several exemptions for both businesses and types of personal data collected.<br>For businesses:<br>(1) Businesses that are non-profits and/or small businesses under $25m and/or don’t collect the requisite amount of personal data (per “Who is Regulated?” above) [§ 1798.140(c)]<br>(2) Businesses should not be restricted in order to comply with a civil, criminal or regulatory inquiry and/or a subpoena/summons by a government authority [§ 1798.145(a)]<br>For types of personal data:<br>(1) Personal data subject to sector-specific federal and/or state privacy laws such as GLBA, HIPAA, California’s Confidential Medical Information (CMI) Act [§ 1798.145(c)-(f)]<br>(2) Personal data involving ownership of motor vehicles (e.g. information collected for recalls) [§ 1798.145(g)]<br>(3) Personal data involving job applicants, employees, contractors and owners/directors of businesses until January 1, 2021 [§ 1798.145(h)]<br>(4) Personal data that is deidentified or aggregate data [§ 1798.145(a)]<br>(5) Personal data collected as part of a clinical trial [§ 1798.145(c)]<br>(6) Personal data collected outside of California involving non-California residents [§ 1798.145(a)] |
| Scope | Lawful Bases to Process Personal Data? | GDPR has six legal bases for processing data: 1. Performance of a contract; 2. Legal obligation; 3. Performance of a task in the public interest; 4. Consent from the individual; 5. Legitimate interest; and 6. Protecting the vital interests of an individual. [Article 6] Specific to consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data, and must have a record of when the consent was given. Consent shall be presented in a manner which is clearly understood. It must be informed consent, freely given (i.e. “opt-in”), and it can be revoked. [Article 7] | No. The US Constitution’s 1st Amendment in general lets a business collect the data that it wants to (see Sorrell v. IMS Health Inc.). But the CCPA requires that a business disclose what categories of personal information it is collecting and the purpose for which it is collecting them (see Right to be Informed below), so as long as the consumer is informed and they don’t opt out (or opt in, in the case of minors), the business can collect. But note that Section 5(a) of the FTC Act provides that “unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful.” 15 U.S.C. Sec. 45(a)(1). |
| Scope | Law is Protected from Watering Down? | N/A | N/A |
| Individual Rights | Right to be Informed (aka Right to Know or Right to be Notified) | At the time personal data is obtained, the controller must provide the data subject detailed information about its data collection and protection activities, including the legal basis for the processing, as well as instruct the data subject on their individual rights vis-à-vis their personal data. The controller must also provide notice regarding personal data collected by third parties. [Articles 13, 14] | “A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.” [§ 1798.100(b)] Furthermore, businesses must also inform consumers what rights the consumer has vis-à-vis the personal data, e.g. consumers need to be told they also have the right to request deletion of their personal data. [§ 1798.105(b)] |
| Individual Rights | Right to Access | “Data subjects have the right to obtain from the controller whether or not personal data about the subject is being processed, and if that is the case, be able to access that personal data” as well as additional information such as the purposes of processing, the categories of personal data, the recipients of that data, how long that data will be stored, etc. [Article 15] | “A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.” [§ 1798.100(a)] This includes any third parties the business has shared the personal data with. The business shall provide that information once it has verified the consumer request. [§ 1798.100(c)] Furthermore, a business shall “promptly take steps to disclose and deliver, free of charge to the consumer, the personal information.” But “a business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.” [§ 1798.100(d)] |
| Individual Rights | Right to Correct (aka Right to Rectification) | The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed. [Article 16] Furthermore, the controller must take steps to inform other recipients of that subject’s personal data that it has been rectified. [Article 19] | N/A |
| Individual Rights | Right to Delete (aka Right to Erasure or Right to be Forgotten) | Data subjects have the right to obtain from the controller the erasure of personal data under six different scenarios, including where the personal data is no longer necessary in relation to the purposes for which it was collected, where the data subject withdraws consent and there is no other lawful basis for processing, and where the personal data has been unlawfully processed. [Article 17] Furthermore, the controller must take steps to inform other recipients of that subject’s personal data that it has been erased. [Article 19] | “A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” [§ 1798.105(a)] The business must also direct any service providers that the business utilizes to also delete the consumer’s personal information from their records. [§ 1798.105(c)] There are 9 exceptions in [§ 1798.105(d)], including performing the contractual obligations that exist between business and consumer, security purposes, debugging, the exercise of free speech, and engaging in research in the public interest. |
| Individual Rights | Right to Restrict Processing | GDPR gives a data subject the right to restrict the controller’s processing of the data subject’s data under a few scenarios, including where the accuracy of the personal data is contested by the data subject or the processing is unlawful. [Article 18] Furthermore, the controller must take steps to inform other recipients of that subject’s personal data that it has been restricted. [Article 19] | N/A, with the exception of the right to opt out of the selling of personal information (see below). |
| Individual Rights | Right to Data Portability | The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller. [Article 20] | Once a consumer requests access to their personal data from a business, and that request is verified, the “information shall be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit the information to another entity without hindrance.” [§ 1798.100(d)] |
| Individual Rights | Right to Object to Processing | “The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her.” Objections can be based on concerns over profiling, direct marketing, scientific research and other matters. [Article 21] | N/A, with the exception of the right to opt out of the selling of personal information (see below). |
| Individual Rights | Right to “Opt Out” of Sale and Sharing of Personal Information (aka Right to Say No) | This is not one of GDPR’s formally defined rights per se (it was added to this cheat sheet to benchmark against CCPA and CPRA), but GDPR does provide other rights that can net the same result, e.g. the right to object: “Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.” [Article 21] In addition, data subjects could revoke their consent as part of their right of erasure vis-à-vis direct marketing. [Article 17] | “A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.” [§ 1798.120(a)] |
| Individual Rights | Right to Limit Use of Sensitive Personal Information (including Precise Geolocation) | This is not one of GDPR’s formally defined rights per se (it was added to this cheat sheet to benchmark against CCPA and CPRA), but it is an implicit right in that the use of sensitive personal information is prohibited: “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.” However, this will not apply in a number of cases, including if the data subject gives explicit consent; if processing is done in the context of labor or employment laws; if it is done for social security legislation; if it is done in the vital interest of the data subject; and others. [Article 9] For other categories of personal information that are found in the CPRA definition of sensitive data, GDPR provides the rights of restriction and objection (see above). | N/A |
| Individual Rights | Right to Reject Automated Decision Making and Profiling | “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” Exceptions include the data subject’s explicit consent or the performance of a contract. [Article 22] | N/A |
| Individual Rights | Right of No Retaliation (aka Right to not be Discriminated Against) | This is not one of GDPR’s formally defined rights per se (it was added to this cheat sheet to benchmark against CCPA), but GDPR is implicit that discrimination is not allowed, e.g. “The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to … rise to discrimination”. [Recital 75] | The CCPA states that if a consumer requests access or exercises any of their individual rights, they can’t be discriminated against. Examples include (directly quoted from [§ 1798.125(a)]):<br>(1) Denying goods or services to the consumer.<br>(2) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.<br>(3) Providing a different level or quality of goods or services to the consumer.<br>(4) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services. |
| Obligations | Data Protection by Design and Default | Controllers must implement data protection by design and by default, e.g. “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimization, in an effective manner.” Furthermore, “the controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” [Article 25] | N/A, with the exception that a business must identify what data is personal in the design of its systems and apps so as to provide proper notification. |
| Obligations | Written Contracts with Processors / Service Providers / Contractors / Third Parties | “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.” [Article 28] | It is implied that a contract is in place with a service provider, given the definition of “service provider” as an entity that “processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business.” [§ 1798.140(v)] |
| Obligations | Maintain Records of Processing Activities | “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.” [Article 30] | Not really. The proposed CCPA regulations as drafted as of March 2020 do assume there will be some documentation of consumer requests regarding their personal information. |
| Obligations | Respond to Rights Requests | “The controller shall facilitate the exercise of data subject rights … and shall not refuse to act on the request of the data subject for exercising his or her rights … unless the controller demonstrates that it is not in a position to identify the data subject.” Furthermore, “the controller shall provide information on action taken on a request … to the data subject without undue delay and in any event within one month of receipt of the request.” [Article 12] | A business must respond to a “verifiable consumer request.” [§ 1798.140(y)] The proposed CCPA regulations document how these requests should be logged. Furthermore, a business must “disclose and deliver the required information to a consumer free of charge within 45 days” and can extend the 45 days once. [§ 1798.130(a)] This information must be provided “free of charge to the consumer” but a business “shall not be required to provide personal information to a consumer more than twice in a 12-month period.” [§ 1798.100(c)] Businesses must also respond to other rights requests (e.g. deletions, do not sell, etc.) with no limitations. [§ 1798.105(c), 1798.120(d)] |
| Obligations | New Homepage Links Required (e.g. do not sell/share personal information, limit use of sensitive personal information) | N/A | A business must “provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.” [§ 1798.135(a)] |
| Obligations | Implement Appropriate Security Measures | “The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk” including “pseudonymisation and encryption of personal data” as well as the ability to “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.” [Article 32] | Not a direct obligation found in the CCPA. The private right of action section [§ 1798.150(a)] states that “any consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.” Furthermore, existing California law states that “a business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” [§ 1798.81.5] |
| Obligations | Security Breach Notification | Controllers must notify both the supervisory authority and impacted data subjects within 72 hours. There is a carve-out for the supervisory authority where “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” The carve-out for data subjects applies if the data were encrypted and not readable. [Articles 33, 34] | N/A, but California has an existing (and separate) data breach notification law, § 1798.82. |
| Obligations | Data Protection Impact Analysis | “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” [Article 35] | N/A |
| Obligations | Data Protection Officers | Controllers and processors must appoint a Data Protection Officer in specific instances, including when their core activities include monitoring of data subjects on a large scale. The DPO should have a certain amount of independence and be the main point of contact with the supervisory authority. Specific tasks are spelled out in Article 39. [Articles 37-39] | N/A |
| Obligations | Adhere to the Rules of Cross-Border Data Transfers | Transfers of personal data outside the EU are restricted, with the following exceptions: (1) transfers to countries or territories deemed “adequate” by the European Commission in terms of the protection of personal data (note that the US, and states such as California, do not have an “adequacy decision”); (2) where there is an EU-approved transfer agreement and/or mechanism (e.g. the EU-US Privacy Shield and/or binding corporate rules between a controller and a processor); or (3) where there is an exception specific to the personal data, such as explicit consent. [Articles 44-50] | N/A |
| Enforcement | Dedicated Supervisory Authority | Each European Union Member State shall have at least one independent “Supervisory Authority” (SA) [Article 51] that “shall contribute to the consistent application of this Regulation throughout the Union.” [Article 51] Each SA shall “remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.” [Article 52] Each SA “shall facilitate the submission of complaints” that are “free of charge” for data subjects. [Article 57] Each SA has a number of investigative and corrective powers as well as authorization and administration powers, including the ability to issue fines. [Article 58] Each SA “shall draw up an annual report on its activities” [Article 59] and cooperate with other SAs [Article 60] and provide mutual assistance [Article 61].<br>The European Data Protection Board is an oversight organization that shall “ensure the consistent application of this Regulation” and provides advisory services to both Member States’ SAs and the European Commission [Article 70]. It issues “guidelines, recommendations, and best practices on procedures” related to the GDPR. [Article 69] The Board is composed of the head of each Member State’s SA [Article 68] and shall act independently. [Article 69] “The Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organisations.” [Article 71] | The CCPA did not create a dedicated agency to enforce the CCPA. The California Attorney General (AG) is tasked with adopting regulations regarding the CCPA based on public participation. [§ 1798.185] “Any business or third party may seek the opinion of the AG for guidance on how to comply with the provisions of this title.” [§ 1798.185] The AG can issue civil fines (see below). Any proceeds from civil actions will go into the Consumer Privacy Fund. This Fund is “created within the General Fund in the State Treasury, and is available upon appropriation by the Legislature to offset any costs incurred by the state courts in connection with actions brought to enforce this title and any costs incurred by the Attorney General in carrying out the Attorney General’s duties.” [§ 1798.160] The AG “shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” [§ 1798.185] |
| Enforcement | Penalties (Civil Fines) | A range of penalties can be issued by Supervisory Authorities, including: (1) fines up to €20 million or 4% of annual worldwide turnover; (2) requiring entities to change how they process personal data; and/or (3) stopping entities from processing data altogether. [Articles 83-84] | “A business shall be in violation … if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.” [§ 1798.155(b)] |
| Enforcement | Penalties (Private Rights of Action) | Data subjects have private rights of action that can be filed against controllers and processors. These private rights of action can be for material or non-material damage. Furthermore, there is a mechanism spelled out to enable a not-for-profit body, organization or association to bring class action claims. Data subjects can also lodge complaints with Supervisory Authorities. [Articles 77-82] | CCPA enables a consumer’s private right of action only in the narrow context where their “nonencrypted and nonredacted personal information” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Damages may be “not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.” [§ 1798.150(a)] There is no other right of action beyond a breach occurring (e.g. no private right of action if a business is not deleting their information upon request). Furthermore, the definition of “personal information” here is the narrower definition of personal information found in [§ 1798.81.5]. Note that “actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.” [§ 1798.150(b)] |
Next up in my blogging … taking a look at CCPA V2 — the California Privacy Rights Act (CPRA) that is on the Golden State’s ballot in November of 2020. In future blog posts I will also take a look at the proposed regulations that the California Attorney General is looking to put in place vis-à-vis the CCPA.