High-Level Comparison of GDPR and CCPA

Now that I have walked through the individual rights of both European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), discussed the CCPA in the context of other US privacy laws, and provided a detail “cheat sheet” for both GDPR and CCPA, lets compare the two at a high level from a scope, individual rights, obligations and enforcement perspective.

But First ….

… before we even get to Scope comparison etc. what is the “helicopter view” of where they are similar and where they are different?

They are similar in that they both give individual’s certain privacy rights vis a vis their personal data that is being collected/processed by various types of organizations. Rights such as the Right to be Informed (i.e. the “Right to Know” in a transparent manner about what privacy rights a person has and what personal data is being collected, the purposes of its collection, and if it is being sold or shared) and the Right to Delete that personal data. And they provide varying levels of “sticks” to enforce those Rights.

Where they are different is that GDPR is much more focused on the accountability and governance aspects of the processing of personal data, while the CCPA is more focused on giving consumers the various tools to limit its sale. But with the CCPA there is no obligation for consumers to use those tools, i.e. CCPA is an “opt-out” system (except for minors) while GDPR is an “opt-in.” So as this MLex report states: “If consumers take no action, under CCPA, there are no restrictions on how businesses use their data.”

Scope Comparison

In terms of effective date, GDPR came into full effect in mid-May of 2018.  CCPA was passed into law in 2018, but did not take effect until January 1, 2020, with a few caveats:  (1) enforcement actions taken by California AG to not occur til July 1, 2020; and (2) collection of personal data of a job application and/or employee and/or contractor by a business not in scope until January 1, 2021.

In terms of who is regulated and who is protected, GDPR regulates “controllers” (entities who determine the purposes and means of the processing of personal data) and “processors” (third parties that process personal data on behalf of the controller) who are either: (a) established in the European Union (EU), regardless of whether the processing takes place in the EU or not, or (b) not established in the European Union that either offer goods or services (irrespective of paid or not) to, or monitor behavior of, EU data subjects.   Controllers can include non-profit businesses.  GDPR protects a natural person (i.e. a real person, not a corporation, and not a deceased person — also referred to as a data subject), regardless of whether they are a resident of the EU.  So, the territorial aspect of the law applies to entities either processing data in the EU or processing the personal data of EU data subjects.

CCPA regulates for profit “businesses” who either have (1) gross revenue greater than $25 million OR (2) buys/sells/shares personal information on over 50,000 consumers or devices OR (3) derives 50% or more of its revenue from selling consumer personal information.  So much narrower in who is regulated, effectively small-to-medium businesses and non-profits are excluded.  CCPA protects consumers who are California residents.  So, the territorial aspect applies to the consumers, i.e. California residents.

The data protected is relatively the same – GDPR calls it “personal data” while CCPA calls it “personal information.”  It’s stuff you expect, e.g. government IDs, credit card info, health records, etc.   CCPA also broadens the definition to include information linked to households and devices.   GDPR has a special category of “sensitive data” that includes racial, ethnic, political beliefs, sexual orientation, etc. that cannot be processed with a few exceptions including consent by the data subject and/or in the context of fulfilling legislation.  The CCPA has delayed implementation of the protection of personal data involving employment until January 1, 2021.

Finally, in the case of the GDPR, personal data can only be processed if there is a lawful basis, which includes implicit consent as well as to fulfill a contractual obligation.  So, the focus on GDPR is about giving data subject’s the ability to “opt-in” to allow entities to process their personal data based on notice and consent.   In contrast, in the US a recent Supreme Court ruling (Sorrell v. IMS Health Inc. in 2011) interpreted the US Constitution’s 1st Amendment as letting businesses collect data without having to specify a purpose.  So CCPA supports “opt-out” with the exception for minors, who are “opt-in” for the sale of their personal information (i.e. by default business are not allowed to sell personal data) if aged 13-16 or with parental consent with children under 13.

Individual Rights

The totality of rights found in the GDPR and CCPA are the following, with √ = yes/supports and X = N/A (if you are not sure what one of these mean, refer to either the GDPR or CCPA cheat sheets in prior blog posts):

Right to …GDPRCCPA
… be Informed
… Access
… RectificationX
… Erasure
… Restrict ProcessingX *
… Data Portability
… Object to ProcessingX *
… “opt out” for Third Party Sales√ **
… Reject Automated Decision Making and ProfilingX
… not be Discriminated Against√ **

* = except to opt-out of sales of personal data to third parties

** = implied

Obligations

The below table discusses the legal obligations that a “controller” (GDPR) or “business” (CCPA) has vis a vis processing of personal data/information. Think of this as “accountability” that the controller/business has vis a vis to protecting personal data.

ObligationGDPRCCPA
Privacy Policy Disclosure
Date Protection by Design and DefaultX
Written Contracts with Processors / Service Providers
Maintain Records of Processing ActivitiesX
Respond to Rights Requests
New Homepage Link RequiredX
Implement Appropriate Security Measures√ *
Security Breach Notification√ *
Data Protection Impact AnalysisX
Data Protection OfficersX
Adhere to the Rules of Cross-Border Data TransfersX

* = implied via other California law(s)

Enforcement

There is a very big difference between CCPA and GDPR vis a vis enforcement — the CCPA is in the “light slap on the hand” category compared to GDPR.  This is a big problem for both consumers and security professionals as I discussed in this blog post on the “Problems with the California’s AG on Data Breach Reporting,” as many breaches are being swept under the rug in terms of consumers are not being notified and security professional not fully knowing the full extent of our data breach problem.

In terms of Civil Fines, i.e. regulatory penalties, GDPR enables Member States’ “supervisory authorities” to hand out a range of penalties including: (1) fines up to €20 million or 4% of annual worldwide turnover; (2) requiring entities to change how they process personal data; and/or (3) stopping entities from processing data altogether.  

CCPA on the other hand allows the California Attorney General to go after a business if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance.  But after 30 days, if the business or service provider is still in violation, they can be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation.

Specific to individuals’ private rights of action, i.e. a business’ liability to impacted individuals, the GDPR is much broader.  In the EU under GDPR, data subjects have private rights of actions that be filed against controllers and processors. These private rights of actions can be for material or non-material damage. Furthermore, there is mechanism spelled out how to enable a not-for-profit body, organization or association to bring class action claims.  

With the CCPA, there is a private right of action but only in the narrow context of consumers “nonencrypted and nonredacted personal information” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.”  Damages may be “not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.”  Key here is there is not another rights of actions beyond a breach occurring.  Furthermore, the definition of “personal information” is from a narrower definition of personal information found in Cal Civic Code § 1798.81.5, i.e. another law.

Part of the vision behind CCPA Version 2.0 aka the California Privacy Rights Act (that will be on the ballot in California in November of 2020) is to beef up CCPA’s enforcement through a new regulatory agency called the California Privacy Protection Agency (I assume it will be called the CPPA, which will confuse people with CCPA and CPRA also being referenced).  Anyway, that will be a good segue for me to drill down on the CPRA very soon in an upcoming blog post.

3 comments

  1. […] California has a law that a ballot initiator can agree to take their initiative off the ballot within 30 days of the initiative being certified by the Secretary of State.  Members of the legislature were interested in passing privacy legislation, so starting in May through June 2020 Alastair et al negotiated with the California legislature, and within hours of the 30 day window closing, a deal was struck and Assembly Bill (AB) 375 passed unanimously in both houses and was signed by Governor Brown in June of 2018.  This became what is known universally as the California Consumer Privacy Act (CCPA).   Industry tried to chip away at it via legislation that watered it down, but in the end 6 amendments to the CCPA were passed over the next year that preserved the main intent of the CCPA, which I detailed in a series of prior blog posts. […]

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s