23 April 2020
The EU General Data Protection Regulation (GDPR), often said to be the world's toughest privacy law, took full effect in May 2018. The California Consumer Privacy Act (CCPA), easily the strictest general privacy law in the United States, passed soon after in June 2018. It took effect in January 2020.
The CCPA is unashamedly similar to the GDPR in many ways. In fact, parts of the GDPR appear to have been lifted and inserted verbatim into the CCPA.
That being said, the laws are distinct in many ways. They both share the goal of bringing greater consumer privacy and control over personal information. But the scope, impact, and requirements of each law are very different in practice.
Before we look at what's different about the two laws, it's important to mention a couple of key similarities that will put these differences in context.
Both laws concern the way "personal information" is "processed."
Beyond the international reach of both laws, there's a big difference in who is required to comply with them.
The CCPA is only aimed at businesses, and not just any business - a typical small ecommerce store or marketing startup, for example, would not be required to comply with CCPA.
For the purposes of the CCPA, a "business" is defined as a legal entity that "determines the purposes and means" of processing personal information, does business in California and conforms with one or more of the following:
Most of the requirements in the GDPR are placed on data controllers. "Data controller" is defined in Article 4 of the GDPR. A data controller can be anyone - an individual, a charity, a government body, a website admin, a business.
The key is that a data controller "determines the purposes and means of the processing of personal data [...]" - they decide why and how personal information is processed.
You can tell which of the two laws is more demanding by looking at their length. The CCPA comes in at over 10,000 words, but the GDPR is over five times longer.
There are many provisions in the GDPR that are not included in the CCPA. We'll look at some of these in more detail below. But broadly speaking, unlike the CCPA, the GDPR:
In a nutshell, while the CCPA is a big achievement for legislators in the context of US privacy law - which has historically been very weak - the GDPR is a much more significant and robust piece of legislation.
The CCPA's main concern is to regulate the sale of consumers' personal information. It achieves this by taking some of the GDPR's legislative controls and implementing them in specific ways.
For example, unlike the GDPR, the CCPA:
As we've seen, the GDPR and the CCPA do cover many common areas. Within these, the CCPA also makes some specific demands on businesses that the GDPR doesn't make. We'll explore some of these below.
Any business that falls under the CCPA will also need to comply with CalOPPA - and in many cases, the GDPR itself. So, you're likely to see some of these features in the Privacy Policies of many US businesses.
The CCPA shares some requirements with the GDPR in this respect. For example, businesses must explain how consumers can exercise their rights under the law. But there are some requirements under the CCPA that the GDPR does not make.
If the business hasn't sold or shared any personal information, it must declare this.
Additionally, businesses are required to display a link reading "Do Not Sell My Personal Information" in a conspicuous location on their home page, to alert consumers to their "right to opt out." We'll cover more on this right below.
Both the CCPA and the GDPR provide individuals with rights over their personal information. Individuals are the owners of their own personal information and should be able to control it.
This is part of what makes the CCPA so reminiscent of the GDPR - but, conversely, it's also what accentuates the contrast between the two laws.
The GDPR provides a greater number of these rights, and some of the rights the two laws share also differ in specific ways.
The right of access allows individuals to request a copy of their personal information that is being processed by a business (or any data controller under the GDPR). This is the right that looks the most similar under both laws, but it's worth considering the differences.
For example, the GDPR requires data controllers to comply with a request within one month, with an exceptional extension of an additional two months. The CCPA allows 45 days, which can be extended once by an additional 45 days where reasonably necessary.
The CCPA only requires a business to fulfill this request twice per year. The GDPR doesn't specify a limit, but it does allow data controllers to reject "excessive" requests.
There are also some variations in what can be provided under the right of access.
Data controllers under the GDPR must provide:
Under the CCPA, businesses must provide:
The CCPA's right of access actually incorporates part of the GDPR's right to data portability, which requires that information is provided in a "readily useable format that allows the consumer to transmit this information to another entity without hindrance." Unlike the GDPR, however, the CCPA doesn't require the business to perform this transfer itself.
The GDPR's "right to erasure" is also sometimes known as the "right to be forgotten." This title is a little overblown even in the GDPR's case - and it certainly isn't appropriate for the CCPA.
The CCPA only allows consumers to request deletion of personal information that has been collected from them directly by the business. The source of the personal information is not a relevant factor under the GDPR.
An individual can request that their personal information is deleted under either law. What differentiates the two laws is the conditions under which a deletion request can be refused.
The GDPR gives five such exemptions, and these are all shared by the CCPA with one exception - where maintaining the personal information is necessary for reasons of public health.
The GDPR's exemptions for when a deletion request can be refused are:
A deletion request can also be refused under the CCPA where the personal information is required:
These exemptions severely weaken this provision under the CCPA.
The CCPA requires businesses to allow consumers to opt out of the sale of their information. There is no such explicit right in the GDPR - but there doesn't really need to be. Both laws can allow consumers to prevent the sale of their personal information, via very different routes.
Because of the way that consent operates under the GDPR, businesses are not allowed to assume that they have permission to do certain things with the personal information they process.
Not all processing of personal information requires consent under the GDPR. Selling personal information, however, is very unlikely to be justifiable on any legal basis other than consent.
So whereas the CCPA requires businesses to allow consumers to opt out of the sale of their personal information, the GDPR effectively forbids businesses from selling individuals' personal information unless those individuals have opted in by giving informed consent. Further, any individual who has consented to such a practice is subsequently able to withdraw that consent.
The GDPR's approach in this regard is actually the approach taken by the CCPA towards children, who have the automatic "right to opt in" to the sale of their personal information, and cannot be assumed to have consented to it.
The GDPR is well-known for its potentially brutal fines. The CCPA may not go quite as far, but it does introduce some much tougher penalties than other privacy laws in the US.
The CCPA can be enforced via:
The GDPR can be enforced via:
The similarities between the CCPA and GDPR are mostly obvious - but in some places, they serve to highlight their differences.