The EU General Data Protection Regulation (GDPR), often said to be the world's toughest privacy law, took full effect in May 2018. The California Consumer Privacy Act (CCPA), easily the strictest general privacy law in the United States, passed soon after in June 2018. It took effect in January 2020.
The CCPA is unashamedly similar to the GDPR in many ways. In fact, parts of the GDPR appear to have been lifted and inserted verbatim into the CCPA.
That being said, the laws are distinct in many ways. They both share the goal of bringing greater consumer privacy and control over personal information. But the scope, impact, and requirements of each law are very different in practice.
Some Fundamental Similarities
Before we look at what's different about the two laws, it's important to mention a couple of key similarities that will put these differences in context.
Both laws concern the way "personal information" is "processed."
- Personal information ("personal data" in the GDPR) is any information that can be used, directly or indirectly, to identify an individual. This could be anything from a person's name to their IP address. The laws both take a very broad approach to defining personal information (particularly the CCPA).
- Processing personal information means performing any operation or set of operations on it. So, for example - storing it, sending it, selling it, etc. The definition of "processing" in both laws is practically identical.
Both laws:
- Apply internationally - to anyone who does business within each law's jurisdiction.
- Protect individuals - "consumers" in the CCPA and "data subjects" in the GPDR.
Who the Laws Apply To
Beyond the international reach of both laws, there's a big difference in who is required to comply with them.
CCPA - Businesses
The CCPA is only aimed at businesses, and not just any business - a typical small ecommerce store or marketing startup, for example, would not be required to comply with CCPA.
For the purposes of the CCPA, a "business" is defined as a legal entity that "determines the purposes and means" of processing personal information, does business in California and conforms with one or more of the following:
- It has annual gross revenues of over $25 million;
- It buys or receives for its own commercial purposes, or sells or shares for commercial purposes, personal information from at least 50,000 devices, households or consumers per year;
- It makes at least 50 percent of its annual revenues from selling or sharing consumers' personal information.
GDPR - Data Controllers
Most of the requirements in the GDPR are placed on data controllers. "Data controller" is defined in Article 4 of the GDPR. A data controller can be anyone - an individual, a charity, a government body, a website admin, a business.
The key is that a data controller "determines the purposes and means of the processing of personal data [...]" - they decide why and how personal information is processed.
How Each Law Applies
You can tell which of the two laws is more demanding by looking at their length. The CCPA comes in at over 10,000 words, but the GDPR is over five times longer.
Provisions Exclusive to the GDPR
There are many provisions in the GDPR that are not included in the CCPA. We'll look at some of these in more detail below. But broadly speaking, unlike the CCPA, the GDPR:
- Aims to bring more consistent privacy and data protection standards across the geographic area over which it applies
- Regulates the activities of data processors (known as "service providers" in the CCPA, which does not regulate their activities)
- Provides a set of six principles to which all processing of personal information must adhere, for example, "data minimization" and "purpose limitation"
- Provides a set of six legal bases under which all personal information processing must take place. (For example, where the consent of the individual has been gained, or where there is a legal obligation.)
- Sets out specific measures that should be taken regarding data security
- Requires some organizations to appoint a data protection officer
- Empowers data protection authorities to enforce privacy law
- Sets out procedures for professional bodies to set up data protection certification schemes and codes of conduct
- Provides specific conditions under which data can be transferred overseas
In a nutshell, while the CCPA is a big achievement for legislators in the context of US privacy law - which has historically been very weak - the GDPR is a much more significant and robust piece of legislation.
Provisions Exclusive to the CCPA
The CCPA's main concern is to regulate the sale of consumers' personal information. It achieves this by taking some of the GDPR's legislative controls and implementing them in specific ways.
For example, unlike the GDPR, the CCPA:
- Requires businesses to publish up-to-date information about what types of consumers' personal information they have sold or shared for commercial purposes
- Requires businesses to provide a specific process by which consumers can opt out of the sale of their personal information
As we've seen, the GDPR and the CCPA do cover many common areas. Within these, the CCPA also makes some specific demands on businesses that the GDPR doesn't make. We'll explore some of these below.
Privacy Policy Requirements
Both laws require organizations to disclose extensive information about the personal information they collect in an easily accessible Privacy Policy. Failing to do this where required is unlawful.
GDPR Privacy Policy
The GDPR requires a data controller to disclose some information in their Privacy Policy that is not mentioned in the CCPA, including:
- The name and contact details of the data controller (i.e. the organization that created the Privacy Policy) and its data protection officer (if relevant)
- The legal bases on which personal information is being processed
- Specific information about the legal bases that are being relied on (e.g. a Legitimate Interests Assessment, or how individuals can withdraw consent)
- Any third parties with whom personal information might be shared (whether for commercial purposes or not)
- Whether personal information will be transferred overseas, and the conditions surrounding this transfer
- How long personal information will be stored
A GDPR-compliant Privacy Policy actually looks more like a Privacy Policy created to comply with the CCPA's predecessor legislation, the California Online Privacy Protection Act (CalOPPA). This was the first US law that required commercial websites to display a Privacy Policy.
Any business that falls under the CCPA will also need to comply with CalOPPA - and in many cases, the GDPR itself. So, you're likely to see some of these features in the Privacy Policies of many US businesses.
CCPA Privacy Policy
The CCPA Privacy Policy requirements center around the trade of personal information.
The CCPA shares some requirements with the GDPR in this respect. For example, businesses must explain how consumers can access their rights under the law. But there are some requirements under the CCPA which are not made by the GDPR.
For example, the CCPA requires that a business includes three specific lists in its Privacy Policy that disclose:
- The types of personal information that the business has collected in the previous 12 months
- The types of personal information that the business has sold in the previous 12 months
- The types of personal information that the business has shared for commercial reasons in the previous 12 months
If the business hasn't sold or shared any personal information it must declare this.
Additionally, businesses are required to display a link reading "Do Not Sell My Personal Information" in a conspicuous location on their home page, to alert consumers to their "right to opt out." We'll cover more on this right below.
Both the CCPA and the GDPR provide individuals with rights over their personal information. Individuals are the owners of their own personal information and should be able to control it.
This is part of what makes the CCPA so reminiscent of the GDPR - but, conversely, it's also what accentuates the contrast between the two laws.
The GDPR provides a greater number of these rights, and there are also some specific areas of differences within some of these rights.
Right of Access
The right of access allows individuals to request a copy of their personal information that is being processed by a business (or any data controller under the GDPR). This is the right that looks the most similar under both laws, but it's worth considering the differences.
For example, the GDPR requires data controllers to comply with a request within one month, with an exceptional extension of an additional two months. The CCPA allows 45 days, which can be extended once by an additional 45 days where reasonably necessary.
The CCPA only requires a business to fulfill this request twice per year. The GDPR doesn't specify a limit, but it does allow data controllers to reject "excessive" requests.
There are also some variations in what can be provided under the right of access.
Data controllers under the GDPR must provide:
- The categories of personal information being processed
- The reasons for processing the personal information
- The categories of any recipients of the personal information, and whether they are based overseas
- How long the personal information is stored
- Details about the individual's data other data rights
- The sources of the personal information
- Details of any automated decision-making (if relevant)
Under the CCPA, businesses must provide:
- The categories of personal information collected
- Specific pieces of the personal information
- Any commercial reasons for collecting or selling the personal information
- The categories of any recipients of the personal information
- The categories of sources of the personal information
The CCPA's right of access actually incorporates part of the GDPR's right to data portability, which requires that information is provided in a "readily useable format that allows the consumer to transmit this information to another entity without hindrance." Unlike the GDPR, however, the CCPA doesn't require the business to perform this transfer itself.
Right of Erasure/Deletion
The GDPR's "right to erasure" is also sometimes known as the "right to be forgotten." This title is a little overblown even in the GDPR's case - and it certainly isn't appropriate for the CCPA.
The CCPA only allows consumers to request deletion of personal information that has been collected from them directly by the business. The source of the personal information is not a relevant factor under the GDPR.
An individual can request that their personal information is deleted under either law. What differentiates the two laws is the conditions under which a deletion request can be refused.
The GDPR gives five such exemptions, and these are all shared by the CCPA with one exception - where maintaining the personal information is necessary for reasons of public health.
The GDPR's exemptions for when a deletion request can be refused are:
- When the right of freedom of expression and information is being exercised
- If you're legally obligated to process the data for the exercise of official authority or for public interest
- If you're processing the data for reasons of the public interest in public health
- If you're processing the data for archiving purposes related to the public interest, scientific or historical research, or statistical purposes
- If processing the data is necessary for establishing, exercising or defending legal claims
A deletion request can also be refused under the CCPA where the personal information is required:
- To perform a contract (e.g. complete a transaction)
- To repair and debug errors
- To comply with the California Electronic Communications Privacy Act
- For any internal purposes that the consumer might reasonably expect based on:
- Their relationship with the business
- The purposes for which they provided the information
These exemptions severely weaken this provision under the CCPA.
Right to Opt Out/Consent
The CCPA requires businesses to allow consumers to opt out of the sale of their information. There is no such explicit right in the GDPR - but there doesn't really need to be. Both laws can allow consumers to prevent the sale of their personal information, via very different routes.
Because of the way that consent operates under the GDPR, businesses are not allowed to assume that they have the permission to do certain things with the personal information they process.
Not all processing of personal information requires consent under the GDPR. Selling personal information, however, is very unlikely to be justifiable on any legal basis other than consent.
So whereas the CCPA requires businesses to allow consumers to opt out of the sale of their personal information, the GDPR effectively forbids businesses to sell individuals personal information unless they have opted in, by giving informed consent. Further, any individual who has consented to such a practice is subsequently able to withdraw that consent.
The GDPR's approach in this regard is actually the approach taken by the CCPA towards children, who have the automatic "right to opt in" to the sale of their personal information, and cannot be assumed to have consented to it.
Penalties
The GDPR is well-known for its potentially brutal fines. The CCPA may not go quite as far, but it does introduce some much tougher penalties than other privacy laws in the US.
Enforcement of the CCPA
The CCPA can be enforced via:
- Penalties issued via civil cases brought by the Attorney General:
- Up to $2,500 per unintentional violation
- Up to $7,500 per intentional violation
- Private legal claims brought by consumers, where they can recover amounts between $100 and $750 per incident, or actual damages - but only for the unlawful loss of their personal data.
Enforcement of the GDPR
The GDPR can be enforced via:
- Penalties issued via data protection authorities, including:
- Warnings and other non-financial penalties
- For some violations, up to 10 million euros or 2 percent of a company's annual worldwide turnover - whichever is higher
- For more serious violations, up to 20 million euros or 4 percent of a company's annual worldwide turnover - whichever is higher
- Private legal claims against data controllers, processors or data protection authorities. There are no maximum penalties specified.
Summary of Key Differences
The similarities between the CCPA and GDPR are mostly obvious - but in some places, they serve to highlight their differences.
- The GDPR applies to "data controllers" which has a very broad definition. The CCPA applies only to businesses of a very specific size or type.
- Unlike the CCPA, the GDPR covers areas such as:
- Regulating data processors (service providers)
- Principles of data processing
- Legal bases for processing
- Specific data security measures
- Appointing a data protection officer
- Empowering data protection authorities
- Certification schemes and codes of conduct
- Overseas transfers
- Unlike the GDPR, the CCPA requires businesses to:
- Publish up-to-date information specifically about their personal information trading practices
- Specifically allow individuals to opt out of the sale of their personal information
- The GDPR requires data controllers to publish a comprehensive Privacy Policy. The CCPA requires businesses to publish a specific Privacy Policy about their personal information trading practices.
- The GDPR provides a broader set of rights that allow individuals a high degree of control over their personal information. The CCPA provides some of these rights, but with more exemptions for businesses.
- The GDPR and CCPA are enforced via a different system of penalties.
