15 August 2020
It's no secret that the California Consumer Privacy Act (CCPA), which passed in June 2018 and came into force in January 2020, took some inspiration from the EU's General Data Protection Regulation (GDPR). Those who are familiar with the GDPR's right to object might experience a certain sense of deja vu when they hear about the CCPA's right to opt out.
In many ways, the laws are very different. But at their core, both laws share the goal of bringing individuals more control over their personal information. If the hope is to bring data protection standards in the United States a little closer to the European level, then the CCPA looks set to achieve this.
Let's take a detailed look at some of the similarities between the two laws.
Sometimes the GDPR and the CCPA use different language to describe the same things. The terminology is less important than the actual concepts that the laws define.
What the CCPA calls "personal information," the GDPR refers to as "personal data."
Both laws are basically referring to the same thing here - information that can be used to identify a person. Beyond the obvious things like a person's name, email address or ID number, this also includes things such as an IP address or cookie data.
What unites the laws here is that they are both trying to take a very broad approach. If anything, the CCPA is actually broader than the GDPR in this (and only this) area. But one very important phrase is common to both: personal information (or data) is something that can be used "directly or indirectly" to identify a person.
The word "indirectly" has allowed courts in the EU to decide that many things constitute personal data. It's clear that policy-makers are hoping to allow California courts a similarly wide discretion with the CCPA.
Both laws use the term "processing" to describe exactly the same thing.
In Article 4 of the GDPR, "processing" is defined as "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means."
The CCPA lifts this phrase almost word-for-word from the GDPR. The drafters of the CCPA haven't even changed the term "personal data" to "personal information."
It's clear that the CCPA is trying to cover the exact same activities as the GDPR - that is, it is trying to regulate any activity that can be performed on personal information, including collection, storage, sending, etc.
The GDPR is aimed in part at "data controllers." A data controller "alone, or jointly with others, determines the purposes and means of the processing of personal data."
The CCPA is aimed squarely at "businesses." "Business" in the CCPA means a very specific type of business, with very specific characteristics. Some of these characteristics have to do with total annual revenue and/or core activities.
Importantly, one of these characteristics is - you guessed it - that it "alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information."
The significance here is that both laws are trying to regulate the activities of the sorts of companies that decide how and why people's personal information should be processed. This element of control is what unites the definitions.
Where the GDPR says "data processor," the CCPA refers to a "service provider."
A "data processor" in the GDPR is a person or organization that "processes information on behalf of the [data] controller."
A "service provider" in the CCPA is a "legal entity that [...] processes information on behalf of a business [...]"
The two terms refer to companies that are carrying out the same sorts of tasks. It's important to understand this concept in order to fully understand either law. However, the CCPA does not seek to regulate this type of company, whereas the GDPR does.
The GDPR has led businesses all around the world to examine and publicize their privacy practices. The CCPA looks set to do the same.
The GDPR doesn't shy away from claiming a very broad jurisdiction. Article 3 states that the Regulation applies to anyone that either offers goods or services, or monitors people's behavior in the EU - whether based in the EU or not.
The CCPA says the same thing, but less explicitly. It defines a "business" as a legal entity that, along with other characteristics, "does business in the State of California." The Act doesn't refer only to businesses that are established in California, or whose headquarters are in California - it applies to anyone who does business in California.
Complications may arise when trying to enforce these laws against foreign businesses. But the importance of operating unimpeded in these two crucially important markets should provide enough motivation for businesses to comply with the laws.
Another area of similarity is in what the laws apply to. As we've seen, both apply to the processing of personal information, primarily by the people who make decisions about how and why such information is processed.
Both the CCPA and the GDPR are explicit in their aim to protect the privacy of the residents of their respective jurisdictions. Both laws do this partly by requiring businesses to be transparent in how they process personal information, and partly by granting individuals new rights over their personal information.
We'll look at these rights in more detail below.
Both the GDPR and CCPA have extensive requirements around transparency. While, as is the case in most areas, the GDPR's requirements are more stringent, businesses will still have to do a lot of work to comply with the CCPA.
The CCPA's requirements are mostly derivative of the GDPR's. For example, a business is required to disclose:
Beyond this, the transparency requirements actually look a little different. It's not that the CCPA requires businesses to reveal more than the GDPR does - it's just more specific with regard to the selling of personal information.
The rights and controls that the CCPA grants California residents over their personal information are probably its headline provision. It's also one of the areas most obviously inspired by the GDPR.
In reality, the GDPR's data rights are a lot meatier than the somewhat watered-down rights offered under the CCPA. Still, there are some significant similarities between the rights provided under both laws.
In Article 15, the GDPR gives individuals the right to request access to any of their personal information that a data controller is processing. If exercised, and subject to certain exceptions, the data controller must provide the individual with a copy of their personal information, for free, within a specified time period.
The CCPA contains a very similar provision - California residents should be able to request a copy of their personal information from a business and have it provided, for free, within a specified period. The right of access under the CCPA is narrower in scope, but the principle is the same.
In Article 20, the GDPR allows individuals to request a copy of their personal information in a "commonly used and machine-readable format" so that they can transmit this data to another organization "without hindrance."
Whilst, again, it is somewhat narrower in scope, the CCPA also provides Californians with this right as part of the "right of access" (above). When a consumer requests a copy of their information:
"the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance."
The GDPR's right to erasure, found in Article 17, is sometimes known as the "right to be forgotten." It's one of the better-known provisions of EU law, and it came out of a case called Google Spain v AEPD and Mario Costeja Gonzalez.
Following this case, Google has been required to consider requests from individuals that it remove references to them in its search results. It's why you might sometimes notice the following disclaimer at the bottom of a page of search results:
This is a very powerful right under the GDPR, but there are many exceptions and a data controller will not always have to comply.
The CCPA also grants individuals this right:
"A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer."
Again, there are many exceptions and businesses will not always have to comply. Many of these exceptions are common to both laws. For example, neither the GDPR nor the CCPA requires a business to delete personal information in certain situations where:
Several of the GDPR's rights relate to the individual's right to request that their personal information is not processed in a particular way. In Article 21, the GDPR gives individuals:
"the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her [...]"
The CCPA's right to opt out (sometimes called the "right to say no") is all about giving individuals the right to object to the sale of their personal information. This is a measure designed to target "data brokers" and other such businesses, for whom trading in information is a primary source of income.
The CCPA has Notice requirements that you'll need to become familiar with as well, which we address in detail in our article: CCPA Notices.
Both the GDPR and the CCPA can be enforced by:
There is a significant difference in how the penalties for infringing the CCPA and the GDPR are calculated.
Despite its narrower applicability and more specific objectives, the CCPA is substantially similar to the GDPR in many ways.
In fact, in almost any other context, the EU might have a pretty good case of copyright infringement against the California Legislature. There are some sections and phrases that seem to have been copied and pasted directly from the GDPR into the CCPA - quite clumsily in some cases - resulting in the CCPA slipping in and out of GDPR lingo.