Top 5 Differences Between the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA)
by Alex Gorton
Data use and data collection have become hot topics since the European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Essentially, new privacy legislation like the GDPR views personal data as an individual’s property. In short, you wouldn’t let someone use your car unless they asked you, so someone shouldn’t get to use your personal information unless they receive your permission. Recently, California enacted the California Consumer Privacy Act of 2018 (CCPA). The CCPA, like the GDPR, gives California residents certain rights regarding how their personal information is collected and used. Although the GDPR and CCPA have many similarities, there are several key differences to be aware of.
1. Who it protects
The GDPR protects European Union residents and citizens (“data subjects”). The CCPA protects California residents (“consumers”).
2. Who it applies to
The GDPR applies to any natural or legal person that (1) determines the purposes and means of processing personal data (“data controller”) or (2) processes personal data on behalf of another natural or legal person (“data processor”).
The CCPA applies to “businesses” that (1) collect personal information relating to California residents (2) determine the purposes and means of processing personal information (3) do business in California and (4) meet at least one of the following thresholds: have annual gross revenues in excess of $25 million, annually buy, receive for their commercial purposes, sell or share for commercial purposes personal information relating to 50,000 or more consumers, households or devices or derive 50% or more of their annual revenue from selling consumer personal information
3. Definition of “Personal Information”
Under the GDPR, “personal data” means any information relating to an identified or identifiable natural person (“data subject”), either directly or indirectly.
Under the CCPA, “personal information” is any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
4. Rights Granted
The GDPR grants data subjects 8 rights:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated individual decision making, including profiling
The CCPA essentially grants consumers 5 rights:
1. The right to disclosure
2. The right to deletion
3. The right to access
4. The right to opt-out
5. The right to non-discrimination
5. Penalties For Non-Compliance
Under the GDPR, companies who fail to comply can be fined either 4% of the company’s annual global revenue or up to €20 million (whichever is greater).
Under the CCPA, a consumer can institute a private right action for unauthorized access, theft, or disclosure of personal information in certain situations with possible damage awards of $100 to $750 per consumer and per incident, or actual damages, along with other types of relief.
January 27, 2020