GDPR vs. CCPA: How do they affect businesses across the US?
Many US companies are also active on the European market. Doing business in the European Union, with its own regulatory landscape, raises a lot of questions about the differences and similarities between two core privacy laws – the CCPA and the GDPR. Read the following comparison to quickly find your way around.
To start with – the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) have a lot in common, and even more since the adoption of Proposition 24 that paved the way for the California Privacy Rights Act (CPRA).
Both aim to protect the personal information of individuals and to provide a regulatory framework for organizations on how they may use personal data without breaching privacy rules. Both laws also establish some additional protection for individuals under the age of 16 and both include rights to access personal information.
Thanks to these two regulations, Californians, as well as the users protected by the GDPR, now have the right to know whether and why their personal information is collected or processed and who is handling it. They can also require organizations to delete their data. That is why organizations must implement data protection measures on both organizational and technical levels.
However, the CCPA and GDPR also differ in some ways, even with the CPRA coming into force on July 1, 2023. Do you know all the details?
1) To whom do these regulations apply?
Let’s start with people. The terminology used by both regulations defines the protected individuals in different ways. While the CCPA protects the consumer – a legal person who must be a California resident and meets the residency and domicile requirements – the GDPR applies to a broader range of data subjects; that is, any person who can be identified by reference to an identifier such as a name, ID number, location data, online identifier and much more. It could be said that the GDPR protects more people from more data processing practices than the CCPA because the definition of “data subjects” allows fewer exceptions to the law.
The CCPA applies to for-profit organizations that do business in California, collect personal information from California-based consumers, and meet at least one of the following thresholds:
- Annual gross revenue over $25 million
- Annually buy, receive, sell or share the personal information of 50,000 or more consumers, households, or devices for commercial purposes
- Derive 50% or more of their annual revenue from selling consumer personal information
Nevertheless, the CPRA has already changed the definition of what “doing business” actually means. It raises the CCPA threshold to 100,000 California residents or households. Moreover, the CPRA distinguishes between two types of advertising: cross-context behavioral advertising and non-personalized advertising. Some businesses that exchanged personal information, such as cookie data, used it to target and serve ads to users across different platforms. Under the new condition, they can no longer argue that such exchanges are not sales.
In comparison, the GDPR aims to control any organization that decides how and why it will process personal data – whether it is a large corporation, a nonprofit organization established in the European Union, or any organization outside the EU processing the personal data of EU data subjects.
Therefore, if you come from a US-based company, but your website has visitors from the EU and you – or embedded third-party services like Google or Facebook – process any kind of personal data, the GDPR states that you must first obtain prior consent from the user.
2) How do they define “personal” information?
The CCPA defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Accordingly, the CCPA also treats as personal information data that might not seem personal at all. Generally, this includes someone’s behavior as a consumer, such as preferences, characteristics, psychological trends, attitudes, or intelligence. The CPRA has brought more clarity to the category of sensitive personal information, including a strong definition and a clarification of what it means in different contexts: from bank account and login information to genetic data, sensitive health information, or sexual preference.
Similarly, the GDPR defines personal data as any information relating to data subjects directly or indirectly, which also has a variety of interpretations. Moreover, the GDPR recognizes a special data category called sensitive personal data, which includes information about the racial or ethnic origin of the data subjects, their political opinions, religious beliefs, and information about physical and mental health, or sexual life. This special category prohibits organizations from processing sensitive data unless specific requirements are met.
3) Who requires prior consent?
Since the GDPR came into effect, all websites, companies, and businesses that aim to process personal data in the EU need the consent of the data subject. California residents can use the right to opt out – and request that businesses stop selling their personal information to third parties. Therefore, businesses should include a Do Not Sell My Personal Information link on their website’s homepage to comply with the CCPA. The Attorney General has clarified that the methods businesses use for registering opt-out requests shall be easy for consumers to execute and require minimal steps, according to the company WireWheel. Therefore, companies shouldn’t use methods that may subvert or impair a consumer’s decision to opt out.
In addition, the CCPA requires businesses to post a notice on their websites that informs users about data collection. This notice lists the categories of information collected and the purposes of collection, and it should be read by users before they start any activity on the website. Furthermore, the CPRA has just added a right to opt out of automated decision-making technology and has strengthened opt-in rights for minors.
4) What unique rights apply if you need to comply with both?
Besides the right to opt out, the CCPA establishes a unique right to non-discrimination: denying goods and services, charging different rates, or providing lower-quality services to consumers who exercise their rights is forbidden, and everyone has an equal right to opt out. It also provides the right to designate an authorized person or corporate entity to exercise the rights granted under the CCPA.
One of the GDPR-specific rights is the right to rectification, which allows people to ask organizations to correct inaccurate or incomplete records of personal data and to restrict further processing if the data have been unlawfully processed or are no longer needed. Moreover, the GDPR interferes with algorithms by permitting decision-making by automated means only under certain conditions. This might apply to recruitment aptitude tests, which use pre-programmed (and discriminatory) algorithms and criteria. This right has recently become a part of the California data privacy landscape, after the adoption of the CPRA.
5) Do you need a DPO?
According to the GDPR, the majority of data controllers and data processors must appoint a data protection officer (DPO) who will oversee the organization’s data protection strategy and its implementation to ensure compliance with GDPR requirements. The DPO is also a contact point for data subjects in case of any complaints.
By contrast, the CCPA does not require companies to appoint a DPO or another designated employee to deal with compliance and data protection. Nevertheless, many companies are willing to hire an arbitrator to monitor data processing and the protection of consumers' rights.
6) How quickly do you have to respond?
Under the GDPR, you have one month to respond to data subject requests, or you can extend the deadline to two months if you notify the data subject. The CCPA specifies 45 days, and businesses may exercise one 45-day extension when reasonably necessary and if the consumer is notified within the first 45-day period. The CCPA also does not require companies to report security breaches within a narrow 72-hour window as the GDPR does. On the other hand, even though the CCPA does not set a timeline, it says that the disclosure shall be made in the most expedient time possible and without unreasonable delay. So, postponing any report is not a good idea.
7) How high are the potential fines?
No one likes fines, but if you break the GDPR or the CCPA rules, you can't avoid them. GDPR fines can reach up to €20 million (over USD $24 million) or 4% of annual global turnover. Under the CCPA, the maximum charge per violation is $7,500 for intentional violations and $2,500 per additional violation. It may seem significantly less, but consumers can also file class-action lawsuits against businesses seeking compensation of $100 to $750 per consumer and per incident – and if you take into account the amount of consumer data companies may work with, the price gets higher. Moreover, the CPRA increases fines to $7,500 for each violation of the CPRA involving the personal information of consumers under the age of 16.
8) How are these laws enforced?
In California, financial penalties have been issued by the Attorney General of California, but the CPRA is going to establish the California Privacy Protection Agency (CPPA) with a 5-person board that should appoint a Chief Privacy Auditor to conduct audits of businesses. This institution will now have full administrative power, authority, and jurisdiction to implement and enforce the CPRA, according to the WireWheel company. In the European Union, the GDPR is administered by national data protection authorities; each member state has its own authority dealing with data breaches and lack of compliance. These entities also have the power to advise organizations on complying with the GDPR.
That will be the task for the new Californian agency as well. The CPPA should promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale, and disclosure of personal information. Therefore, it will provide both consumers and businesses with guidelines regarding their duties under the CPRA. It also has the power to award grants from its budget for educational purposes.