CCPA vs GDPR: How is CCPA different from GDPR?

Importance of Data Protection Regulations

With every business and individual moving online, data has become extremely valuable. The means of collecting distinct categories of personal data are also advancing at an alarming pace. Irresponsible or unauthorized collection, management, or processing of information can be disastrous for individuals (data subjects) as well as for companies. It is therefore crucial to have data protection regulations in place and to comply with them. Non-compliance may bring hefty monetary or other penalties. The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two such regulations.

GDPR went into effect on 25 May 2018 and CCPA came into effect on 1 January 2020. Both regulations aim to give people strong protection over their personal data. Both apply to in-scope businesses that collect, use, or share consumer data, regardless of the collection method (online or offline).

The two laws share many similarities, including the definition of certain terms, a right to access personal data, and additional protections for individuals under 16 years of age.

CCPA differs from GDPR in several significant ways, such as the rules on accountability, the extent and nature of the limits on data collection, and the scope of application. Let us dig into these similarities and differences in detail. This information will help you stay up to date with the latest laws and regulations and revise your business policies accordingly.

Image Credit: Riskonnect

Similarities & Differences between CCPA and GDPR

Similarities in Scope — Personal, Territorial & Material

  • Both the CCPA and the GDPR have extraterritorial scope.
  • GDPR and CCPA both protect individuals as natural persons, not legal persons.
  • Under both regulations, a controller or a covered business is defined by the fact that it determines the purposes and means of processing.
  • GDPR and CCPA may apply to businesses providing services to law enforcement or national security agencies, but neither applies to law enforcement or national security activities themselves.

Differences in Scope — Personal, Territorial & Material

  • Any organization that fits the CCPA’s definition of a business (for example, one that annually buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices; has annual gross revenue above $25 million; or derives half or more of its annual revenue from selling the personal information of California residents) is obligated to comply with the CCPA. GDPR applies to data controllers (websites and companies) that are established in the EU, or that offer goods or services to, or monitor the behaviour of, individuals in the EU.
  • CCPA protects individuals who fall under its definition of a consumer, meaning a California resident. It covers only individuals who are in California for other than a temporary or transitory purpose (and Californians who are temporarily outside the state), not visitors. GDPR protects any individual (data subject) who is in the European Union at the time of data collection or processing.
  • CCPA applies only to for-profit businesses, while GDPR applies to data controllers whether they are for-profit or not.

Similarities in Definitions

  • GDPR and CCPA both define Personal Data broadly.
  • GDPR and CCPA both have a similar definition of “pseudonymisation”: the processing of personal information in a manner that it can no longer be attributed to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.
  • GDPR defines a data controller as a body that determines the purposes and means of processing consumers’ personal information. CCPA has a similar definition of a business (a for-profit entity).
  • GDPR’s data processor and the CCPA’s service provider are both defined as an entity that processes data on behalf of the controller or the CCPA-covered business, respectively.
  • Both regulations allow individuals to bring an action against the processor or service provider where it has failed in its own obligations (for a CCPA service provider, its contractual obligations).
  • Neither GDPR nor CCPA defines a child. However, both add a consent requirement for people under 16: under GDPR, a child’s consent to an information society service must be given or authorised by a parent below the age of 16 (member states may lower this to 13); under CCPA, opt-in consent is required before selling the personal information of a consumer under 16 (the consumer’s own consent for ages 13 to 15, a parent’s or guardian’s for under 13).
  • The CCPA and GDPR both define the term research broadly. Both provide for further processing of data if it is compatible with the initial purpose.

Differences in Definitions

  • GDPR has a specific definition of sensitive data (special categories of data) and prohibits processing such data unless one of the specific exemptions applies. The CCPA defines “biometric information,” which overlaps with parts of the GDPR’s definition of sensitive data (for example DNA, fingerprints, and iris scans), but the CCPA does not create an extra protective scheme for this category of data.
  • Under GDPR, if the data subject provides additional information that enables identification, the controller must re-identify the data in order to comply with the data subject’s rights requests. Under CCPA, a business is not required to re-identify or otherwise link information that is not maintained in a manner that would be considered personal information.
  • Under GDPR, data processors are obligated to keep records of processing activities, implement appropriate technical and organizational data protection measures, assist the controller with data protection impact assessments, appoint a data protection officer where required, and notify the data controller without undue delay in case of a data breach. Under CCPA, the service provider may not retain, use, or disclose a consumer’s personal information for any purpose other than the business purpose specified in its contract.
  • The CCPA provides an exception for businesses that did not have actual knowledge of a child’s age (a business that wilfully disregards the consumer’s age is deemed to have actual knowledge). GDPR provides no such exception for a controller that is unaware it is providing services to a child.
  • GDPR applies to clinical trials. CCPA exempts information collected as part of clinical trials conducted under federal human-subject protection rules.

Similarities in Legal

Differences in Legal

Similarities in Rights

Right to Erasure:

  • Under both the GDPR and the CCPA, individuals can request the deletion of their personal information unless an exception applies.
  • Under GDPR and CCPA, the scope of this right is not limited to the data controller or business but also reaches third parties, such as recipients, data processors, sub-processors, or those to whom the data has been sold or passed on. The right can be exercised free of charge.
  • Both the GDPR and the CCPA require the data controller or business to have mechanisms in place to verify that a request is made by the individual whose personal data is to be deleted.
  • Under GDPR and CCPA, the privacy notice must inform consumers that they are entitled to ask for the deletion of their personal information.

Right of Access:

Right not to be subject to discrimination for the exercise of rights:

Right to data portability:

Right to Information:

Right to object (right to opt-out)

  • Under GDPR, the data controller must stop processing the subject’s personal data unless it demonstrates compelling legitimate grounds to continue. Under CCPA, the consumer can opt out of the sale of their personal information, after which the business may not sell it (and must wait at least 12 months before asking the consumer to opt back in).
  • Under CCPA, businesses must use the language prescribed by the statute: the homepage of their website must carry a clear and conspicuous link titled ‘Do Not Sell My Personal Information.’ GDPR imposes no such wording requirement.

Similarities in Enforcement

  • Both laws provide for monetary penalties in cases of non-compliance.
  • Both the GDPR and the CCPA give individuals a cause of action to seek damages where a failure in security measures leads to a data breach.

Differences in Enforcement

  • Under GDPR, administrative fines can be issued directly by a data protection (supervisory) authority. Under CCPA, civil penalties are imposed by a court.
  • Under CCPA, a civil penalty of up to $2,500 per violation, or up to $7,500 per intentional violation, can be levied; the exact amount depends on the violation. Under GDPR, depending on the violation, the fine may be up to either 2% of global annual turnover or €10 million, whichever is higher, or 4% of global annual turnover or €20 million, whichever is higher.
  • Under GDPR, data protection authorities have investigatory and corrective powers. Under CCPA, the attorney general investigates alleged violations and brings an action before the court for civil penalties and injunctions.
  • Any violation of GDPR can ground a claim for judicial remedies, and data subjects can claim both material and non-material damages. Under CCPA, the private right of action is available only when nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures; the consumer may recover statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.

Originally published at https://www.techaheadcorp.com.

Written by TechAhead | App | AI | Web | Cloud |