The California Consumer Privacy Act (CCPA) is a state-wide data privacy law regulating how businesses handle the personal information of California residents. It is the first law of its kind in the United States, and lawmakers are currently trying to make this law universal for all states. The General Data Protection Regulation (GDPR) is a regulation requiring businesses to protect the personal information and privacy of European Union (EU) citizens for transactions occurring within EU member states. Both the CCPA and the GDPR deal with protecting personal data, but they differ in many ways.
Neither the CCPA nor the GDPR requires you to be based in the area the law governs, so your business does not need to be physically located in the EU for the GDPR to apply or in California for the CCPA to apply. Their disclosure requirements and definitions of personal data are similar. Both require you to comply with a customer's request to access the data you hold about them. Under both laws, customers have the right to have their information deleted from the organization's database.
Both have disclosure and information requirements that need to be incorporated into privacy policies and followed. The CCPA is more expansive about disclosing how you use data and to whom it is sent, but it was built on the foundation of the disclosure requirements in Articles 13 through 15 of the GDPR.
Both the CCPA and the GDPR state that businesses must implement cybersecurity measures to protect personal data, but neither provides specific guidance on what those measures should be. As cybersecurity advisors, we recommend defense-in-depth protection measures so that you do not put at risk the privacy of the data you are responsible for protecting.
When it comes to user control, differences between the GDPR and the CCPA start to appear. The GDPR directs that businesses only collect and process data on at least one of the six lawful bases defined in the legislation. Many companies rely on user consent as that basis, since users have the right to opt out of having their data collected before a business collects it.
The CCPA, however, allows the collection of data without consent but gives the customer the right to opt out of having their personal information sold. This part of the law has been controversial, but it does give consumers the power to stop companies from selling their data.
Penalties for violating the two laws also differ. For violations of the GDPR, fines can reach 4% of a company's annual gross revenue or 20 million euros. CCPA penalties range from $2,500 per violation to $7,500 per violation when the non-compliance is intentional.
Under the GDPR, any website, organization, or company processing the personal information of individuals inside the EU must comply. Under the CCPA, only companies or for-profit organizations that meet the law's definition of a business need to comply. To meet that definition, a business must satisfy at least one of three thresholds: annual revenue of at least $25 million; collecting, sharing, buying, or selling the data of more than 50,000 Californian consumers; or making at least 50% of its revenue from selling Californian consumer data.
To remain CCPA compliant, you must inform consumers of the types of personal information being collected, stored, or processed, and you must clearly state the purpose of and reason for collecting that data. You must also implement appropriate measures to respond to individual consumer requests regarding their personal information.
To be compliant with the GDPR, you must state what your business does, how individuals can contact you, and why you are processing their personal data, and you must implement appropriate measures to respond to individual requests.
The GDPR specifies additional requirements for companies handling health data, while the CCPA does not. In the US, the Health Insurance Portability and Accountability Act (HIPAA) addresses the security and privacy of protected health information, and other US regulations also affect health information and its privacy.
In addition, the GDPR imposes stringent governance requirements, such as appointing data protection officers and carrying out assessment processes. The CCPA contains no such governance requirements.
As you can see, both acts are similar in what they protect but different in how they do it. Both are essential to know, as non-compliance with either can land your business in legal trouble. Even if you do not do business in California, it would be smart to stay informed about this new law, since lawmakers are working on making the CCPA universal. Your consumers are gaining more rights, which makes it easier for a business to be negligent, and it is your job to make sure you honor those rights, so please, stay informed.