What are GDPR and CCPA?
What is the General Data Protection Regulation (GDPR)?
GDPR is a regulatory law created and enforced for the purpose of protecting the personal data of citizens across the European Union.
Any company, residing in the EU or not, must achieve GDPR compliance when handling (even in passing) the data of EU citizens and organizations.
Non-compliance with the GDPR may result in fines. The highest fine can get to €20 million or 4% of the annual revenue of the company. The highest of the two rates applies.
What is the California Consumer Privacy Act (CCPA)?
CCPA is a regulatory law created and enforced for the purpose of protecting the data of California citizens.
CCPA regulations require that organizations inform consumers about how they use the consumer’s data. Organizations are also required to provide consumers with controls over usage of their data.
The purpose of the CCPA is to inform consumers when and if their private information is being sold to third-parties and provide consumers with a way to opt-out.
In this article, you will learn:
- What are GDPR and CCPA?
- CCPA vs GDPR: 4 Key Differences
- Consumer Rights: Differences and Overlaps
CCPA vs GDPR: 4 Key Differences
CCPA is usually compared to GDPR because both laws share common agendas. CCPA and GDPR aim to give individuals rights that enable them to control how their private information is used.
Both laws enable citizens to access and delete their personal information, gain information on how their data is used. Another common regulation is mandating contracts between service providers and organizations.
However, while the CCPA may seem similar to the GDPR, there are four critical differences between the two acts.
Businesses that Must Comply
GDPR regulations apply to all companies processing the data of EU citizens. The location or size of the company does not matter.
CCPA regulations only apply to California-based companies generating a revenue of $25 million or more, or companies selling personal information. The latter criteria was created in response to the Facebook-Cambridge Analytica scandal.
The GDPR enforces fines for data breaches as well as non-compliance. Fines can reach 4% of the company's annual global turnover, or €20 million (whichever is higher). In addition to fines, there are administrative levies .
The CCPA imposes fines for each violation. There doesn’t seem to be any sanction for non-compliance. Fines cannot exceed $7500 per violation and there is no cap.
The CCPA determines violations only when a breach occurs, whereas the GDPR enforces sanctions when a company is at risk of being breached or conducts irresponsibly.
Opt-out vs Opt-in
According to the GDPR, there are six lawful bases for processing the personal data of EU citizens and residents, but the CCPA does not acknowledge any lawful bases for processing data.
GDPR compliance requires companies to account for lawful bases when processing the data of EU citizens, while CCPA compliance lets companies process data unless individuals exercise their right to opt-out.
CCPA opt-out rights are not applicable to any and all data processing. Rather, CCPA opt-out applies only to the selling of personal data of California consumers.
CCPA applies the term “selling” when personal data is transferred to third parties, including giving access to the data, sending the data, releasing the data, communication related to the data, and more, in exchange for monetary value.
On the other hand, GDPR requires that consumers opt-in for any type of data processing, especially when pre-defined lawful bases are not applicable. This gives people more control over the processing of their data.
Exclusion of Data
When comparing CCPA and GDPR, it is important to note that while GDPR is applied to all data of EU citizens, the CCPA is applicable only to specific data types.
Here are data types excluded from the CCPA:
- Medical information.
- Information collected as part of a clinical trial, including research related to treatment or tests conducted on human subjects.
- Personal information under the Gramm-Leach-Bliley Act -Financial Services Modernization Act of 1999
- Selling information to or from consumer reporting agencies. These are independent companies collecting, compiling, and reporting on personal but freely available credit activity, and selling this information to lenders or credit entities investigating the creditworthiness of people applying for credit.
- Personal information under the Driver’s Privacy Protection Act. This is a US federal statute governing the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles.
- Personal information available publicly.
Consumer Rights: Differences and Overlaps
Differences in Consumer Rights Between CCPA and GDPR
Both regulations endow the consumer with specific rights but there are marked differences that should be noted by any company handling private data. Key aspects are summarized in the below table.
The right to opt out
According to the CCPA, consumers can refuse the disclosure of their private information to third party entities.
The right to opt out applies to any data transaction that benefits the company, whether it is of monetary value or otherwise.
The right to rectification
The GDPR grants individuals the right to tell organizations to rectify inaccurate and incomplete records of personal information.
The right to non-discrimination
The CCPA prevents companies from discriminating against consumers, if and when consumers exercise their privacy rights.
According to the CCPA, companies are not allowed to deny goods and services, charge different rates, or provide lower quality services to consumers who opted out or asked to delete their personal information.
The right to restrict processing
According to the GDPR, individuals can restrict how their personal data is processed. This right is applicable in cases when:
● The data is inaccurate.
● Private data was processed unlawfully.
● The organization doesn’t need the data anymore.
However, restricting data processing does not restrict archiving personal data.
The CCPA enables consumers to ask authorized agents to interact with companies on behalf of the consumer, for the purpose of making CCPA-related requests.
The right to object
The GDPR grants individuals the right to demand that organizations stop using their data for direct marketing. Organizations cannot continue processing this data, unless they have a valid reason to do so.
The CCPA mandates that organizations must inform customers if and when the organization provides financial incentives derived from the usage (including collection, sale, and deletion) of private information.
Automated decision-making and profiling
The GDPR restricts the use of automated decision-making, generated and applied by algorithms and software. This applies to a wide range of actions, including the processing of data for profiling individuals.
Overlap of Consumer Rights Between CCPA and GDPR
While there are certain differences, the two regulatory acts also overlap in certain areas. This means if you already comply with GDPR requirements, you might also be able to comply with the CCPA. Once you understand the areas of overlap, you can create a strategy that applies across areas and can help you dynamically make future changes when needed.
Here are the common aspects shared by the CCPA and GDPR:
- The right to know—CCPA requires companies to disclose, when requested, the personal information the company uses, collects, discloses and sells. The GDPR requires companies to inform individuals of certain aspects during the collections, including letting them know the purpose of using the data, for how long the data will be retained and with whom the data is shared.
- The right to access—both laws grant individuals with the right to access their personal data. Individuals can ask for copies of their personal information verbally or in writing, and organizations need to respond within a month, typically without charging fees for handling these requests.
- The right to portability—the CCPA and GDPR enable individuals to ask for their private data in formats that are machine-readable and accessible. For example, XML, JSON, and CSV files.
- The right to erasure—both laws grant individuals the right to ask that companies delete any and all personal information that was collected and stored. The GDPR adds another element, outlining various circumstances during which individuals gain the right to erase their personal information.
CCPA and GDPR Compliance with NetApp Cloud Compliance
NetApp Cloud Compliance leverages cognitive technology to discover, identify and map personal and sensitive data. Use Cloud Compliance to maintain visibility into the privacy posture of your cloud data, generate crucial data privacy reports, and easily demonstrate compliance with regulations such as the CCPA and GDPR.