The General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act of 2018 (“CCPA”) share the same objective: to give individuals adequate protection with respect to the processing of their personal data.
Both the GDPR and the CCPA apply to persons who, in the course of providing their products or services, collect, share or otherwise process the personal data of individuals (i.e. their customers and consumers), whether that data is obtained online or offline.
The GDPR is currently one of the most comprehensive personal data protection laws in the world. In contrast, there is no comprehensive federal privacy law in the United States; the CCPA is a state law of California. Its purpose is therefore not to protect the privacy of all American consumers, but only that of Californians.
Below we will compare the main provisions of the GDPR and the CCPA to help you ensure compliance with both regulations.
1. Application – Who is Covered by GDPR and CCPA?
The GDPR applies to natural and legal persons, public authorities, agencies, non-profit organisations and other entities established in the EU that process the personal data of natural persons (data subjects), regardless of whether the processing itself takes place in the EU. It also applies to entities that are not established in the EU but offer goods or services to, or monitor the behaviour of, data subjects who are in the EU (e.g. an American startup that offers its services to users in the EU); what matters is where the data subjects are, not their citizenship.
In contrast, the CCPA applies only to for-profit businesses that do business in California, collect the personal information of California residents (consumers), and meet at least one of three thresholds: annual gross revenues above $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more California consumers, households or devices per year; or deriving 50% or more of annual revenue from selling consumers' personal information. A business therefore does not have to be based in California to be covered, but a small business below all three thresholds is not.
The GDPR does not apply to personal data processed by a natural person in the course of a purely personal or household activity. The CCPA goes further: in addition to its revenue and volume thresholds, it does not cover protected health information already governed by HIPAA, publicly available information, or personal information that is already collected or processed under certain sector-specific laws (e.g. the Gramm-Leach-Bliley Act for financial institutions).
It follows that the GDPR is the more universal piece of legislation and applies to a larger number of entities than the CCPA.
2. Personal Data – What Data Do GDPR and CCPA Cover?
Under the GDPR, personal data means any information relating to an identified or identifiable natural person (the “data subject”). A person is identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier (e.g. an IP address or a cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
The CCPA approaches personal information in a similar way: it covers information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The explicit inclusion of households is a point the GDPR, which protects natural persons only, does not share.
Overview of personal data covered and not covered under the GDPR and the CCPA:

| | Under GDPR | Under CCPA |
|---|---|---|
| Personal data covered | Basic identifiers of a natural person (e.g. name, identification number, contact details); location data; biometric data; online identifiers (e.g. IP address, cookies) | Basic identifiers of a natural person (e.g. name, insurance or driving licence number, IP address); location data; biometric data; commercial and internet-activity information (e.g. purchase history, browsing history, interactions with a website) |
| Data not covered | Anonymised data, i.e. data that can no longer be used to identify a person (pseudonymised data remains personal data, because it can be re-linked to a person with additional information) | Protected health information already governed by HIPAA; publicly available information (lawfully obtained from government records); deidentified and aggregate consumer information (pseudonymised data is not excluded and remains personal information) |
3. Processing of Personal Data by Third Parties – What are the Conditions?
Both laws regulate, in a similar way, the processing of personal data by a third party (a processor under the GDPR, a service provider under the CCPA) on behalf of the entity that originally obtained the personal data from the individual (a controller under the GDPR, a business under the CCPA). In both cases the two entities must conclude a written contract with prescribed content in advance (controller and processor under the GDPR, business and service provider under the CCPA), and only under such a contract may the third party process the personal data.

| Under GDPR | Under CCPA |
|---|---|
| Relationship between the controller and the processor: the processor processes the personal data of data subjects on the basis of a written contract (or other legal act) that meets the requirements of Article 28 GDPR | Relationship between the business and the service provider: the service provider processes personal information under a written contract that prohibits it from retaining, using or disclosing the information for any purpose other than performing the contracted services |

The third party's other obligations, however, differ. Under the GDPR the processor's list of obligations is relatively extensive: it must, for example, (i) maintain a record of its processing activities, (ii) implement appropriate technical and organisational measures to protect the data, (iii) notify the controller without undue delay after becoming aware of a personal data breach, and (iv) in some cases designate a data protection officer. The CCPA imposes no comparable list on the service provider. Its basic obligation is contractual: it may retain, use or disclose the personal information only for the specific purpose of performing the services specified in the contract with the business to which the CCPA applies. Consumer requests are likewise routed through the business: the service provider is not obliged to act on a request made directly by a consumer exercising CCPA rights, only on the instructions of the business.
4. Legal Basis – on What Basis Can Personal Data be Processed Lawfully?
The GDPR provides six legal bases on which personal data may be lawfully processed: the data subject's consent, performance of a contract with the data subject, compliance with a legal obligation, protection of vital interests, performance of a task carried out in the public interest, and the legitimate interests of the controller or a third party. Processing for which no legal basis applies is unlawful. The bases most commonly relied on are (i) consent, (ii) the performance of a contract between you and the data subject, and (iii) a legal obligation (e.g. a national Labour Code may require an employer to process data on an employee's qualifications and professional experience, and other data relevant to the work the employee is to perform).
The CCPA does not set out legal bases that a business must rely on. It works instead through notice and opt-out: a business may collect and use personal information provided it informs consumers, at or before the point of collection, which categories of data it collects and for what purposes; consumers may then opt out of the sale of their personal information (the business must offer a “Do Not Sell My Personal Information” link) and may separately request that their data be deleted.
5. Rights of Data Subjects – What Are My Rights under the GDPR and the CCPA?
Both the GDPR and the CCPA grant individuals a number of rights that they can exercise against the entity that decides on the processing of their personal data (the controller under the GDPR, the business under the CCPA; processors and service providers assist in fulfilling requests but answer to the controller or business rather than to the individual). These include:
- The right to be forgotten (erasure) – Under the GDPR this can be exercised in specific cases, e.g. where the data subject withdraws consent and there is no other legal basis for the processing, where the data have been unlawfully processed, or where the data are no longer necessary for the purpose for which they were collected. The right is not absolute: the controller may refuse where an exception legitimises further processing, such as processing necessary to comply with a legal obligation, for reasons of public interest in the area of public health, for archiving purposes, or for research in the public interest. The CCPA, by contrast, does not limit the cases in which a consumer may request deletion; a consumer may always ask a business to delete the personal information it collected from them, but the business may refuse where a statutory exception applies, e.g. the data are needed to complete the transaction for which they were collected or to perform a contract with the consumer, to detect security incidents and protect against fraudulent or illegal activity, or to comply with a legal obligation.
- The right to withdraw consent to the processing of personal data – Under the GDPR this can be exercised whenever the processing was based on consent; withdrawal does not affect the lawfulness of processing carried out before it.
- The right to object to the processing of personal data – Under the GDPR this includes the right to object to processing carried out for the performance of a task in the public interest or on the basis of the controller's legitimate interests (and, without restriction, to processing for direct marketing); under the CCPA it takes the form of the right to opt out of the sale of personal information.
- The right of access to personal data – Under the GDPR, the right to obtain confirmation that data are being processed and a copy of the data held by the controller; under the CCPA, the right to have a business disclose, free of charge, the categories and specific pieces of personal information it has collected about the consumer, its sources, the purposes of collection, and the categories of third parties with which it was shared.
- The right not to be discriminated against for exercising one's rights – This right is expressly granted only to California residents under the CCPA (e.g. a business may not deny goods or services, or charge a different price, because a consumer exercised a CCPA right).
- The right to portability of personal data – Both laws allow individuals to obtain their data in a structured, commonly used and machine-readable format so that it can be transferred to another provider; under the GDPR this is a standalone right covering data the data subject provided and that are processed on the basis of consent or contract, while under the CCPA it is part of the right of access (the data must be delivered in a portable and, to the extent technically feasible, readily usable format).
- The right to be informed about the processing of personal data – Entities that process personal data must inform the individuals concerned about that processing (under the GDPR through a privacy notice given at the time of collection; under the CCPA through a notice at or before the point of collection and a privacy policy updated at least once every 12 months).
6. Enforceability and Sanctions for Breaches of the GDPR and the CCPA
Both regulations provide for financial penalties in the event of a breach. However, the nature of the sanctions, their amount and the procedure by which they are imposed differ significantly.
A breach of the GDPR leads to administrative proceedings in which the competent supervisory authority may impose, depending on the nature and gravity of the breach, an administrative fine of up to EUR 20 million or 4% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher. A lower tier of up to EUR 10 million or 2% applies to breaches of the controller's and processor's own obligations, including the duty to implement appropriate security measures and to notify personal data breaches.
A violation of the CCPA, in contrast, is pursued in a civil action brought by the California Attorney General, who may seek a civil penalty of up to $2,500 per violation, or up to $7,500 per intentional violation. In other words, an intentional violation of the rights of, say, 1,000 consumers could expose you to penalties of up to $7.5 million. In addition, consumers have a private right of action where their non-encrypted and non-redacted personal information is subject to a data breach caused by the business's failure to implement reasonable security measures, with statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.
7. Conclusion
It is clear that both the GDPR and the CCPA are extensive pieces of legislation whose main objective is the protection of individuals with regard to the processing of their personal data. However, due to the geographical and cultural differences between the EU and the United States (California), these regulations strive to achieve this goal in different ways despite some overlaps. In order to prepare the necessary documents according to the GDPR and the CCPA, as well as to comply with this legislation, we recommend contacting experienced data protection advisors.
Contact Sparring, we are here for you 🙂