On January 1, 2020, California passed the California Consumer Privacy Act (CCPA), marking the first intensive state-wide privacy legislation in the US. The CCPA followed the traction of the European General Data Protection Regulation (GDPR) that passed on May 25, 2018. Both the CCPA and the GDPR give individuals the right to be informed, the right to access, and the right to portability, meaning the flexibility to transfer or delete information. Beyond requiring access, transparency, and deletion, the acts necessitate contracts between businesses, service providers, and individual users that have hugely impacted online data and security. While the two laws share fundamental components, the scope and impact of the CCPA and GDPR present crucial differences. These differences are most apparent in regards to their focus and company requirements, compliance, guaranteed rights, the scope of personal data and user consent, and penalties of non-compliance.
While the primary components of the two acts overlap in regards to user privacy, their focuses diverge. The GDPR concentrates on creating a ‘privacy by default’ legal framework for the EU. On the other hand, the CCPA aims to enforce transparency in California’s data economy for its users. The GDPR creates a door for EU users to lock prior to data processing while the CCPA creates a window for Californian users to open and understand the use of their data. Furthermore, under the GDPR, websites, companies, and businesses must have a legal basis for processing personal data. Contrarily, under the CCPA, businesses, and websites do not need prior consent before processing or selling their data. The two acts vary in how they protect companies, websites, and users, and more specifically, which parts of data processing they target.
In terms of compliance, the GDPR requires that any business that processes the data of EU citizens or residents follows its regulations. This includes, for example, that a website in California that has EU users must comply with the GDPR’s requirements for personal data processing. The CCPA applies to companies with over twenty-five million in annual revenue, earns more than half of its revenue by selling personal consumer data, and buys, receives, shares, or collects the personal information of over fifty thousand Californian customers for commercial purposes.
Under the GDPR and CCPA, the companies that comply with the aforementioned requirements must guarantee certain rights to their users. Under the GDPR, users have the right to access, rectification, erasure, restriction of processing, data portability, and not to be subject to decisions based on automation. Under the CCPA, users have the right to solicit their information, to opt-out of the sale of their data, and to request its deletion. The two regulations vary most in their guarantees of access, deletion, and opting-out.
While the GDPR allows users to know how long their information has been retained, the CCPA enables users to access personal data and how it is being used, but only within the previous twelve months. While the GDPR ensures the deletion of all data concerning a given subject, the CCPA’s right to deletion only applies to data collected from the consumer. Lastly, unlike the GDPR, the CCPA grants users the option to opt-out of a business’s data collection at any time.
The similarities and differences of the GDPR and CCPA are distinguished by the basic definition of data collection, selling, and processing. Both the GDPR and CCPA define personal data as any information that can directly, or indirectly, represent an identifiable person (neither law covers anonymous data). The GDPR considers the processing of personal data to be any action performed on a data subject’s information, which includes the initial act of collecting user data, structuring and storing information, making it available for others to access, and its removal. In contrast, the CCPA splits its data-relevant terminology into separate definitions: collecting, meaning the gathering of personal information through any method; processing, which is when collected data is acted upon further; and selling, as in any transfer or disclosure of personal information.
The penalties of non-compliance vary under the two acts. Under the GDPR, companies must pay a fee of up to four percent of their gross annual revenue or twenty million euros. Under the CCPA, the resulting penalty is up to seven hundred fifty dollars per person, per violation. While the scope of these two sanctions is incomparable given the differing populations, governments, and economies of the EU and California, both GDPR and CCPA have harsh violation penalties, rendering them a force to not be overlooked.