GDPR and CCPA – Two Approaches to Privacy
This post compares the EU’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act of 2018 (“CCPA”).
It includes much of a Quora answer that I wrote on this topic. Please see How does the California Consumer Privacy Act of 2018 compare to GDPR?
Disclaimer: This comparison, of necessity, is limited to the broadest generalizations. While the California Consumer Privacy Act of 2018 (“CCPA”) is of a respectable length, the EU’s General Data Protection Regulation (“GDPR”) has 99 Articles, most with several Sub-articles – and that’s preceded by 173 lengthy paragraphs of recitals! Consequently, most of what follows is, in reality, subject to significant additional details, qualifications and exceptions that are too numerous to include here.
Now available for download: A four-page GDPR-CCPA comparison table that includes many more details than are in this post.
Where GDPR and CCPA Are Similar
Who is Protected
Both protect identifiable natural persons within their jurisdictions (CCPA “consumers”, GDPR “data subjects”).
Information that Is Protected
GDPR protects “personal data”: any information relating to an identified or identifiable natural person (the data subject).
CCPA protects “personal information”: information that identifies, relates to, or could reasonably be linked with a particular consumer or household, but excludes publicly available information that is lawfully made available from government records.
Where GDPR and CCPA Are Different
Effective Date
The GDPR already has taken effect (as of May 25, 2018).
The CCPA is scheduled to take effect on January 1, 2020 (and could be amended before then).
Who Must Comply
CCPA: For-profit “businesses” that do business in California, collect consumers’ personal information, determine the purposes and means of its processing, and meet at least one size threshold (annual revenue, number of consumers, households or devices whose personal information is handled, or share of revenue derived from selling personal information).
GDPR: “Controllers” that determine the purposes and means of the processing of personal data, and “processors” that process personal data on behalf of controllers.
Most Important Rights of Protected Individuals
CCPA:
- To request that a business disclose to the consumer the categories and specific pieces of personal information the business has collected, the sources of that information, and the third parties with which it was shared
- To request that a business delete any personal information about the consumer
- To direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information
GDPR:
- To be informed at the time of collection: the controller must identify itself and provide contact information; explain the purposes of and the legal basis for processing the personal data; identify the recipients of the personal data; state how long the data will be stored; and explain the data subject’s rights to access, rectify or erase personal data, to restrict or object to processing, and to data portability
- When data have not been obtained from the data subject, the right to know the source of the personal data, including whether from a publicly accessible source
- The right to access personal (and related) data from the controller
- The right to rectify personal data and to complete incomplete personal data
- The right to have personal data erased
- The right to restrict processing of personal data
- The right to receive a machine-readable copy of personal data and transmit it to another controller
Most Important Enforcement Mechanisms
CCPA:
- Consumer civil suit (available only for a data breach that results from the business’s failure to implement and maintain reasonable security procedures, not for other CCPA violations): Statutory damages of $100 to $750 per consumer per incident, or actual damages if greater; injunctive or declaratory relief; other relief; statutory damages or class action only if the business does not cure within 30 days of receiving notice of violation
- Attorney General must be notified and has the right to pre-empt or quash the suit.
GDPR:
- Right to an effective judicial remedy against a supervisory authority
- Right to an effective judicial remedy against a controller or processor
- Right to receive compensation from the controller or processor for damage suffered
- Imposition of administrative fines by supervisory authorities, for the most serious infringements up to €20 million or 4% of total worldwide annual turnover, whichever is higher
Summary
As concerns who is protected and the information that is protected, GDPR and CCPA are in the same ballpark.
As concerns the rights of protected individuals and enforcement mechanisms, GDPR goes far beyond CCPA.
Existing California law focuses on the need for privacy policies, and their content, rather than substantive privacy requirements. Please see If You Want Personal Info from CA Residents, You Need a Privacy Policy.
Dana H. Shultz, Attorney at Law +1 510-547-0545 dana [at] danashultz [dot] com
This blog does not provide legal advice and does not create an attorney-client relationship. If you need legal advice, please contact a lawyer directly.