The General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the California Consumer Privacy Act of 2018 (‘CCPA’) both aim to guarantee strong protection for individuals regarding their personal data and apply to businesses that collect, use, or share consumer data, whether the information was obtained online or offline.

The General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, is one of the most comprehensive data protection laws in the world to date. Absent a comprehensive federal privacy law in the U.S., the California Consumer Privacy Act (CCPA) is considered to be one of the most significant legislative privacy developments in the country. Like the GDPR, the CCPA’s impact is expected to be global, given California’s status as the fifth largest global economy. The CCPA will take effect on January 1, 2020, but certain provisions under the CCPA require organizations to provide consumers with information regarding the preceding 12-month period, and therefore activities to comply with the CCPA may well be necessary sooner than the effective date.

Understanding the Key Differences Between GDPR & CCPA

While the CCPA bears a resemblance to the GDPR, there are several notable differences, and companies should not assume that GDPR compliance means CCPA compliance.


Under GDPR, the definition of personal information (or PII) is limited to only information relating to the customer (and does not include information or data that relates to his or her household).


GDPR requires disclosure of, among other things, the identity and contact information of the controller entity, the purpose and legal basis of processing, legitimate interests (if applicable), recipients of the personal data, and whether the controller intends to transfer data to a third country.


GDPR sets out six grounds that give the data subject the right to request deletion (i.e., data no longer necessary, consent withdrawn, objection made, unlawful processing, compliance with EU law, data collected in relation to the offer of services to a child).


Under the GDPR, the right of portability is not absolute. It applies only if the lawful basis for processing the information is consent or contractual necessity.



Under the CCPA, the definition of personal information (or PII) includes information that relates to the consumer or his or her household. Further, unlike the GDPR definition, the CCPA personal information definition includes inferences drawn from data.


Under the CCPA, businesses are required to disclose and deliver the sources of information, the categories of information and the specific pieces of consumer information that are collected, sold or disclosed for a business purpose, as well as provide special notice to a particular consumer (above and beyond the privacy policy).


Under the CCPA, the consumer holds the right to make a deletion request for any reason and at any time. 


Under the CCPA, once the consumer’s request has been verified, the business must disclose and deliver free of charge the required information within 45 days of receiving the verifiable request. The information is to be delivered in a readily useable format so that the consumer may readily transfer his or her information to another business.

