CCPA vs. GDPR
- Annual revenue over $25 million
- Processes the personal information of at least fifty thousand Californians per year
- 50% or more of yearly revenues are from the sale of personal information
- Offers goods or services to, or monitors the behavior of data subjects located in the EU.
- Has a website that is accessible to anyone living in or visiting the EU.
- Easy to read and understandable to consumers.
- Use plain, straightforward language and avoid technical or legal jargon.
- Use a format that makes the policy readable, including on smaller screens, if applicable.
- Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California.
- Be reasonably accessible to consumers with disabilities.
- Be posted online through a conspicuous link using the word “privacy” on the business’s website homepage or on the download or landing page of a mobile application.
- The categories of personal information businesses collect about consumers.
- The purposes for which they use the categories of information.
- Information on identity and contact details of the controller, the controller’s representative where applicable, and the controller’s data protection officer where applicable
- The purposes of the processing
- The lawful basis of the processing
- The recipients or categories of recipients of personal data
- If the controller intends to transfer personal data outside the EU along with the mechanism used for the transfer as well as information necessary to ensure fair and transparent processing.
- Easily accessible
- In clear and plain language
- The identity and contact details of the controller, controller’s representative, and DPO, where applicable.
- The purpose and the legal basis of the processing.
- The legitimate interests pursued by the controller or by a third party where the processing is based on legitimate interest.
- The categories of personal data collected.
- The recipients of the personal data
- If the controller intends to transfer personal data to a third country or international organization where applicable, they must disclose this, along with reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
- The information necessary to ensure fair and transparent processing whether or not the personal data is collected from the data subject. This information includes the duration of data storage, the controller’s legitimate interests, and the existence of the rights to access, erasure, rectification, restriction of processing, data portability, and file a complaint with a supervisory authority.
- Infomation in case of the existence of automated decision-making, including profiling, at the time when personal data was obtained.
- The categories of personal information collected
- The categories of sources from which personal information is collected
- The business or commercial purpose
- The categories of third parties with which the business shares personal information
- The specific pieces of personal information the business holds about a consumer.
- If a business sells personal information or discloses it for business purposes, consumers have the right to request the categories of information so sold or disclosed
- The purpose of the processing
- The categories of personal data concerned
- The recipients or categories of recipients to whom personal data has been disclosed.
- The retention period or if not possible, the criteria used to determine that period.
- The existence of data subjects’ rights.
- The source of personal data where the personal data is not collected from the data subject and any available information.
- The right to file a complaint to the supervisory authority.
- The existence of data transfers
- The existence of automated decision-making.
- When the personal data is no longer necessary for the purposes it was collected.
- When consent is withdrawn by the data subject.
- When the data subject objects to data processing based on legitimate interest.
- When the data subject objects to data being processed for direct marketing purpose.
- When the personal data is unlawfully processed.
- When personal data has to be erased for compliance with a legal obligation.
- When a child wants to erase data in case of the provision of information society services to a child.
- Encryption and pseudonymization of personal data
- Ensuring integrity, confidentiality, and availability of processing system
- Restoring the availability and access to personal data promptly
- Assessing and evaluating the effectiveness of technical and organizational measures.
California's CCPA vs. Europe's GDPR
The EU’s GDPR and California’s CCPA were both drafted to give people more control over their personal data. They both impose strict requirements on you as a business when you collect data, but they take different approaches. Let's compare some of the provisions they have in common and look for key points of difference.
CCPA: January 1, 2020
GDPR: May 25, 2018
Click on the chart to view some highlights 👇
CCPA: Protects California residents, even when they are out of state. Regulates for-profit organizations doing business in California that meet any one of the following conditions:
Any company based anywhere in the world that fits under the definition of a business in the CCPA must comply with the CCPA.
GDPR: Protects persons in the EU (regardless of nationality) and regulates organizations established in the EU, as well as organizations located outside the EU if the organization:
All websites, companies and organizations (data controllers) in the world must comply with the GDPR if they offer goods or services to individuals within the EU.
Key point of difference: The GDPR applies to any website, company or organization. The CCPA does not apply to nonprofit organizations or government agencies, and may not apply to some very small companies.
Tip: Use DataMapper to find and track all the sensitive data you store about your customers and, or search a specific name or list of names (e.g., lists from a region/country).
CCPA: Fines are applied per violation, up to $2,500 per unintentional violation and $7,500 per intentional violation.
GDPR: Up to €20 million or 4 percent of worldwide turnover for the preceding financial year, whichever is higher.
Key points of difference: There is no limit set for total fines in the CCPA, so businesses found in breach could rack up fines even higher than those of the GDPR. But the GDPR allows sanctions before an actual violation, when procedures are considered non-compliant/data is deemed at risk.
Types of data protected
CCPA: Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
GDPR: Any information related to an identified or identifiable natural person. Anonymized data is excluded.
Key point of difference: The CCPA does not exclude anonymized or pseudonymized data.
Sensitive data defined
CCPA: Does not use the term “sensitive personal information"
GDPR: Sensitive data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Key point of difference: Unlike the GDPR, the CCPA does not classify certain types of data as “sensitive”. However, it does require special handling of certain items like Social Security numbers and Driver’s License numbers, genetic data, biometric data, and more.
Where is your company’s sensitive data? DataMapper quickly identifies high-risk data. It uses advanced AI and machine learning algorithms find and track all the data your team stores whether it is saved on users’ desktops, buried in email folders, or stored in the company cloud. Sensitive data is automatically sorted by risk level and you can monitor it from one dashboard.
CCPA: Does not require that your company obtain consent before collecting or using their personal information. However, consent is needed if you intend to sell the information to a third-party.
GDPR: Consent must be obtained as a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Key point of difference: While the GDPR clearly defines and requires explicit consent before processing personal data, the CCPA does not. However, the CCPA does require companies to make it easy for users to opt-out at any time.
CCPA: Businesses must provide consumers with a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information. It must be:
California consumers have the right to know about the personal information a business collects about them and how it is used and shared. Businesses must give consumers certain information in a “notice at collection” listing:
GDPR: Organizations are required to provide certain information to data subjects prior to the processing of their personal data, whether or not personal data is collected directly from data subjects. It should include:
To comply with the GDPR, all privacy notices must be:
When the processing involves a child, the information must be presented in such clear and plain language that the child can easily understand.
Data Subject Rights Fulfillment
CCPA: Businesses are responsible for verifying requestor identity. Confirm receipt of the requests within 10 business days. The deadline to respond to a privacy request is 45 days from the receipt of the consumer’s request. The deadline can be extended when reasonably necessary. Personal information disclosure requests that businesses must comply with are limited to 2 requests per 12 month period.
GDPR: Data controllers should respond to data subjects’ rights requests 'without undue delay' and usually within one month of the receipt of the request. The response time may be extended to two further months in case of complex requests.
Key point of difference: 30-day deadline for GDPR requests and a 45-day deadline for CCPA requests.
Right to be informed/Right to know
CCPA: Covered businesses will need to disclose the categories and specific pieces of personal information the business has collected about a consumer upon their request.
GDPR: Any relevant information in connection to the data processing must be given in a concise, transparent, intelligible, and easily accessible form, using clear and plain language to the data subject. Data controllers must provide:
✓ GDPR's 'Right to be informed' and CCPA's 'Right to know' are similar in principle, and both require a detailed response to the related data requests.
Right to access
CCPA: Consumers have the right to request that a business disclose:
GDPR: Data subjects have the right to obtain confirmation from the controller as to whether or not personal data is being processed and access to the personal data. GDPR states that, when responding to an access request, a data controller must indicate the following:
Requests to obtain a copy of personal information may be refused if granting it will adversely affect the rights and freedoms of others.
Right to Deletion/ Blocking/ Restriction
CCPA: The consumer has a right to request the deletion of their personal information collected by the business. The business should respond promptly to inform the consumer if their request has been fulfilled.
GDPR: The right to deletion of personal data applies in the following instances:
Key point of difference: The GDPR's right to deletion only applies if the request meets one of six specific conditions while the CCPA right is broad and unrestricted (although it can be challenged by companies).
Right to data portability
CCPA: In response to consumer requests, a business must securely provide personal information in a readily useable format that makes it easy for the consumer to transmit the information from one entity to another entity without hindrance.
GDPR: The data controller should send data requested in a structured, commonly used, and machine-readable format and to transmit the data to another controller without any hindrance, when it is technically feasible to do so. The GDPR limits the exercise of the right to data portability where it adversely affects the rights and freedoms of others.
Key point of difference: The GDPR provides an additional specific right for consumers to request companies to transfer their data directly to another data controller.
Right to object to automated decision making
GDPR: The GDPR provides data subjects the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects them. The prohibition against automated decision-making does not apply if the processing is authorized by law, necessary for the preparation and execution of a contract, or done with the data subject’s explicit consent. In such situations, the GDPR requires data controllers to implement suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
Right of rectification
GDPR: Data subjects have the right to request rectification of inaccurate personal data and to have incomplete personal data completed. This right has close links to the accuracy principle of the GDPR (Article 5(1)(d)) that requires data controllers to keep personal data accurate.
Right to object
CCPA: None, however, the consumer does have the right to opt-out of the sale of their data.
GDPR: The GDPR provides data subjects with the right to object and withdraw consent to personal data processing. Data subjects have the right to object to the processing of their personal data where the processing is based on legitimate interests, public interest, or the consent of the data subject. As a consequence of a valid objection, the data controller must no longer process the data subject’s personal data unless it can demonstrate compelling, legitimate grounds for the processing. These grounds must be sufficiently compelling to override the interests, rights, and freedoms of the data subject. Data subjects also have the right to object to their data being processed for direct marketing purposes.
Right to opt-out
CCPA: Consumers have the right to direct businesses that sell personal information about the consumer to third parties to stop this sale, at any time. Businesses must wait at least 12 months before asking consumers to opt back in to allow the sale of their data.
GDPR: None, however, the Right to object can be used in a similar way.
Security Measures and Data Breaches
CCPA: The CCPA does not directly impose data security requirements. It does establish a right of action for certain data breaches that result from violations of a business’s duty to implement and maintain reasonable security practices and procedures appropriate to the risk arising from existing California law.
GDPR: Requires organizations to adopt appropriate technical and organizational measures to ensure personal information processing security. These measures may include the following:
Under the GDPR, organizations must notify supervisory authorities of any personal data breach that is likely to result in a risk to natural persons’ rights and freedoms without undue delay and not later than 72 hours after becoming aware of the breach. The information may also be provided in phases, and a justification must accompany any delay. Organizations are also required to notify impacted data subjects of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, without undue delay.
Key point of difference: The CCPA does not explicitly require encryption, the GDPR does. However, encryption reduces a company’s liability arising out of a data breach under both laws. If a company suffers from a breach but the data was encrypted, some or all of the company’s liability can be reduced.
Data protection officer (DPO) requirement
CCPA: Not required
GDPR: Organizations are required to appoint a data protection officer where data processing activities are carried out by a public authority (except for courts in their judicial capacity), where the core activities of the organization consist of regular and systematic monitoring on a large scale, or where the core activities of the organization consist of the sensitive personal data or personal data relating to criminal convictions and offenses. Organizations must publish the contact details of the DPO and communicate them to the supervisory authority.
Key point of difference: The CCPA does not require a company DPO as the GDPR does. If you do choose not to appoint a DPO, you should have a plan for data protection and compliance that includes data management/compliance software to help you complete the tasks usually assigned to a DPO.
DataMapper can help: Since the role of DPO already requires technical, legal, and business skills, the data management/compliance software you choose should be easy-to-use without IT support, high security, and have the ability to coordinate and monitor data processing across the entire company.
Records and documentation of data processing and requests
CCPA: A business shall maintain records of consumer requests made pursuant to the CCPA and how it responded to the requests for at least 24 months. The business shall implement and maintain reasonable security procedures and practices in maintaining these records. (c) The records may be maintained in a ticket or log format provided that the ticket or log includes the date of request, nature of request, manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part.
GDPR: Data controllers are required to maintain a record of processing activities. This obligation does not apply to organizations with fewer than 250 persons unless the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offenses. For the purposes of demonstrating compliance, data controllers are also required to document personal data breaches and consent statements where data processing is based on data subjects’ consent.
✓ Both regulations require extensive documentation.