California Consumer Privacy Act vs GDPR

Written by
Published 03/07/2019

Heralded as the US version of the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) may be the catalyst for an all-new approach to privacy for companies. However, merely assuming that the CCPA is a GDPR-for-US can leave you stranded and, possibly, non-compliant.


Who is regulated?

The first significant difference between the GDPR and CCPA lies in the entities regulated.

The GDPR creates a broad privacy law governing all data controllers and data processors established in the EU and outside the EU who have contact with EU citizen personal data.

The CCPA focuses only on for-profit entities doing business in California who meet one of the following three requirements:

  • Gross revenue greater than $25 million
  • Annually buys, receives, sells, or shares personal information of more than 50,000 consumers, households, or devices for commercial purposes
  • Earns 50% or more of annual revenue from selling personal information

Of note, CCPA also applies to entities controlled by or shares a common branding with a business that meets the above requirements.

Thus, the two privacy laws differ substantially in their breadth of regulated entities, with CCPA being more limited.

Who is protected?

Although both laws focus on data privacy over a natural person’s information, they differ in their approach and definitions.

The GDPR focuses on data subjects which it defines as identified or personally identifiable people to whom personal data can be connected.

The CCPA focuses on consumers which it defines as either people living in California for more than a temporary period or California residents whose primary residence is in the state but residing outside the state for a temporary period. It can, however, also include customers of household good and services, employees, or business-to-business transactions.

Of specific note, businesses outside the original jurisdictions must review the way that the laws impact them.

What information is protected?

While the types of information protected are similar, the CCPA drills down further than the GDPR to include households and devices.

The GDPR focuses on personal data related to identified or identifiable data subjects and prohibits processing that information under a defined set of categories.

The CCPA defines consumer data as personal information that identifies, relates to, describes, can be associated with, or may be directly or indirectly linked to a specific person, household, or device. The CCPA lists specific categories of personal information.

Of note, the CCPA specifically incorporates devices thus including apps linked to smartphones and tablets.

What are the Opt-Out Rights?

This is where the differences between the two regulations start to show. The GDPR does not create a specific right to opt-out of personal data sales while the CCPA focuses an entire section of the law on how to give consumers ease of opt-out.

The GDPR contains rights such as opting out of processing data for marketing purposes or withdrawing consent for processing activities. While this creates an avenue for data subjects to opt-out of information sharing, the GDPR focuses less on having opt-out as a distinct measure of data privacy.

Meanwhile, the CCPA makes a consumer’s opt-out rights visible. As part of the compliance process, businesses need to create a “Do Not Sell My Personal Information” link on their homepage that makes opt-out clear and conspicuous. Moreover, they cannot ask a consumer to authorize sales for 12 months after the opt-out notification.

While GDPR offers provisions that lead to opting out of data collection for sales purposes, the CCPA requires businesses to give consumers easy access to opt-out services.

What are the Rights of Data Portability?

Both privacy laws focus on similar data portability rights.

The GDPR created a new right to receive copies of personal data in a structured, commonly used, machine-readable format and transmission of the personal data to other data controllers.

Under the CCPA, a consumer can request disclosure at which point a business must provide, within 45 days, information in a readily useable format that allows the consumer to transmit data from one entity to another easily.

Ultimately, although the regulations use different language, they both focus on providing users easy-to-read copies of the collected data that enables the protected parties to share that information easily.

What do the regulations say about security?

As privacy laws, the GDPR and CCPA focus on giving people control over data collection and use. However, both regulations arose from concerns over data security.

The GDPR requires companies to take the organizational and technical measure that ensure a level of security risk mitigation. People can sue companies for damages arising out of a data breach, whether they cause material or non-material damage.

The CCPA does not impose data security requirements, but it does establish private rights of action in the event of a data breach. As part of the California Civil Code, the CCPA allows residents to sue companies when their lack of security controls lead to a data breach that impacts consumer information. Additionally, courts can impose injunctive as well as declaratory relief to remedy problems.

Although the two data privacy laws require appropriate security controls and enable private lawsuits, they differ significantly in the types of remedies available.

What other significant differences exist between GDPR and CCPA?

As regards children, the CCPA only requires parental consent for personal data sales, while the GDPR focuses on all data processing.

The CCPA requires no rights to object, rights to restrict processing (other than opt-out), right to object to automated decision making, or rights to rectification like the GDPR requires.

How ZenGRC Enables CCPA Compliance

CCPA compliance will require documentation collection, storage, and retrieval. Additionally, with more people interacting with vendors who interact with consumer data and employees monitoring consumer requests, CCPA compliance will require more communication between internal and external stakeholders.

With our workflow tagging, organizations can delegate tasks and follow progress to ensure appropriate completion. Particularly crucial for CCPA’s 45-day timeline, businesses can monitor consumer request fulfillment activities to maintain compliance.

Our task prioritization mechanism allows businesses to review workflows so that they can mitigate cyber risks as well as review controls within the organization necessary for maintaining opt-out and opt-in information.

Finally, ZenGRC acts as a single-source of information so that all workforce members involved in CCPA compliance can access the same information and documentation to support audits.

Categorized in: