CCPA vs GDPR compliance: Similarities and Differences

You are here because you are now comparing the General Data Protection Regulation(GDPR) & the California Consumer Privacy Act (CCPA) and are trying to understand the scope of work. We get that. 

In this article, we’ve done an in-depth analysis of CCPA vs GDPR compliance.

The focus is on their similarities, differences, who they apply to, and the things you’d need to do to become compliant with either or both.

Are you in the process of becoming compliant and looking for GDPR vs CCPA requirements? This is for you.

CCPA and GDPR are compliance laws that aim at protecting user data from unauthorized access and processing. CCPA has often been called the ‘GDPR lite’ version in the compliance communities and there is a fairly supportive logical reasoning to that debate. Not going to get into that here and now! Maybe another piece on that later!

Though this article focuses on the differences between both frameworks, it’s important to cover the similarities first and then move on to identify the differences.
So, here’s a quick summary of the similarities.

GDPR and CCPA – Introduction

CCPA:

The CCPA imposes rules on businesses (the “covered entities”) that handle sensitive information. It also grants consumers new privacy rights and protections. The CCPA enhances consumer privacy rights in several ways:

• CCPA Requires greater transparency.
• CCPA gives consumers broad access to their personal information.
• CCPA provides consumers with the right to opt-out of data collection.
• CCPA imposes new restrictions on how covered entities collect, share, and sell consumers’ personal information.

Both CCPA and GDPR focus on obtaining GDPR cookie consent from users. But the way they do it is significantly different.

CCPA was rolled out in July 2020, and on August 14, 2020, the CCPA regulations were in effect.

CCPA extends their data users the right to request businesses to delete their personal information or opt out from selling their personal information to third parties.

GDPR:

The GDPR became effective in May 2018 across the 27 member states of the European Union.

GDPR dictates how businesses, through their website and mobile applications, should handle customer information. Attributes like name, email ID, location, data from wearables, IP address, and more are categorized as personal information under GDPR.

Under GDPR, the Data Subject (user) is given controlling power to decide how businesses use their personal information.

As a business, you are responsible for collecting user consent before collecting any personal information of a Data Subject.

Here’s an example of a general GDPR consent form.

What do GDPR and CCPA stand for?

GDPR stands for General Data Protection Regulation, a legislative framework within the European Union designed to safeguard the privacy and data protection rights of EU inhabitants. Conversely, the CCPA, short for California Consumer Privacy Act, represents a state law enacted in the United States to uphold the data and privacy rights of individuals residing in California

5 Differences between CCPA VS GDPR

Let’s talk about the key differences between CCPA and GDPR in detail:

Who They Affect:

GDPR:

All businesses and their entities (website and mobile application) that personally process data of people in the European Union(EU) must comply with the GDPR law. This includes non-profit businesses and e-commerce companies.

GDPR compliance also applies to every Data Subject (user) in the EU regardless of their citizenship, residence nature, and more.

CCPA

CCPA is only applicable to legal residents of the California region.

CCPA only applies to businesses that meet at least one of the three listed criteria:

• Businesses whose gross annual revenue is greater than $25 million
• Collects, buy, or share data of more than 50,000 users
• Half (50%) of the  revenue is generated from selling said user data

While these are the conditional qualifiers, for businesses to fall under the scope of CCPA regulation, they must also qualify for two additional criteria.

• They operate in the California Region
• They collect data from users in California and have stated the purpose and means for their data processing operations.

Types of data protected

GDPR is stricter when compared to the CCPA, and this reflects in what they consider protected data and its exemptions.

GDPR covers all kinds of data processing regardless of the intent and process of processing. The only two exceptions are:

• When the data is processed in a non-automated manner(no electronic methods are used)
• When individuals process data for their interests

Also check: Sensitive Personal Data – Special Category under the GDPR Article 9

The scope of CCPA, however, is not that broad. For instance, under GDPR, users are required to ‘Opt-in’ if they wish to have their data processed, while CCPA only stresses the ‘opt-out’ feature. With ‘Opt-out’, users can choose not to share their information for processing or data sharing/selling.

CCPA does not apply to:

• Any user data that is already made available
• Medical information protected by HIPAA certification and CMIA
• User data that is covered by CCPA’s DPPA (Department of Public Policy and Administration)
• Other data sets protected by supervisory authorities

The route to compliance with CCPA is a little tricky. That said, if you are following the best practices for GDPR, you will likely comply with CCPA as well. The policies and procedures required to become GDPR compliant can be used for CCPA as well. Overall, there is an 80-90% similarity in controls and policies.

What is considered data collection, sale, and processing?

Both frameworks consider personal data as information that can be used to identify a person.

GDPR:

The term processing in GDPR applies to activities like taking consent for data processing, informing the users about the intent for collection and how it will be processed, informing users about their data rights, and the removal/erasure of data.

CCPA:

CCPA has defined its stages of data collection and processing in three segments.

1. Collection refers to collecting data from users, vendors, and third-party data providers.
2. Processing is when the business acquired the data and has started working with the data for gains.
3. Selling is when the collected data is transferred to another business entity

Information Shared with Data Subjects:

GDPR – Rights of data subjects

Individuals have a relatively higher degree of control over what happens to their data under GDPR as compared to CCPA.

In GDPR, the Data Subject is when their data is collected directly from them or when their information is acquired from another source.

• Businesses must inform users how long their data will be stored with them and how they intend to process it.
• Businesses are also required to give detailed information on reasons for profiling and inform the users about their data rights, specifically the right to erasure. This right empowers them to withdraw their consent to data processing at any point in time.

In CCPA, businesses are required to send Data Subjects a report of how their data was collected, how it was processed, and to who it was sold after 12 months from the date of data acquisition.

• Individuals must also be notified when their information is sold to third parties and if the third-party business sells it to another third-party entity.

Penalties

In the CCPA vs GDPR comparison, GDPR’s administrative fines are definitely on the higher side.

If a business is non-compliant, it could be levied with a fine of $20 million or 4% of its annual turnover, whichever is higher.

The penalties of CCPA are on the lighter side as the maximum fines for violations are relatively much less. Here’s the breakdown:

• $2500 for unintentional violations
• $7500 for intentional violations
• $100-750 in damages in civil court

CCPA vs GDPR Compliance – Who do the laws apply to?

CCPA vs GDPR: Scope 

GDPR protects any Data Subject in the European Union. 

For example: If a tourist from Asia is travelling in the EU and their data is processed during their stay, they are protected by the GDPR law.

If companies out of Asia are processing the tourist’s data, they would need to comply with GDPR to avoid any hefty administrative fines.

The definition of an individual is restricted and defined under CCPA.

An individual is in the State for other than a temporary or transitory purpose” or an individual “who is domiciled in the State who is outside the State for a temporary or transitory purpose.”

Extraterritorial scope:

Both CCPA and GDPR present extraterritorial scope in their framework

Any business around the world will need to be CCPA compliant if they are processing data of more than 50,000 Californians annually.

GDPR also requires businesses to comply with the law if they offer goods or services to users in the EU region. But, again, this is regardless of where they are conducting their processing activities. 

CCPA does and leaves no scope for entities to be non-compliant.

Also check out: Best CCPA compliance tools

Businesses (CCPA) vs. data controllers (GDPR)

Businesses and Controllers

Business is common jargon in CCPA. According to CCPA, a business is an entity that is for-profit and exhibits one of three conditions mentioned below:

• Whose gross annual revenue is greater than $25 million

• Collects, buys, or shares data of more than 50,000 users

• If half (50%) of your revenue is generated from selling said user data

Controller or Data Controller is GDPR jargon for an entity that collects data and processes data in the EU.

GDPR’s scope for categorizing an entity that processes data is broad as it does not qualify them like CCPA does and leaves no scope for entities to be non-compliant.

What rights are given to people by CCPA and GDPR laws?

The table here gives you an insight on the rights each compliance law empowers its users with; it is noticeable that there is a significant overlap between the two.

In this section of the CCPA vs GDPR comparison, we dive deep into the rights data users/individuals are entitled to. Both CCPA and GDPR extend these rights:

• Right to Knowledge:

Organizations must make it clear to the user(s) how their data is collected and what it would be used for

• Right to Access:

Users can request to receive a copy of their data

• The right to Opt-out:

Users can request businesses to remove their data from any processing activities

• Right to Portability:

Users can request organizations to send them a copy or another business a copy of their data in a structured and machine-readable format.

• Right to Data Erasure:

Under exceptional circumstances, users can ask an organization to delete any information they hold about them. $100-750 in damages in civil court

GDPR vs. CCPA – Overall comparison

GDPR vs CCPA comparison:

The GDPR framework focuses on being ‘Privacy by Default’. In contrast, CCPA focuses on creating a layer of transparency in the data economic activities of California and educating its users about their data rights.

GDPR is a lock that any data processor will have to unlock with the user’s consent as its key. While CCPA acts as a window to the digital data economy to find out what details of the user are already out there and who they have been shared with or sold to.

Differences Between GDPR and CCPA in summary

GDPR is a privacy law aiming to protect the privacy of Data Subjects in the EU. It empowers its subjects with rights to withdraw consent, data portability, access, information, and erasure.

CCPA, when compared, is not very expansive and focuses on providing the residents of California with the right to regulate how businesses process their personal data. CCPA empowers its subjects with rights to access, erasure, and Opt-out.

How can Sprinto help?

Sprinto automates the compliance process involved in becoming compliant with GDPR and CCPA. We automate upto 80% of the tasks involved in the compliance processes in context and this helps us bring down the time and cost spent to achieve compliance significantly. Get in touch with our experts today to know how we can make your compliance journey breezy.