CCPA vs. GDPR: Understanding the Key Differences
With so many changing laws and regulations around data privacy, it can be difficult for businesses to keep up. One of the most recent developments is the California Privacy Rights Act (“CPRA”), also known as Proposition 24, which was passed in California in November 2020 and took effect on January 1, 2023. This data protection law amends the California Consumer Privacy Act (“CCPA”) in ways that bring it closer to Europe’s General Data Protection Regulation (“GDPR”). Let’s take a closer look at some of the similarities and differences between them.
Jurisdictional Threshold Differences between CCPA and GDPR
The CCPA defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Section 17014 of Title 18 of the CA Code of Regulations explains that the term “resident” includes “(1) every individual who is in the State for other than a temporary or transitory purpose; and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.” The GDPR has a similar definition of “personal data,” but it does not cover households and applies only to identifiable natural persons living or located within the EU. In other words, the GDPR has no residency requirement; its scope is purely geographical, unlike the CCPA’s.
Revenue or Volume Threshold Differences
Unlike the CCPA, the GDPR has no revenue or data-processing-volume thresholds. The GDPR applies whenever an organization targets individuals in European Union countries or processes their personal data. The CCPA, as amended, applies to for-profit organizations that do business in CA and satisfy one or more of the following thresholds:
- Annual gross revenues in excess of $25M in the preceding calendar year;
- Alone or in combination, annually buy, sell or share the personal information of 100,000 or more households or consumers; and/or
- Derive 50% or more of their annual revenues from selling or sharing consumers’ personal information.
Differences in Consumer’s/Data Subject’s Rights
While both the GDPR and the CCPA require organizations to provide certain rights to consumers regarding their personal data, the CCPA provides exemptions to those rights that are not found in the GDPR. For example, the CCPA lets a business decline a consumer request in order to protect a consumer’s exercise of free speech, to “ensure the right of another consumer to exercise that consumer’s right of free speech,” or to exercise another “right provided for by law.” The GDPR, by contrast, focuses on the data subject’s own rights, with little consideration for the rights of others when it comes to the data subject’s “right to be forgotten.” This remains a hot topic of discussion, however: cases have been brought before the European Court of Human Rights in which the Court has applied a balancing test, weighing, for example, a newspaper’s freedom of expression against a data subject’s “right to be forgotten.” Nonetheless, at least for now, the CCPA exceptions are much broader. Because the exercise of free speech, freedom of the press or another “right provided by law” each carves out an exception, those exceptions are broad enough to potentially eliminate a consumer’s deletion rights in many, if not most, circumstances.
Another notable difference is that although the GDPR imposes strict consent and opt-in obligations on any controller collecting and processing personal data, it does not include an express right for a data subject to opt out of the sale of their personal data (only the right to restrict processing), whereas the CCPA does and lists it explicitly as one of the consumer rights. The CCPA requires businesses that sell or share personal information for cross-context behavioral advertising to include a “Do Not Sell or Share My Personal Information” link on their homepages or other web/mobile application pages. The CCPA also requires a “Limit the Use of My Sensitive Personal Information” link to be displayed in a similar way.
Differences in Opt-In and Opt-Out Requirements
Another key difference between the CCPA and the GDPR is that the GDPR requires organizations to obtain express opt-in consent from a data subject for activities such as selling the data subject’s personal data or using personal data for targeted advertising. Under the CCPA, an opt-out is sufficient for these activities, and opt-in consent is required only for selling or sharing the personal information of consumers under 16 years old for cross-context behavioral advertising purposes.
Other Notable Differences
Legal Basis, DPOs and Transfer Restrictions
The GDPR requires businesses to state the legal basis for collecting and using personal data and to appoint a Data Protection Officer (“DPO”), and it restricts the transfer of personal data outside of the EU; the CCPA has no such requirements. Although the CCPA does not mandate the appointment of a DPO, businesses should still have one or more qualified individuals responsible for monitoring the activities associated with data gathering, storage, processing and data security, as well as for responding to consumer requests relating to their personal information.
Publicly Available Information
Another interesting difference is that the CCPA does not apply to information that is publicly available, but the GDPR does, in the sense that if a business obtained personal data from a publicly accessible source, Article 14 of the GDPR requires the data controller, unless a permissible exception applies, to disclose to the data subject the personal data it obtained from that source.
Consequences for Non-Compliance
Businesses that do not comply with the GDPR can face administrative fines of up to €20M or 4% of total worldwide annual turnover of the preceding year, whichever is higher. The GDPR also provides a private right of action for “material or non-material damage as a result of an infringement” (Article 82), and “each natural or legal person shall have the right to an effective judicial remedy” against a supervisory authority in “the courts of the Member State where the supervisory authority is established” (Article 79).
Businesses that do not comply with the CCPA can face a variety of penalties, including civil fines of up to $2,500 per violation or $7,500 per intentional violation; the fine also rises to $7,500 for each violation involving the personal information of a minor consumer, per incident. The consumer right of action has been broadened to include a private right of action for data breaches, with statutory damages of not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater.
So while both laws provide for administrative fines and a private right of action, the GDPR’s remedies are broader, since they allow data subjects to sue for any violation and not only for violations related to a data breach.
The CCPA and the GDPR are similar but have some important differences when it comes to protecting consumers’/data subjects’ privacy rights. Businesses must understand both pieces of legislation if they wish to remain compliant with them. It is important for organizations operating within, or offering goods or services to individuals in, California, the EU or the EEA to stay informed about changes to these laws so they can remain compliant with all applicable laws and regulations related to the collection and processing of personal data while still fulfilling their own business objectives.
Jenya Beylin is a Senior Attorney at Meyer Law, one of the fastest growing law firms in the United States. Jenya helps companies with domestic and international privacy, data protection and compliance matters. Jenya is a blog contributor at Meyer Law and is a member of the International Association of Privacy Professionals (IAPP). Learn more about Meyer Law here and follow us on Instagram @loveyourlawyer