With governments taking organizations to task with regards to consumer privacy, startups need to adhere and stay abreast with consumer privacy laws to avoid prosecutions. The European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are the main consumer privacy legislation that companies need to be compliant with.
Differences between the GDPR and the CCPA
In the following guide, we look at the differences and similarities of the GDPR and the CCPA.
Who is Affected by the Legislation?
The main difference between GDPR and CCPA lies on the entities that they regulate.
For the GDPR, any entity that is within or outside the EU and that has contact with the personal data of an EU citizen is required to follow the legislation. For the CCPA, the entities that need to adhere to the legislation are those that are doing business in California and meet one of the requirements below:
- Their gross revenue is more than $25 million
- More than 50
percentof their revenue is derived from the sale of personal information
- Have access to personal information of more than 50,000 consumers, devices, or households annually, and buys, sells, shares, or receives the information for commercial purposes.
One important point to remember is that entities that share a common branding with a business that meets any of the requirements above must be CCPA-compliant. This also applies to entities that are controlled by businesses that are required to be compliant. Generally, both GDPR and CCPA are different in their extent of regulating the use of personal data among entities. GDPR is more comprehensive than CCPA in terms of the scope of organizations that it affects.
Who or What is Protected?
Both GDPR and CCPA focus on how businesses handle a person’s information. However, their approach is different. With GDPR, the focus is on data that can be classified as personally identifiable or that can be connected to a certain person. On the other hand, CCPA focuses more on consumer data. With the legislation, “consumers” are defined as California residents or people living in California for an extended period of time. The definition can also include customers, business-to-business transactions, employees, and goods and services.
The Information Protected
Both GDPR and CCPA are meant to restrict the gathering, use, and sale of personally identifiable information. However, CCPA also includes households and devices as part of identifiable personal information. With GDPR, companies are prohibited from processing personal data and related personally identifiable information under various categories. With CCPA, consumer data to be protected is defined as personal information that can be directly or indirectly be traced to a person, households or devices. CCPA’s definition of consumer data includes devices. Therefore, companies that have tablets or smartphone apps are required to be compliant with the legislation.
Consumer Opt-Out Rights
The major difference between GDPR and CCPA is how they handle consumer opt-out requirements. With GDPR, consumers are not given a right to opt-out of the sale of their personal data. On the other hand, the CCPA explicitly states in detail how consumers can opt-out. In GDPR, consumers have a right to opt-out of processing data for marketing purposes. However, the opt-out right is not focused on as a major way of enhancing data privacy.
On the flipside, the CCPA requires organizations to ensure consumer opt-out rights are visible. Under the legislation, businesses are required to create a conspicuous link on their homepage written “Do Not Sell My Personal Information”, where consumers can easily opt-out.
GDPR requires businesses to provide customers with a way to opt out of data collection for sales purposes. However, the opt-out requirement is not as highlighted as it is with CCPA. Businesses affected by CCPA are required to give consumers easy to access to opt-out of personal data collection by including a visible link on the homepage of their websites.
Data Portability Rights
Both the GDPR and CCPA have similar data portability rights. Under GDPR, consumers have a right to receive copies of their personal data in a structure that is easy to read format. Under CCPA, consumers can also request for copies of their data, and the subject companies have up to 45 days to respond. The company should provide the information requested in a format that is easy to use and that allows the consumer to move the data from one medium to another.
The main takeaway is that both privacy legislations require organizations to furnish users with the personal data they collect in an easy-to-read format that can be shared easily.
Personal Data Security
Both GDPR and CCPA are designed to give people control over their personal data that has been collected by businesses. However, the underlying formation of the laws was the concern for data security. According to the GDPR, organizations are required to take particular measures to mitigate risk on the personal data that they collect. Companies that breach consumer trust by exposing their data, either intentionally or unintentionally, can be sued for damages. On the other hand, the CCPA does not explicitly state that companies should keep the consumer data they collect safe. However, the legislation provides consumers with an option to sue companies in case of a data breach that affects them.
Other Differences between GDPR and CCPA
With regards to children, the CCPA requires companies to seek parental consent for personal data sales. On the other hand, the GDPR focuses on all data processing. Regardless, if your company does business with customers in California or the EU, you should be aware of the pieces of each legislation that can potentially affect your business.
You may also like: How Vendor Risk Management Can Impact Your GDPR Compliance
About the Author
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.