The California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) have a shared goal: protecting individuals’ privacy rights. Despite this common goal, there are some major differences between the two. In this blog post, we’ll take a look at the differences between the CCPA and the GDPR.
CCPA & GDPR: Core Concepts
The CCPA and the GDPR share several core concepts, but each regulation also contains concepts that appear only in that regulation.
Only in the GDPR
- Restrictions on how and why businesses can process personal data
- Additional protections for Sensitive Personal Data
- Privacy by design and privacy by default requirements
- Opt-in consent as a legal basis of processing
Only in the CCPA
- Personal information includes data about devices and households
- Right to Object/Opt-Out only covers the sale of personal information (narrower than the GDPR’s Right to Object)
- Access rights are broader
CCPA & GDPR: Terminology
In addition to the differences in their core concepts, the CCPA and GDPR have differences in terminology such as:
Consumer vs. Data Subject
Under the CCPA, a consumer is a natural person who must be a California resident. According to the GDPR, a data subject is any identified or identifiable natural person, that is, a person who can be identified directly or indirectly. In contrast to the CCPA’s residency requirements, a data subject under the GDPR does not necessarily need to be an EU citizen or resident.
The GDPR applies outside of the EU when a company offers goods or services to individuals inside the EU, or when it monitors the behavior of individuals inside the EU. It covers “processing” of personal data, defined to include any operation performed on personal data, including collection.
Personal Information vs. Personal Data
The CCPA broadly defines personal information (PI) as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household. The GDPR defines personal data as any information relating to an identified or identifiable natural person, where an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier. Note that an individual can be both a consumer and a data subject, for example when an EU-established company processes the personal data of California residents.
Business vs. Controller/Processor
The CCPA classifies the following as a business:
- A for-profit organization (sole proprietorship, partnership, corporation, LLC, association, or other legal entity)
- That collects consumers’ personal information (online or offline)
- Determines the purpose and means of the processing
- Does business in the State of California
- Plus one or more of the following:
- Has annual gross revenues in excess of $25 million
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The GDPR defines the controller as the organization that determines the purposes and means of the processing; a processor processes personal data on the controller’s behalf. The GDPR applies under the following circumstances:
- Where the controller or its processor is established in the EU, or
- Where a non-EU controller or processor processes the personal data of individuals in the EU, and the processing relates to:
- Offering goods or services to those individuals, or
- Monitoring their behavior (insofar as the behavior takes place in the EU); or
- Where a controller not established in the EU processes personal data in a place where Member State law applies by virtue of public international law (e.g., an EU Member State embassy)
Right to Opt-Out vs. the Right to Object and the Right to Withdraw Consent
Under the CCPA, the Right to Opt-Out means:
- At any time, consumers can request a business to stop selling their personal information to third parties
- Businesses must wait 12 months before asking a consumer to opt back into the sale of personal information
- Businesses that sell personal information must post a link on their homepages that says “Do Not Sell My Personal Information” so consumers can know about and exercise their opt-out rights
Under the GDPR, the Right to Object means:
- The data subject’s right to object to processing “on grounds relating to his or her particular situation, at any time”
- The scope includes processing based on legitimate interests, processing based on the performance of a task in the public interest or the exercise of official authority, and processing for research purposes
Under the GDPR, the Right to Withdraw Consent means that:
- At any time, the data subject can withdraw consent where consent is the legal basis for the processing
- Withdrawal must be as easy as it was to give consent
Both the GDPR and the CCPA grant individuals rights that enable them to protect their privacy. To request a live OneTrust for CCPA software demo, visit www.OneTrust.com/ccpa-compliance or email [email protected].