Data has become one of the most valuable commodities in the world in recent years. Companies conduct billions of dollars in commerce every year that deal specifically with data. Data relating to people is personal, and every individual has an interest in the privacy of his or her information.
Unfortunately, there weren’t always laws to support that consumers own their information. Misuse by companies led to different legislative bodies responding with new laws and regulations. Two of those laws that affect California companies are the General Data Protection Regulation, or GDPR, and the California Consumer Privacy Act, or the CCPA. People and businesses alike are wondering about the difference between the GDPR and the CCPA. Below you’ll find a breakdown of those differences along with a few similarities.
When Did or Do These Laws Take Effect?
The GDPR was passed by the European Union Parliament in April of 2016, and it took effect on May 25, 2018. The CCPA became law on June 28, 2018, and its provisions fully took effect on January 1, 2020.
Who Passed These Laws?
While it’s mentioned above, one key difference between the GDPR and the CCPA is the legislative bodies that passed it and which consumers it protects. The European Union Parliament, which passed the GDPR, is a representative body of all of the member nations of the European Union. As of now, there are 28 counties in the European Union. The California state legislature passed the CCPA, and the law was passed before a ballot initiative of the same name went to a vote in November of that year.
Who Must Comply With These Laws?
When comparing privacy laws such as the GDPR vs. the CCPA, one key difference is often the scope or reach of those laws. Each of these laws has a broad scope. They affect a lot of businesses. The GDPR governs companies that operate within the EU that handle data of even one EU citizen. In addition, the GDPR governs companies outside of the EU if those companies have over 250 employees and offer good or services to the EU or handle any data of EU residents.
The CCPA applies to any for-profit entity that does business in California that collects, shares or sells the data of California consumers. Those companies must have annual revenues of at least $25 million or possess the data of at least 50,000 consumers, households or devices or derive at least 50% of its revenue from the sale of California residents’ personal information.
Who Is Protected By These Laws?
One clear distinction that appears between the GDPR and the CCPA relates to the people who are protected by these laws. The GDPR protects any resident or citizen of the EU and the European Economic Area whose data was held or processed by a company falling under its jurisdiction. The CCPA protects California consumers, which are defined as any natural person who is a California resident. Neither law protects “legal” persons, meaning business entities.
What Information Is Protected?
The CCPA vs. GDPR analysis also presents a slight difference with regards to their definitions of what data is protected. The CCPA specifically protects “personal information” that directly or indirectly links to a particular California consumer or household. The GDPR covers “personal data” that directly or indirectly relates to an identifiable individual. The GDPR does not specifically include “households” in its protections.
In essence, if your company collects names and email addresses, you would be collecting personal data or personal information, depending on which law would govern the situation.
What Are the Penalties for Violations?
Another important difference between the GDPR and the CCPA concerns the penalties for noncompliance. While each imposes monetary penalties for violations, how those financial liabilities are identified differs. Minor violators of the GDPR can face fines of up to €10 million or two percent of that violator’s annual revenue, whichever is greater. Major violators can face fines of up to €20 million or four percent of that violator’s annual revenue, whichever is greater.
Violators of the CCPA can face fines of up to $2,500 per violation, meaning $2,500 for every person whose data is not properly protected. Intentional violations can lead to fines of up to $7,500 per violation, and there is no cap on those fines.
What Information Must Be Available to Consumers?
In effect, the difference between the GDPR and the CCPA requirements for the types of information that businesses must make available to protected individuals upon request. Under the GDPR, companies must provide individuals who properly request it a copy of the information they collected that relates to that individual. The CCPA also requires that businesses share the personal information collected during the previous 12 months along with categories of information, the commercial purpose of that information and categories of third parties who have shared or bought that information. Under each law, individuals can opt-out of their consent to have their data processed and request that their data be deleted.
How Do Consumers Provide Consent to Use Their Information?
The GDPR and the CCPA are largely similar when it comes to providing consent for companies to use personal data. The consent that’s given by the individual or consumer must be voluntarily given based on a clear explanation that personal data is being collected and why it’s being collected. Generally, consent is given by clicking a button on a form that appears on a browser. Each law also provides individuals with the right to “opt-out” of this consent, thereby preventing any additional use of that personal information.
How Must Personal Data Be Protected?
Every entity governed by each of these laws must take all reasonable steps to properly protect personal data. If a data breach occurs, those attempting to comply with the GDPR must report that breach to the proper authorities within 72 hours. Companies must also inform anyone who could be affected by the breach. Under the CCPA, there is no specific public reporting requirement, but other data protection regulations require businesses to notify anyone affected by the breach. It’s up to affected consumers to bring legal action.
How Do We Maintain Compliance?
Are you up to date on how to handle opt-outs, reporting, the right to be forgotten or any other requirement that could affect your compliance with the GDPR and/or the CCPA? If not, you need to speak to a corporate attorney or GDPR lawyer as soon as possible. Kam Law Firm can help you with your CCPA vs. GDPR analysis to minimize your risk of exposure.