GDPR versus CCPA
The abundance of data breaches around Big Tech giants casts private data and its use in a brand new light.
Around the world, data protection laws and regulations are steadily emerging and forcing businesses to contend with a complex set of requirements regarding the collection and handling of personal data.
Among the most prominent privacy laws are the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the U.S. Seen as the toughest European law, the GDPR imposes obligations on organizations anywhere, as long as they target or collect data related to people in the EU. The CCPA is a state law intended to enhance privacy rights and consumer protection for Californian residents. While both laws aim to protect individuals’ rights over the personal data collected from them and apply to businesses that collect, use and share sensitive information, the GDPR and the CCPA differ in significant ways.

Below are 5 main differences between the GDPR and the CCPA that everyone should consider when doing business with or for the European Union and California.
1. Scope
The GDPR applies to organizations anywhere, as long as they target or collect data related to people in the EU. The CCPA only protects individuals (referred to as “consumers”) that are Californian residents (i.e. individuals living in California for other than a temporary or transitory purpose).
Good to Know! Personal data belonging to non-European citizens in transit or on holidays in the EU falls under the scope of the GDPR.
2. Definition of Personal Data
The GDPR refers to personal data as information that can reasonably be linked (either directly or indirectly) to an identified or identifiable data subject. In CCPA terms, personal data is information that can be used to identify a natural person; however, it also includes information that can be used to identify a household or device.
3. Legal basis
While under the CCPA organizations can process data without being subject to specific restrictions, the GDPR dictates that data can only be processed if it is subject to one of the 6 legal bases identified: explicit consent, legal responsibility, legitimate interest, public task, vital interest, and contractual performance.
4. Opt-in / Opt-out
Users can take action to either offer (opt-in) or withdraw (opt-out) their consent for the collection and handling of their data. Under the GDPR, businesses have the obligation to ask users to opt-in, while with CCPA, users only have the option to opt-out. Furthermore, with CCPA, businesses will give notice to the users whose data is sold or transferred, while with GDPR, users’ explicit consent is mandatory.
5. Violations
What a difference! While CCPA penalties range from $2,500 for a non-intentional violation to $7,500 for an intentional one, a GDPR fine can kill your business: up to €20 million or 4% of the annual global turnover.