This past decade has seen privacy concerns come to the forefront of the public’s attention all across the world. In response to these concerns, many governments across the world have been implementing information security & privacy laws. Two governments’ laws have been particularly noteworthy, as they have two of the largest economies in the world. These are the European Union’s (EU) GDPR and the US State of California’s CCPA.
While both of these governments’ laws aim to better protect individuals’ privacy rights and share some similarities, there are differences in scope, requirements and penalties for noncompliance between the two. As a result, organizations can’t be compliant with one of these laws and automatically be compliant with the other. Rather, organizations’ compliance programs have to deal with both laws separately.
In this article, we provide a summary of the key differences and similarities between GDPR and CCPA. We then give an overview of how organizations can comply with both laws, so that readers can meaningfully contribute to GDPR- and CCPA-related discussions at their organization.
Similarities
Scope
- Both laws seek to strengthen individuals’ privacy rights
- Personal data (PII) is defined the same, namely, that PII is any information that can directly or indirectly identify an individual
- Organizations that handle PII of either residents of California or individuals in the EU must abide by both regulations
Requirements
Individuals’ Rights
- Both regulations require organizations to assist individuals in exercising these privacy rights:
  - Right of Access
    - Under both laws, organizations must give requesting individuals a copy of the PII the organization has on the individual.
    - The laws differ, however, in how much PII organizations are required to give to individuals. We cover these differences later in the article.
  - Right to be Forgotten
    - Organizations must delete any and all of an individual’s information when the individual makes such a request
  - Right to Same Services & Prices
    - This right is likely to be similar only in theory.
    - As explained in the differences section, it’s unlikely that individuals will be given the same level of services & prices when exercising their privacy rights under CCPA.
  - Verifying requesting individuals’ identities
    - Under both laws, organizations are required to verify the identity of individuals exercising their privacy rights
    - Verifying an individual’s identity is highly important. There have been reports of stalkers, identity thieves, and others making fraudulent requests regarding another’s PII
Third-party Risk Management
- Your third-parties must agree to:
  - Comply with the applicable regulation(s), where the third-party will be processing PII that’s in-scope
  - Have a security program in place that adequately protects the PII they will be handling
Other Requirements
- Organizations must have mechanisms in place to adequately protect PII, in accordance with the sensitivity of the PII
Penalties for Noncompliance
- Both laws impose penalties on organizations that are found to be noncompliant
- When levying fines, the courts are to consider a number of factors about the violating organization, such as the organization’s privacy posture, number of previous fines, etc.
- That said, the laws differ greatly in what constitutes a violation and the associated penalties, and we discuss those differences below
Differences
Scope
Apart from GDPR and CCPA applying in different parts of the world, there are some differences in scope:
- Individuals
  - GDPR covers any individual in the EU, regardless of citizenship or residency status1
  - CCPA covers only residents of California
- Organizations
  - GDPR applies to any organization that processes the PII of or markets to2 EU citizens, regardless of where the company is located
    - Consequently, if an organization has a website that markets to EU citizens but doesn’t collect any PII, the organization still has to comply with GDPR
  - CCPA applies only to organizations that collect, sell or transfer to third parties the PII of California residents
    - Consequently, if an organization has a website that markets to residents of California but doesn’t collect any PII, the organization doesn’t have to comply with CCPA
Requirements
The biggest difference between GDPR’s and CCPA’s requirements is that GDPR requires a lot more of organizations and of organizations’ third- and fourth-parties. This section contains an overview of the differences.
Individuals’ Rights
This section describes the differences in the rights that individuals have under each law.
- GDPR
  - Right of Access
    - There is a slight difference in that under GDPR, any and all PII an organization has on an individual must be disclosed to a requesting individual. This includes any data on an individual that’s been inferred (e.g., performing analytics to predict which product a customer will buy next)
  - Right to Giving Consent
    - Organizations must obtain consent from each individual prior to processing that individual’s PII
    - Organizations are to communicate the terms & conditions for consent clearly and in plain language
  - Right to Correction
    - Individuals may have incorrect PII about them corrected
  - Right to Data Portability
    - Individuals may have their PII transferred from one similar service to another
  - Right to Object to Processing
    - Individuals may prohibit an organization from processing their PII
  - Right to Restricting Processing
    - Individuals may require organizations that are already processing their PII to stop processing their PII
- CCPA
  - Right to Opt-Out
    - Only organizations that are selling PII are required to give individuals the ability to opt-out
  - Right to Opt-in
    - Organizations are required to ask for consent to process PII only from minors3
    - There are no rules regarding how the terms & conditions for consent are to be communicated
  - Right to Same Services & Pricing
    - Organizations may:
      - Charge a different price/rate or offer a different level of quality of goods/services if that difference is reasonably related to the value provided to the individual by the individual’s data
      - Reasonably and justly offer financial incentives (e.g., payments) to individuals whose PII is collected, sold or transferred
Third-party Risk Management
- GDPR
  - Each third-party that is to handle PII subject to GDPR must be thoroughly vetted
  - Third parties must require each of their vendors that will touch PII subject to GDPR to:
    - Abide by GDPR
    - Only process PII as explicitly stated in the Data Protection Agreement
    - Have a security program in place that adequately protects the PII
    - Thoroughly vet their own third-parties
    - Require these third-parties to require their vendors to abide by GDPR and all that entails
- CCPA
  - Selling PII Received from Your Organization
    - Third parties to whom your organization sells or transfers PII may not sell the PII they (the third party) have received from your organization.
    - Third parties may sell the PII they’ve received if the affected individuals:
      - Receive explicit notice of the intent to sell their PII
      - Are given an opportunity to opt-out
Other Requirements
- GDPR
  - Appoint a Data Protection Officer (DPO)
    - A DPO is an executive (or someone with direct access to executives) whose sole job is to ensure the organization is complying with GDPR
  - Conduct a Data Protection Impact Assessment (DPIA)
    - Organizations must assess how their processing activities of PII will affect individuals
- CCPA
  - Update their online privacy policy to include a California Resident-specific section
  - If selling PII, have a clear and obvious link on their homepage entitled “Do Not Sell My Personal Information” that links to a webpage that enables individuals to opt-out of the sale of their PII
Penalties for Noncompliance
The penalties for noncompliance are, perhaps, the most significant difference between GDPR and CCPA. In a nutshell, GDPR can impose materially significant fines on companies of all sizes, while CCPA does not.
What Constitutes a Violation
- GDPR
  - Any violation of GDPR, such as:
    - Not appointing a DPO
    - Communicating the terms & conditions for consent in legalese
    - Failing to assist an individual exercising their privacy rights
    - Insufficiently vetting third-parties
    - Suffering a data breach of PII
- CCPA
  - A violation is largely considered to have occurred if an organization fails to fix an alleged violation within 30 days of becoming aware of the violation
  - Examples of a violation include:
    - Violating any part of CCPA (e.g., not obtaining consent from a minor)
    - Suffering a data breach of unencrypted or non-redacted PII
    - Not implementing a security program adequate to the types of data processed
Penalties
While both laws can negatively impact small businesses, GDPR can also materially affect large organizations’ financials.
- GDPR
  - Fines are based on a violation’s severity:
    - Minor violations
      - Fines can go up to one of the following, whichever is larger:
        - €10 million or
        - 2 percent of the previous year’s worldwide annual total revenue (not profit)
    - Major violations
      - Fines can go up to one of the following, whichever is larger:
        - €20 million or
        - 4 percent of the previous year’s worldwide annual total revenue (not profit)
- CCPA
  - Fines are based on whether a violation is intentional or unintentional:
    - Intentional violations
      - Fines can go up to $7,500 per violation
    - Unintentional violations
      - The following can be imposed on a violating organization:
        - Whichever of these is greater:
          - A fine of $100 - $750/individual per incident
          - Actual damages to the individual
        - Injunctive4/declaratory5 relief
        - Any other relief the court deems proper
How Your Organization Can Comply with These Regulations
In order to ensure your organization is complying with both GDPR and CCPA:
- Talk with your organization’s legal counsel, privacy experts and other stakeholders on what your organization needs to do in order to comply with GDPR
- Read our other information security & privacy compliance articles so you can meaningfully contribute to these discussions
- Thoroughly vet your third-parties
- With an increasing number of privacy regulations, consider implementing a Comprehensive Privacy Policy Framework6
- Where applicable, consider becoming US-EU Privacy Shield compliant
You can explore more in-depth articles on the foundations of GDPR and CCPA here.
1 The way GDPR is written, it applies to any individual who’s in the EU. This means that an American citizen who’s visiting France for a week is covered by GDPR during that week.
2 E.g., sells a product in euros
3 Under CCPA, a “minor” is anyone under 16 years of age. Additionally, for minors under age 13, explicit consent from the minor’s parent/guardian must be obtained
4 Injunctive relief: A court-ordered act or prohibition
5 Declaratory relief: When requested by one of the parties in court, a judge determines the parties’ rights under law, with the hope that doing so early will resolve some (if not all) of the case’s issues
6 NIST is publishing a comprehensive privacy framework in late 2019/early 2020