Do you know how much data is created every day? On average, around 2.5 quintillion bytes. By 2025, it is estimated that people will be generating 463 exabytes of data every day. A large part of this is personal data, showing what online users like, what they search for and what they buy. This data is invaluable for organizations of all sizes and industries, as it lets them understand who their customers are and what they expect from a brand. The problem was that internet users had little to no control over who collected their data and how it was used.

Although several privacy laws existed (such as the EU Data Protection Directive from 1995), regulations and online user rights often varied from country to country, which left plenty of room for personal data misuse.

Since 2018, the situation has changed with the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), both of which limit how much data organizations can collect and what they can do with it.

While the CCPA and the GDPR cover similar topics and share the same goal, there are a few things they do differently. Which ones? This GDPR vs. CCPA comparison covers everything you need to know about the two privacy regulations.

What is GDPR?

GDPR (General Data Protection Regulation) is the European Union’s data protection law. It applies to organizations anywhere in the world that collect or process personal data about people in the EU (what matters is that the person is in the EU, not their citizenship).

The law’s main aim is to limit what businesses can do with the data they collect, protect individuals’ privacy rights, and give them more control over how their personal data is used. Under the GDPR, any information that can identify a living natural person is personal data and falls under the law: name, phone number or address, but also browsing habits or previous purchases. “Data subjects” (the natural persons the data relate to) can at any time ask a company for a copy of the data it holds on them, or ask the company to stop using it.


Designed to replace the outdated 1995 Data Protection Directive, the GDPR contains eleven chapters and 99 articles. They cover the rights of data subjects, organizations’ duties when storing and processing data, the security measures required, penalties for violations, and the conditions under which data can be handed over to other companies or transferred to other countries. This makes the European privacy law one of the most comprehensive and strictest privacy laws in the world.

Under the General Data Protection Regulation, individuals have the right to:

  • Access their data: A data subject has the right to request access to their data and to ask how the company uses it. Organizations must provide a copy of the personal data, normally free of charge, whenever the data subject requests it (Article 15).
  • Have their data deleted: Data subjects can request that the data companies gathered about them be erased from the companies’ databases (the “right to be forgotten”), subject to exceptions such as data the company is legally required to keep.
  • Move their data to a different place: Individuals can request the data they provided in a structured, commonly used, machine-readable format and have it transferred from one service provider to another.
  • Be informed about their data being collected: Under the GDPR, businesses must give consumers a “privacy notice” explaining why they collect and store the data, on what lawful basis, and how long it will be kept. Where consent is the lawful basis relied on, it must be obtained before the data is collected.
  • Correct their personal information at any time: Consumers who find that their personal data is incorrect or incomplete can ask the company to rectify it.
  • Limit/forbid companies from processing their data: When a consumer objects to a company using their data for certain purposes (e.g., direct marketing), the company must stop without undue delay. Businesses must also make it clear that consumers can withdraw consent at any time, and withdrawing it must be as easy as giving it was.


When do you have to comply with GDPR?

When it comes to who must comply with the European privacy law, the GDPR is straightforward: any entity that collects or processes the personal data of people in the EU must comply, regardless of where the organization is located (Article 3).

The often-quoted 250-employee threshold does not decide whether the GDPR applies to you; it only affects record-keeping. Organizations with fewer than 250 employees do not have to keep records of all their processing activities (Article 30) unless:

  • the processing is not occasional (for example, data processing is part of their core business)
  • it covers special categories of data or data on criminal convictions
  • it is likely to result in a risk to the rights and freedoms of data subjects.

This might sound broad, so let’s look at an example: a logistics company based in Florida. As long as it works only with US-based clients and has no business dealings with people or companies in Europe, it only needs to comply with local law. The situation changes once it starts offering its services to customers in the EU or monitoring their behaviour (for example through tracking on its website): from that point on it is legally obliged to comply with the GDPR.

Since virtually all websites collect some user information, the GDPR applies to them too. The law is not triggered simply because a page can be opened from the EU, though: what matters under Article 3(2) is whether the site offers goods or services to people in the EU or monitors their behaviour. A geographically restricted site, for example an American version of a brand’s website that only serves visitors in the US, is a strong signal that it does not target EU users, but geo-blocking by itself is not a formal exemption.

What is CCPA?

The California Consumer Privacy Act (CCPA) is a state law passed in June 2018 that went into effect on 1 January 2020. Modelled in part on the GDPR, it was created in response to earlier incidents in which businesses were accused of mishandling or exploiting private information. It was the first law of its kind in the US, giving Californians unprecedented online privacy protection, including a limited right to sue businesses after a data breach caused by a failure to maintain reasonable security.

Californian users also gained several new rights under this landmark law, including:

  • The right to know what personal information a business collects about them and how it is used.
  • The right to access the personal information a business holds about them.
  • The right to request deletion of the personal information collected about them.
  • The right to opt out of the sale of their personal information.
  • The right to exercise their CCPA rights without being discriminated against: denied a service, charged a higher price, or given a different level of goods or services.

Because the consumer rights are so similar to those in the General Data Protection Regulation, the California Consumer Privacy Act is often called a Californian version of the European law. There are some ways in which it differs from the GDPR, though; we’ll look at the main differences in a moment.

When do you have to comply with CCPA?

When it comes to which organizations have to comply, the Californian law is definitely less strict than the European one: it applies only to for-profit businesses that do business in California and meet one or more of the following conditions:

  • annual gross revenue of more than $25 million
  • buying, selling, receiving or sharing the personal information of 50,000 or more California consumers, households or devices per year for commercial purposes
  • deriving 50% or more of annual revenue from selling personal information

Note that the CPRA amendments, in force from 1 January 2023, raise the second threshold to 100,000 consumers or households.

Like the GDPR, the CCPA also applies to businesses outside California and outside the US. As long as a company handles the personal information of California residents and meets at least one of the conditions above, it must comply with the California Consumer Privacy Act. Non-profits and government agencies are exempt.

Similarities between GDPR and CCPA

The California Consumer Privacy Act and the General Data Protection Regulation are similar in several ways, which is why they are so often compared. Both were created to give consumers far more control over how much personal data is collected about them and how it is used. Both also grant very similar rights, for example to ask a business to erase the information it holds about them, or to object to certain uses of their data (direct marketing under the GDPR, sale of their data under the CCPA).

Additionally, neither law is restricted to California or Europe alone. As long as a business handles the personal information of EU or California residents, it must comply with the GDPR or the CCPA respectively, regardless of where the company is based.


Key Differences between GDPR and CCPA

Although the two laws look similar in terms of rights and goals, there are also some major differences between them. Missing those nuances can make adjusting your company’s internal privacy policies and ensuring compliance trickier. So let’s look at what exactly makes the General Data Protection Regulation and the California Consumer Privacy Act unique.

#1 Law Scope

First, let’s look at how broad each law is.

The General Data Protection Regulation applies to any entity (whether a regular business, a non-profit or a government agency) as long as it collects or processes personal data of anyone located in the EU, through any medium: emails, websites, apps and so on. The main exemptions are for purely personal or household activities (Article 2(2)) and for organizations with no customers, users or other data subjects in the EU. The small-company relief mentioned earlier only lightens record-keeping; it does not exempt anyone from the law itself.

The California Consumer Privacy Act meanwhile only covers for-profit entities that do business in California (NGOs and government agencies are exempt) and that meet at least one of these thresholds:

  • annual gross revenue of over $25 million
  • buying, selling or sharing the personal information of 50,000 or more consumers, households or devices per year
  • earning 50% or more of their revenue from selling personal information

plus businesses that share common branding with, control, or are controlled by a company that falls under the CCPA.

That makes the GDPR a far broader law than the CCPA: it covers virtually all organizations worldwide, regardless of size or location, as long as they process data on people in the EU. The CCPA’s reach is limited to larger for-profit companies, with smaller businesses and non-profits not needing to comply.

#2 Data access

Under both laws, consumers have the right to ask a business what personal data it has collected about them and to request a copy. There are a few (albeit small) differences here as well, for example in response time. Under the GDPR, consumers can send such a request at any time and the company must respond without undue delay, at the latest within one month, extendable by a further two months for complex or numerous requests (Article 12). The CCPA allows 45 calendar days, extendable once by another 45 days where reasonably necessary.

The GDPR also gives consumers the right to correct any incomplete or incorrect parts of their data (the right to rectification). Californians did not have such a right under the original CCPA, but the California Privacy Rights Act (CPRA), effective 1 January 2023, adds a right to correct personal information as well.

#3 Data collection

The biggest difference between the two laws is how organizations may collect data, with the European law far stricter than the Californian one. Under the GDPR, an organization must have a “lawful basis” (Article 6) for each purpose it processes data for. Consent is only one of six such bases; others include performance of a contract, a legal obligation and legitimate interests. The organization must tell people which basis it relies on and how the data will be used, and may collect only the data needed for that purpose. Where it relies on consent, it cannot collect or use the data before the person gives clear, affirmative permission: this is “opt-in consent”.

Many businesses use checkboxes for this. By ticking some boxes and leaving others unticked, consumers can consent to all the stated purposes or only some of them, limiting what the company may do with the data. Two details matter here: consent must be separate per purpose (no single “I agree to everything” box bundled with the terms of service), and pre-ticked boxes do not count as consent (Recital 32).

Giving the consumer clear information on what they need to do to give consent, and how and when they can withdraw it, is one of the key requirements here. The organization must also be able to demonstrate that consent was given (Article 7), which in practice means keeping a record of who consented to what, when, and how.

The CCPA has no explicit-consent requirement: businesses may collect personal information from consumers aged 16 or older without first asking permission, as long as they give notice at or before collection. What the law requires is telling consumers what is collected and why, and how they can opt out. Selling the personal information of consumers under 16 is the exception, as it does require opt-in (with a parent’s or guardian’s consent for children under 13).

Businesses that sell personal information must also place a “Do Not Sell My Personal Information” link in a visible spot on their website, giving consumers an easy way to opt out of having their data sold to other entities.
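The opt-in versus opt-out distinction above is the part most likely to be got wrong in code, so here is an added example (written for this article, not code from Safetica or any regulator) of a consent gate that serves both sides of the comparison: a GDPR-style ledger where nothing is allowed until the person affirmatively agrees per purpose, and a CCPA-style ledger where sale is permitted until the person uses the Do Not Sell link. The class and function names (ConsentLedger, may_process, record_form_submission, sale_regime_for_age) are hypothetical, and the purposes, timestamps and form fields are constructed sample data.

```python
"""
Consent gate for an opt-in regime (GDPR consent basis) versus an opt-out
regime (CCPA sale of personal information).

Added example for this article, not code from Safetica or any regulator.
All names are hypothetical; purposes, timestamps and form fields below are
constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Regime(Enum):
    OPT_IN = "opt-in"    # nothing is allowed until the person affirmatively agrees
    OPT_OUT = "opt-out"  # allowed by default until the person objects


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str       # one entry per purpose: "marketing", "analytics", "sale", ...
    granted: bool      # True: consent given / opt-out reversed; False: withdrawn / opted out
    at: datetime
    source: str        # where the choice was captured, e.g. "signup-form", "do-not-sell-link"


@dataclass
class ConsentLedger:
    """Append-only record of one person's choices.

    Keeping every event (not just the current state) is what lets a controller
    demonstrate that consent was given, when and how (GDPR Art. 7(1)).
    """
    regime: Regime
    events: list = field(default_factory=list)

    def record(self, purpose: str, granted: bool, source: str,
               at: Optional[datetime] = None) -> None:
        self.events.append(ConsentEvent(purpose, granted,
                                        at or datetime.now(timezone.utc), source))

    def latest(self, purpose: str) -> Optional[ConsentEvent]:
        # Events are appended in chronological order, so the last match wins.
        for event in reversed(self.events):
            if event.purpose == purpose:
                return event
        return None

    def may_process(self, purpose: str) -> bool:
        """The gate every processing job should call before touching the data."""
        event = self.latest(purpose)
        if event is None:
            # No recorded choice: opt-in denies by default, opt-out permits by default.
            return self.regime is Regime.OPT_OUT
        return event.granted


def record_form_submission(ledger: ConsentLedger, purposes: list,
                           submitted: dict, source: str,
                           at: Optional[datetime] = None) -> dict:
    """Translate a submitted HTML form into per-purpose consent events.

    Browsers omit unticked checkboxes from the POST body, so a purpose whose
    field is absent is recorded as NOT granted rather than defaulted to True.
    This only works if the form renders the boxes unticked: a pre-ticked box
    is submitted exactly like a ticked one, and does not count as consent
    (GDPR Recital 32). Returns the decision recorded for each purpose.
    """
    decisions = {}
    for purpose in purposes:
        granted = submitted.get(f"consent_{purpose}") == "on"
        ledger.record(purpose, granted, source, at)
        decisions[purpose] = granted
    return decisions


def sale_regime_for_age(age: int) -> Regime:
    """CCPA: selling personal information is opt-out for consumers aged 16 or
    older and opt-in for those under 16 (under 13 additionally needs a parent's
    or guardian's consent, which is not modelled here)."""
    return Regime.OPT_IN if age < 16 else Regime.OPT_OUT


if __name__ == "__main__":
    t0 = datetime(2023, 1, 10, 9, 0, tzinfo=timezone.utc)  # constructed timestamp

    # GDPR-style: marketing email is blocked until the person ticks the box.
    eu_user = ConsentLedger(Regime.OPT_IN)
    print("EU marketing before consent:", eu_user.may_process("marketing"))
    record_form_submission(eu_user, ["marketing", "analytics"],
                           {"email": "a@example.com", "consent_marketing": "on"},
                           "signup-form", t0)
    print("EU marketing after signup:", eu_user.may_process("marketing"))
    print("EU analytics (box left unticked):", eu_user.may_process("analytics"))
    eu_user.record("marketing", False, "unsubscribe-link", t0.replace(day=20))
    print("EU marketing after withdrawal:", eu_user.may_process("marketing"))

    # CCPA-style: sale is permitted until the person uses the Do Not Sell link.
    ca_user = ConsentLedger(sale_regime_for_age(34))
    print("CA sale by default:", ca_user.may_process("sale"))
    ca_user.record("sale", False, "do-not-sell-link", t0)
    print("CA sale after opt-out:", ca_user.may_process("sale"))
```

The design choice worth noting is that the default (no event recorded) is where the two regimes diverge, so it is a property of the ledger rather than something each caller decides. Under CCPA, an under-16 consumer gets an opt-in ledger for sale, so the same gate denies by default for them without any special-casing in the processing code.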

#4 Fines and penalties for non-compliance

Last but not least, each law has different financial penalties for non-compliance. The GDPR is known for its heavy administrative fines. Less serious violations can result in penalties of up to €10 million or 2% of the firm’s worldwide annual turnover (whichever is higher). Severe or repeated violations can reach €20 million or 4% of annual turnover, again whichever is higher. Since 2018, EU data protection authorities have handed out GDPR fines totalling well over €1 billion, with the highest single fine, €746 million, imposed on Amazon Europe Core S.à r.l. by Luxembourg’s regulator in 2021.

Compared to the above, the CCPA’s fines might seem much lower:

  • a maximum civil penalty of $7,500 per intentional violation
  • a maximum civil penalty of $2,500 per unintentional violation
  • consumers can also file private lawsuits after a data breach for statutory damages of $100 to $750 per consumer per incident, or actual damages if those are greater

At first glance these numbers may not seem significant next to GDPR fines. However, the CCPA counts each violation separately and there is no overall cap, so the total scales with the number of affected consumers. Statutory damages awarded in breach lawsuits come on top of the civil penalties.

For example, say a company the size of Facebook ignored the privacy requirements and the California Attorney General received over 200,000 complaints about it. If the violations were deemed intentional, the penalty could reach 200,000 × $7,500, i.e. $1.5 billion in total.

So while CCPA fines may look small next to the GDPR’s, the amount adds up quickly, especially once consumer damages are added to the penalties for the violations themselves.

Summary of CCPA vs GDPR

Now that we have taken a closer look at the California Consumer Privacy Act and the EU General Data Protection Regulation, we can see that they have several important differences. Let’s sum them up:

Who falls under the regulation?

CCPA: for-profit businesses doing business in California that meet at least one of these thresholds:
  • gross revenue over $25 million annually
  • buying, selling, sharing or receiving the personal information of 50,000 or more consumers, households or devices annually (100,000 consumers or households from 2023 under the CPRA)
  • earning 50% or more of their revenue from selling personal information
  Non-profit organizations and government agencies are exempt.

GDPR: any organization worldwide, of any size or type, that processes personal data of people in the EU.
  • There is no size-based exemption from the law itself.
  • Organizations with fewer than 250 employees are only relieved of keeping full records of processing activities, and only if the processing is occasional, low-risk and does not involve special categories of data.

Who is protected?

CCPA: consumers, defined as natural persons who are California residents.

GDPR: data subjects, defined as identified or identifiable natural persons.

How a company can gather data under the law

CCPA: organizations can collect personal information without asking the consumer for permission, but must give notice of what is collected and why, state how consumers can limit the data collected, and explain how they can opt out of having their data sold to other parties.

GDPR: organizations cannot collect data unless they have a lawful basis for a clear purpose (consent, a contract, a legal obligation, legitimate interests and so on). Where the basis is consent, it must be obtained before collection, separately for each purpose, and must be as easy to withdraw as it was to give.

Rights given to the people covered by the law

CCPA:
  • The right to know about the collection, storage and processing of their personal information.
  • The right to access the personal information a business holds about them.
  • The right to request that organizations delete the personal information stored about them.
  • The right to opt out of the sale of their personal information.
  • The right to exercise their CCPA rights without discrimination.
  • (From 2023, under the CPRA, the right to correct their personal information.)

GDPR:
  • To access their data at any time.
  • To have their data deleted.
  • To be informed about their data being collected and, where consent is the basis, to agree to the collection.
  • To correct their personal information at any time.
  • To limit or object to companies processing their data.
  • To move their data to a different provider (data portability).

Penalties for non-compliance

CCPA:
  • $7,500 maximum civil penalty for each intentional violation.
  • $2,500 maximum civil penalty for each unintentional violation.
  • Consumers can also file private lawsuits after a data breach for statutory damages of $100 to $750 per consumer per incident.

GDPR:
  • Up to €10 million or 2% of worldwide annual turnover (whichever is higher) for less serious violations.
  • Up to €20 million or 4% of worldwide annual turnover (whichever is higher) for the most serious violations.

Conclusion

The CCPA and the GDPR have a similar intent: to protect consumers’ privacy in the digital world and to stop businesses misusing consumers’ data. But there are visible differences in how each law works.

With GDPR, all organizations, regardless of size or location, must comply with the regulations if they have or might have customers from the EU. Because there are so many specific requirements, your company may also need to prepare and take several organizational measures in order to comply.

CCPA requirements are a bit more lenient, as you only need to follow the regulation if you meet one or more of its conditions, such as handling the personal information of more than 50,000 California consumers a year.

However, navigating the nuances of each law and getting everything ready for compliance can be confusing, especially if this is your first time dealing with privacy law requirements. Wouldn’t having someone at hand to help make the whole process easier?

With Safetica on your side, you can see how your company collects and stores data, make sure that data is secure, and understand the nuances of both privacy laws. Becoming GDPR and/or CCPA compliant then becomes much more manageable.

Author
Kristýna Svobodová
Content Strategist @Safetica
