High-Level Comparison of GDPR and CCPA
Now that I have walked through the individual rights of both the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), discussed the CCPA in the context of other US privacy laws, and provided a detailed "cheat sheet" for each, let's compare the two at a high level from a scope, individual rights, obligations and enforcement perspective.
But First ....
... before we get to the scope comparison and so on, what is the "helicopter view" of where they are similar and where they differ?
They are similar in that both give individuals certain privacy rights vis-à-vis personal data that is collected or processed by various types of organizations: rights such as the Right to be Informed (i.e. the "Right to Know," in a transparent manner, what privacy rights a person has, what personal data is being collected, the purposes of its collection, and whether it is being sold or shared) and the Right to Delete that personal data. And both provide varying levels of "sticks" to enforce those rights.
Where they differ is that GDPR is much more focused on the accountability and governance aspects of processing personal data, while the CCPA is more focused on giving consumers tools to limit its sale. Under the CCPA there is no obligation for consumers to use those tools: CCPA is an "opt-out" system (except for minors), whereas GDPR requires a lawful basis before processing starts and is, in effect, "opt-in" where that basis is consent. So, as this MLex report states: "If consumers take no action, under CCPA, there are no restrictions on how businesses use their data."
Scope Comparison
In terms of effective date, GDPR came into full effect on May 25, 2018. CCPA was signed into law in 2018 but did not take effect until January 1, 2020, with two caveats: (1) enforcement actions by the California Attorney General (AG) do not begin until July 1, 2020; and (2) personal information collected by a business about job applicants, employees and contractors is out of scope until January 1, 2021.
In terms of who is regulated and who is protected, GDPR regulates "controllers" (entities that determine the purposes and means of processing personal data) and "processors" (third parties that process personal data on behalf of a controller) that are either: (a) established in the European Union (EU), regardless of whether the processing itself takes place in the EU; or (b) not established in the EU but either offer goods or services (paid or not) to, or monitor the behavior of, data subjects who are in the EU. Controllers can include non-profit organizations and public bodies, not just businesses. GDPR protects natural persons (i.e. real, living people, not corporations and not the deceased; the regulation calls them "data subjects"), and under (a) it does so regardless of whether the person is an EU resident. So the territorial reach of the law attaches to entities that are either established in the EU or that target people in the EU.
CCPA regulates for-profit "businesses" that do business in California and either (1) have annual gross revenue greater than $25 million, OR (2) annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices, OR (3) derive 50% or more of their annual revenue from selling consumers' personal information. This is much narrower in who is regulated: small-to-medium businesses below these thresholds and all non-profits are effectively excluded. CCPA protects consumers who are California residents, so its territorial aspect attaches to the consumer, i.e. California residency, rather than to where the business sits.
The data protected is roughly the same: GDPR calls it "personal data" while CCPA calls it "personal information." It is what you would expect, e.g. government IDs, credit card information, health records, etc. CCPA broadens the definition to include information linked to households and devices, not just to individuals. GDPR has "special categories" of personal data (often called sensitive data) covering racial or ethnic origin, political opinions, religious beliefs, health, sexual orientation, etc., which cannot be processed except under a short list of exceptions such as the data subject's explicit consent or a specific legal requirement. As noted above, the CCPA has delayed its coverage of employment-related personal information until January 1, 2021.
Finally, under GDPR personal data can only be processed if there is a lawful basis. Consent is one such basis, but it must be freely given, specific, informed and unambiguous (a clear affirmative act, not implied consent); the other bases include performance of a contract, compliance with a legal obligation, and the controller's legitimate interests. So the GDPR model is notice plus a lawful basis before processing begins, which in the consent case amounts to "opt-in." In contrast, in the US the Supreme Court's ruling in Sorrell v. IMS Health Inc. (2011) treated the sale and use of such data as speech protected by the First Amendment, which in practice leaves businesses free to collect data without having to specify a purpose. So CCPA is "opt-out," with an exception for minors: a business may not sell the personal information of a consumer it knows to be under 16 without affirmative ("opt-in") authorization, from the consumer themselves if they are at least 13 but under 16, or from a parent or guardian if the child is under 13.
Individual Rights
The totality of rights found in the GDPR and CCPA is shown below, where √ = yes/supported and X = not applicable (if you are not sure what one of these means, refer to the GDPR or CCPA cheat sheet in the prior blog posts):
Right to ...                                          GDPR   CCPA
... be Informed                                       √      √
... Access                                            √      √
... Rectification                                     √      X
... Erasure                                           √      √
... Restrict Processing                               √      X *
... Data Portability                                  √      √
... Object to Processing                              √      X *
... "opt out" for Third Party Sales                   √ **   √
... Reject Automated Decision Making and Profiling    √      X
... not be Discriminated Against                      √ **   √
* = except to opt-out of sales of personal data to third parties
** = implied
Obligations
The table below covers the legal obligations that a "controller" (GDPR) or "business" (CCPA) has with respect to processing personal data/information. Think of this as the "accountability" the controller/business owes for protecting that data.
Obligation                                            GDPR   CCPA
Privacy Policy Disclosure                             √      √
Data Protection by Design and by Default              √      X
Written Contracts with Processors / Service Providers √      √
Maintain Records of Processing Activities             √      X
Respond to Rights Requests                            √      √
New Homepage Link Required                            X      √
Implement Appropriate Security Measures               √      √ *
Security Breach Notification                          √      √ *
Data Protection Impact Assessment (DPIA)              √      X
Data Protection Officer                               √      X
Adhere to the Rules for Cross-Border Data Transfers   √      X
* = implied via other California law(s)
Enforcement
There is a very big difference between CCPA and GDPR on enforcement: the CCPA is in the "light slap on the wrist" category compared to GDPR. This is a big problem for both consumers and security professionals, as I discussed in this blog post on the "Problems with the California AG on Data Breach Reporting": many breaches are being swept under the rug, consumers are not being notified, and security professionals do not know the full extent of our data breach problem.
In terms of civil fines, i.e. regulatory penalties, GDPR enables Member States' "supervisory authorities" to hand out a range of penalties including: (1) fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher; (2) ordering entities to change how they process personal data; and/or (3) stopping entities from processing data altogether.
CCPA, on the other hand, allows the California Attorney General to go after a business only if it fails to cure an alleged violation within 30 days of being notified of alleged noncompliance. If after those 30 days the business or service provider is still in violation, it can be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per violation, or seven thousand five hundred dollars ($7,500) per intentional violation.
Specific to individuals' private rights of action, i.e. a business' liability to impacted individuals, the GDPR is much broader. Under GDPR, data subjects have a private right of action that can be brought against controllers and processors, and it covers material or non-material damage. Furthermore, there is a mechanism spelled out for a not-for-profit body, organization or association to bring claims on behalf of data subjects, i.e. a form of collective action.
With the CCPA, there is a private right of action, but only in the narrow context where a consumer's "nonencrypted and nonredacted personal information" is "subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices." Damages may be "not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater." The key point is that there is no private right of action for anything other than such a breach. Furthermore, "personal information" here takes the narrower definition found in Cal. Civil Code § 1798.81.5, i.e. another law, not the CCPA's own broad definition.
Part of the vision behind CCPA 2.0, aka the California Privacy Rights Act (CPRA), which will be on the California ballot in November 2020, is to beef up the CCPA's enforcement through a new regulatory agency, the California Privacy Protection Agency (I assume it will be abbreviated CPPA, which will confuse people, with CCPA and CPRA also in play). That is a good segue for me to drill down on the CPRA in an upcoming blog post.