The passage of the California Consumer Privacy Act (CCPA) has now raised the question as to whether the measures companies have implemented to comply with the General Data Protection Regulation (GDPR) will satisfy the CCPA. Unfortunately, the answer is largely, “No.”
Compared with the GDPR, the CCPA:
- Requires specific disclosures, consumer contact channels (which must be free of charge, such as a toll-free telephone number) and other items that the GDPR does not require.
- Defines "personal information" more broadly, extending it to information about households and devices rather than only identified or identifiable individuals.
- Gives California residents broader rights to request deletion of their data, subject to a different set of exceptions from those in the GDPR.
- Gives broader rights of access to personal information, without some of the exceptions available under the GDPR.
- Imposes more rigid restrictions on the sharing of personal information for commercial purposes.
- Does not give companies the discretion to offer consumers a choice between a paid service and a free service.
- Means that a company wishing to keep offering a free service to Californians cannot rely on revenue from sharing or otherwise using their personal information to fund that service.
- Allows companies to offer California residents financial incentives, including compensation, for the collection or sale of their personal information, but only with the consumer's prior opt-in consent, which the consumer may revoke at any time.
Table 1 – Other Differences

| | GDPR | CCPA |
|---|---|---|
| Basis for consent | Opt in (where consent is the lawful basis for processing) | Opt out (of the sale of personal information) |
| Who it applies to | Any organization processing personal data of individuals in the EU | For-profit entities that process personal data of California residents and either: |
| Rights for individuals | Access to data being held; right to erasure, rectification and objection to automated decision-making. Right to notification of a data breach. | Right to disclosure of, and to object to, the sale of data to third parties, with no discrimination against an individual who objects. Right of access to data being held. Right to know how personal information is being used and to whom it has been provided. |
| Effective date | May 25, 2018 | Jan 1, 2020 |
| Financial penalties | Up to 4% of annual turnover or €20m, whichever is greater | Up to $7,500 per violation; statutory damages of up to $750 per individual, or actual damages, whichever is greater |
| Time allowed to respond to a request | 1 month | 45 days |
Our compliance consultants are here to help if you have any questions on how to properly apply these new regulations to your organization.