As you may know, EU-based privacy regulation GDPR has been effective since May last year. Now, California’s own consumer privacy law, the CCPA, is also about to become effective from 1st January 2020.
Both the privacy laws, CCPA vs GDPR, work to strengthen data protection for users regarding the collection, usage, and sharing of information conducted by businesses. The aim of the two laws might be the same, but upon looking thoroughly, significant differences between the two frameworks become apparent.
What is the GDPR?
The General Data Protection Regulation (GDPR) is Europe’s framework to define how businesses and public sector organizations, including non-profit, can handle the information of individuals, whether collected online or offline. The legislation is designed to create unified data privacy laws across Europe and give individuals more control and authority of their own data.
Since the GDPR applies all across the EU, all the 28 member countries possess the ability to make small updates of their own to the regulation, e.g., making updates to the Data Protection Act 2018 of the UK. A noteworthy point is that a business or user who is subject to the DPA will also likely be subject to the GDPR rules.
Possibly the strongest data protection laws in the world, the GDPR is the replacement to Europe’s former data protection directive from 1995. The framework is a way to modernize the data protection laws from the 90s that needed major improvements, in order to cope with rapid technological advancements and growing digitization.
What is the CCPA?
Just like the GDPR governs user data in Europe, the California Consumer Privacy Act (CCPA) is the United States’s first-ever framework that defines how for-profit entities can collect, use, and sell the information of California residents. The CCPA bill received a pass in June 2018ㄧa month later after the GDPR came in to effectㄧfollowed by amendments in September 2018 and October 2019 later on.
Being the first of its kind, the CCPA framework is considered to be the most comprehensive data privacy directive in the US. It is an initiative to enforce data protection laws that give Californians the right to have better control of their own data and be entitled to transparency.
Although, CCPA is not to be taken as a replacement to California’s existing privacy laws, CalOPPA. Complying to the CalOPPA privacy policies is easier compared to the CCPA. While the CalOPPA, which continues to exist, applies to any business or website that collects information about California residents, e.g., collecting a resume or order shipping details, the CCPA enforces stricter, broader data collection rules on larger entities. (Watch our quick 20 minutes presentation on “Decoding CCPA”)
Both the frameworks might serve similar purposes, but they address things differently through their own nomenclature. But before actually getting into the comparison, it is important to know about the ‘who’s who’ in the CCPA vs GDPR.
Individual/Userㄧthe one who is protected
- CCPA: Consumers
- GDPR: Data subjects
Information/Dataㄧthat what is protected
- CCPA: Personal information
- GDPR: Personal data
Business/Companyㄧthe one that is regulated
- CCPA: Business and service providers
- GDPR: Data controllers and processors
Note: This section does not mention all the terminologies used under the CCPA and GDPR.
CCPA and GDPR Similarities
The CCPA and GDPR frameworks use different terminologies, but there are provisions that cater to similar purposes. Here are some similarities between the two:
- Type of individuals covered: Cover natural persons and not legal persons with respect to ‘consumers’ and ‘data subjects’ that they protect under their respective frameworks.
- Data protection for minors: Define special provisions for protecting personal information of children under or up to 16; the GDPR requires consent from parents or guardians and the CCPA requires opt-ins regarding selling of ‘personal information.’
- Excluding personal purposes: Exclude ‘business and service providers’ and ‘data controllers and processors’ from their application if the processing of information is related to personal, household, or non-commercial activity.
- Anonymizing the data: Do not apply their frameworks on anonymized data where data cannot reasonably identify or be linked to a ‘consumer’ or ‘data subject.’
By now, you’ve hopefully understood the basic definitions of the GDPR and CCPA, the purposes they serve, the terminology they use, and the commonalities they share. Now, let’s cover the key differences between the CCPA vs GDPRㄧwhat sets them apart and what individuals and businesses should know.
CCPA Vs GDPR
Effective 1 January 2020, the CCPA will be applicable and compliance will be expected from businesses who are subject to the framework. If your business falls under it, there are just a few days left for you to comply. Are you CCPA-ready?