The California Consumer Privacy Act is often described as similar to, or following in the footsteps of, the EU regulation known as the GDPR (General Data Protection Regulation). The enactment of the GDPR caused much hand-wringing because it substantially changed the way businesses could collect, store, and use personal information of EU residents. The CCPA is not nearly as broad as the GDPR, but it is, like the GDPR, changing the way businesses handle personal data, this time within the US.
The CCPA and the GDPR share similar goals. The idea is to give consumers the right to control the use of their personal information, and to put the burden on businesses to respect individuals’ rights over their personal data. Both laws give individuals the right to bring legal action against a business if the business violates the law. Both laws allow regulators to impose significant financial penalties against a business that violates the law.
Here are some ways they differ and some ways they are the same:
When does the law apply?
The CCPA applies to for-profit businesses that meet certain thresholds (see Part I) and that collect the personal information of California residents.
The GDPR applies any time personal information from EU residents is processed in any way. (“Processed” means collected, stored, transferred, accessed – pretty much anything you can do to data is “processing.”)
How is “personal information” defined?
CCPA: “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
GDPR: “any information relating to an identified or identifiable natural person …such as a name, an identification number, location data, an online identifier..”
Is anonymized, aggregated, and/or de-identified data also personal information?
CCPA: Data that is “reasonably capable of being associated with” an individual or household is personal information. If you could, without too much difficulty, connect that data to a person or household, it is personal information.
GDPR: Data that can be combined with other information to identify an individual is personal information. Data that is truly anonymized is not personal information.
What rights do individuals have over their data?
Right to access – An individual has the right to know what personal data a business has about that individual (this right is more limited under the CCPA)
Right to delete – An individual can request that a business delete and remove all of that individual’s personal data (with some exceptions)
Right to correct – Under the GDPR, a business must correct errors in an individual’s personal data if requested. (The CCPA does not include this obligation.)
Right to portability – An individual has a right to obtain a copy from the business of all personal information that business has regarding that individual
Right to opt-out – Under the GDPR, an individual can refuse consent or withdraw consent previously given to any processing of that individual’s data. Under the CCPA, a consumer can opt out of any sale of their personal data to a third party.
Non-discrimination – The CCPA explicitly says that a business can’t discriminate by refusing service or charging a higher price to a consumer who exercises their rights.
Except in the case of a parent exercising rights over a child’s data, these individual rights can only be exercised by the individual themselves, and not by a third party seeking access to an individual’s data. It’s important, therefore, to be able to verify the identity of an individual who makes a data access request.
Note too that both laws have additional obligations for the protection of children’s data and special categories of data, like health, financial, or biometric data. Children’s data and special category data are also protected under various federal laws.
For more information about how to comply with the CCPA, see Part III.
Please note that the above is a high-level overview for your information, and is not intended to be legal advice for your specific situation.