'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
The 25th of May, 2018, was a red letter day in the history of data protection and privacy. This was the day that the General Data Protection Regulation (GDPR) went into effect. Designed to protect the personal data of consumers stored by businesses, GDPR gives citizens of the European Union powerful new rights over how their data is collected, stored, and used by various organizations, as well as ways to control how their data is handled.
Although there has been no federal-level movement on similar privacy legislation in the United States yet, strong state-level laws have emerged that promise to bring GDPR-like protections, and even expand on rights enumerated under GDPR for American internet users. The forerunner among all these state-level data privacy laws is the California Consumer Privacy Act (CCPA).
Although GDPR and CCPA share the aim of giving individuals more control over their personal data, they take different approaches. Here are some of the key differences between the two laws when it comes to scope, rights and enforcement.
Between CCPA and GDPR, the latter has a broader scope concerning who has to comply with the law. This is so because GDPR covers all citizens of the European Union, and regulates all organizations that collect and store personal information of E.U. citizens, irrespective of their location or size.
In contrast, CCPA places constraints on the size and nature of organizations that must comply as it applies only to ‘for-profit’ businesses that have $25 million or more in annual revenue, or possess personal data of more than 50,000 consumers, households, or devices, or earn more than half of their annual revenue selling consumers' personal information.
Sections 1798.140 (c), (g), 1798.145(a)(6)
The CCPA applies to organizations “doing business in California.” This criterion is not precisely defined in the CCPA. However, according to the California Franchise Tax Board, doing business in California consists of “actively engaging in any transaction for the purpose of financial or pecuniary gain or profit” and an out-of-state entity can be considered as doing business in California if it meets certain thresholds (see Section 23101 of the Revenue and Taxation Code). Therefore, it is conceivable that out-of-state entities collecting, selling or disclosing personal information of Californians can fall under the scope of the CCPA.
The obligations imposed on businesses by the CCPA do not restrict a business’s ability to “collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California [...]” this is further clarified as “commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California and no personal information collected while the consumer was in California was sold.”
Articles 3, 4(1) Recitals 2, 14, 22-25
Under Article 3, the GDPR applies to organizations established in the EU. The GDPR applies to processing by controllers and processors in the EU (entities that have an “establishment” in the EU) if processing of personal data takes place in the context of the activities of that establishment, irrespective of whether the data processing takes place in the EU or not. “Establishment” in the EU is interpreted broadly, which could include having a minimal presence of using a local agent or having a single representative.
The GDPR also applies to organizations located outside the EU (those that do not have an establishment in the EU) if they offer goods or services to, or monitor the behavior of, data subjects located in the EU, irrespective of their nationality and the company’s location.
Both GDPR and CCPA give consumers specific rights. Some of these rights include the right to have information deleted or accessed. Both GDPR and CCPA protect only natural persons and not legal persons. Businesses must test their processes and ensure they can accommodate consumers’ rights, subject to certain limitations. GDPR allows controllers and businesses to either charge a reasonable fee or refuse to respond on manifestly unfounded or excessive requests made by data subjects. Furthermore, under the GDPR, the controller must inform the data subject of the reasons for not taking any action on their request without delay and at the latest within 1 month of receipt of the request.
CCPA does not allow businesses to charge for access and deletion requests, but allows them to verify any consumer request before complying, and limits personal information disclosure requests that businesses must comply with to 2 requests per 12 month period. CCPA also allows businesses to reject a request to delete personal information if the information is necessarily required by the Business for completion of a contract, service, warranty, to comply with a legal obligation, or for security purposes.
CCPA does not limit the scope of this right to specific situations, categories of personal information or purposes. The right generally applies to personal information that a business has collected from the consumer and it seems that the consumer does not have to justify his or her request.
The deadline to respond to a right request is 45 days from the receipt of the consumer’s request. The deadline can be extended an additional 45 days when reasonably necessary, provided the consumer is informed within the first 45 days. It is important to note that the time period to respond to any verified consumer request may be even further extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests.”
The right to erasure only applies in instances where consent is withdrawn and there is no other legal ground for processing, or when personal data is no longer necessary for the purpose for which it was collected.
Data subjects’ requests under this right must be replied to without “undue delay and in any event within 1 month from the receipt of the request.” The deadline can be extended to 2 additional months taking into account the complexity and number of requests. In any case, the data subject must be informed of such extension together with reasons for the delay within one month from the receipt of the request.
CCPA also stipulates that information on the following must be provided to consumers:
The GDPR states that information on the following must be provided to consumers:
Under GDPR, data subject also has a right to transparent information, communication and modalities for the exercise of the rights of data subject under which controller is required to provide information to data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
CCPA provides consumers with a right to opt-out from the selling and/or disclosing for business purposes of their personal information. The opt-out can therefore only stop the selling of personal information, and it does not impact other uses of their information. However, the right to opt-out of the sale is absolute i.e. that businesses cannot reject an opt-out request on the basis of their compelling legitimate grounds.
Businesses must adhere to the language provided in CCPA, namely the homepage of their website must have a link titled ‘Do Not Sell My Personal Information.’
GDPR provides data subjects with the right to object to the processing of their personal data when the processing is based on the legitimate interest of the controller or a third party. The data controller would have to cease processing personal data unless it demonstrates that there are compelling legitimate grounds to continue the processing.
Moreover, the data subject has the right to object to processing for direct marketing as well as to withdraw consent at any time.
The consumer has a right to request a report of all the personal information collected/disclosed or sold by a business. The report must contain categories of personal information collected, categories of sources, the business or commercial purpose for which the information was collected or sold, categories of third parties who were sold/disclosed the personal information and specific pieces of personal information collected by the business. This right applies only to personal information collected in the 12 months prior to the request.
The right applies to all the personal data collected and processed about the data subject making the request. Under GDPR, the data controller must include further information in the response to a request of access, notably, the retention period, the right to lodge a complaint with the supervisory authority, the existence of automated decision making, and existence of data transfers.
CCPA states that consumers must not be discriminated for exercising their rights under CCPA, which means they must not be:
It has to be noted that a different price or change in services to consumers opting to exercise their right not to sell their personal information is only allowed if the difference can be reasonably related to the value of the consumers’ data to the business.
Businesses can also set up schemes for providing financial incentives to consumers if they choose to allow the collection and sale of their personal information, but the consumers must opt-in to become part of such an initiative.
GDPR does not explicitly include this right and therefore no scope is defined. Although GDPR does not contain any explicit provision on non-discrimination, it requires personal data to be processed fairly, controller to provide fair and transparent information and that data subject’s consent be given freely.
CCPA does not explicitly provide any right to rectification or correction.
Right to rectification is the data subject’s right to correct any inaccurate personal data and to have incomplete personal data completed.
Under CCPA, consumers have the right to data portability that ensures access to information in a portable and readily usable format and that allows consumers to transmit information to another entity. Right to data portability is part of the right to access under CCPA and is therefore subject to the same limitations.
Right to data portability is the right to receive data in a structured, commonly used and machine-readable format as well as the right to transmit data to another controller or from one controller to another. This right can only be exercised where it is technically feasible to do so and it does not adversely affect the rights and freedoms of others.
This right is not explicitly found under CCPA.
This right applies when accuracy of data is contested by data subject, processing is unlawful and data subject opposes erasure and requests restriction, controller no longer needs it for processing but data subject requires for legal claims, or when data subject has objected to processing pending the verification whether the legitimate grounds of controller override those of data subject.
This right is not explicitly found under CCPA.
This is the right of a data subject not to be subject to decision based solely on automated processing, including profiling, that produces legal effects concerning the data subject or similarly significantly affects him/her unless certain exceptions apply.
CCPA makes it obligatory upon businesses not to sell or disclose the personal information of consumers to any entities who process the data on behalf of the business for any specified business purpose unless they sign a written contract first.
The written contract should detail that the entities processing the data cannot use, disclose, sell or process that data containing consumers’ personal information in any manner inconsistent with the specific business purpose. And if the entity which has bought the personal information of consumers from a business wishes to sell it forward, it will need to provide a notice to the concerned consumer and an opportunity to opt out of the sale.
Although there is no explicit data subject’s right to continued protection under GDPR, it requires a detailed contract or other legal act to be in place between controllers and processors for the purposes of disclosure of personal information.
Both GDPR and CCPA mandate penalties based on non-compliance and/or data breach. Under GDPR, penalties can reach up to either 4% of global turnover or €20 million (whichever is higher) for a severe violation and 2% of global turnover or €10 million (whichever is higher) for a less severe infringement. It is important to note that under the GDPR, DPAs can apply sanctions when a company is deemed to be at risk of a breach or not behaving responsibly.
CCPA fines for non-compliance are not cumulative but rather are applied per violation, which can reach up to $2,500 per unintentional violation and $7,500 per intentional violation, with no upper cap. The violation of CCPA guidelines can only be prosecuted by the State of California through the Attorney General of California after it has been granted a 30 day notice to cure an alleged violation.
CCPA, also sets civil damage penalties rates of up to $100 - 750 per violation, per user (or actual harm if that is greater) for the breach of unencrypted and non-redacted personal information of individual consumers. Therefore under these provisions, post-incident costs for violators under CCPA could approach or even exceed those under GDPR.
Sections 1798.155, 1798.185
The Attorney General has the power to assess a violation of the CCPA. The CCPA does not specify which activities are included in this assessment.
The Attorney General has the power to assess alleged violations of the CCPA and to bring action before the court for civil penalties, which include monetary penalties and injunctions after providing a notice to the violator and providing them a 30 day period to cure the alleged violation.
The monetary penalties collected through civil actions under the CCPA form the Consumer Privacy Fund, which funds the activities of the Attorney General in this sector.
The Attorney General has the power to independently start investigations and actions against alleged non-compliance from businesses.
There is also a private legal action which consumers can take if their unredacted or unencrypted personal information is breached. Damages between $100-750 or actual harm incurred (whichever is greater) can be recovered.
Articles 51-84 Recitals 117 - 140
Data protection authorities have investigatory powers which include the power to:
“conduct data protection audits, access all personal data necessary for the performance of its tasks, obtain access to any premises of the data controller and processor, including equipment and means.”
Data protection authorities have corrective powers which include:
“issuing warnings, reprimands, to order the controller and processor to comply, order the controller to communicate a data breach to the data subject, impose a ban on processing, order the rectification or erasure of data, suspend the transfer of data and impose administrative fines.”
The GDPR does not regulate how data protection authorities are funded, this being left to the Member States to decide.
The GDPR states that data protection authorities must act in “complete independence when performing their tasks,”which also means that they must be free from financial control by having a separate and dedicated budget.
The clauses on data encryption requirements on part of the businesses in both laws constitute a rather grey area. GDPR calls for access to data encryption, making this an essential part of the privacy protection component for businesses. The main reason for this is to add an extra layer of protection for consumers’ data. However, CCPA does not explicitly lay down any duty on businesses to undertake encryption.
While encryption is one procedure to secure data and avoid data abuse, GDPR requires controllers and processors to take into consideration a list of factors while choosing any appropriate technical or organizational measure for the purposes of data security under its Article 32. These factors include the state of the art, the costs of implementation and the nature, scope, context and purposes of processing and the risks of varying likelihood and severity for the rights and freedoms of natural persons.
Encryption reduces a company’s liability arising out of a data breach. Under both CCPA and GDPR, if a company suffers from a breach but their data has been encrypted, some or all of the company’s obligations can be reduced. This might be because if breached data was encrypted, companies have another level of protection against unauthorized access, and therefore have some reduction in liability by default. Under both GDPR and CCPA, businesses are not responsible to notify any data breach if they have implemented protection measures such as encryption. Encryption is considered to be a strong data protection measure that also provides much flexibility to controllers and processors to meet data security needs. “Encryption provides the best defense against any fines that might be levied for violations or data breaches under CCPA”, according to ESG and Fortanix.
With the regulations such as the CCPA and GDPR affecting companies worldwide, organizations need to start looking towards solutions that can easily keep track of all the regulations under each law, which regulations apply to your organization and provide a swift compliance framework that an organization can follow.
See how easy it is to manage privacy compliance with robotic automation.