The California Consumer Privacy Act (CCPA), heralded as the U.S. version of the European Union General Data Protection Regulation (GDPR), has many American companies overhauling their approach to privacy protection in data processing activities.
But treating the CCPA as “GDPR Lite” (as it is often called) can leave you out of compliance with the California law. The two privacy laws differ in many ways, and compliance with the GDPR does not by itself assure compliance with the CCPA. To meet the standards each law sets, you need to understand where they diverge.
To help, we offer here a detailed comparison of the CCPA and the GDPR.
How Do the CCPA and the GDPR Differ?
One key difference is which organizations fall within each law’s scope.
The GDPR applies to any organization, wherever it is located, that is established in the EU or that processes the personal data of individuals who are in the EU in connection with offering them goods or services or monitoring their behavior; the individual’s citizenship is irrelevant. The CCPA applies to for-profit businesses that do business in California and meet at least one of the following thresholds:
- Have annual gross revenue of more than $25 million;
- Annually buy, receive, sell, or share the personal information of 50,000 or more California consumers, households, or devices; or
- Derive 50 percent or more of their annual revenue from selling the personal information of California residents.
The types of information protected are similar, but the CCPA, unlike the GDPR, also treats data about a household or a device (including the applications on it) as personal information, not only data about an individual.
The CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device, and it lists specific categories such as identifiers, commercial information, internet or other electronic network activity, and geolocation data. The GDPR protects the “personal data” of any identified or identifiable natural person, and its Article 9 prohibits processing of the special categories of personal data (for example health data, racial or ethnic origin, or political opinions) unless one of a short list of exceptions applies.
Although the regulations use different language, both focus on giving individuals easy-to-read copies of the data collected about them and letting them move that data elsewhere. The GDPR created a new right to data portability: data subjects may receive their personal data from the controller in a structured, commonly used, machine-readable format and may ask that it be transmitted directly to another controller; the controller must act without undue delay and within one month, extendable by two further months for complex requests. Under the CCPA, when a consumer submits a verifiable request for the data a business has collected, the business must respond within 45 days (extendable once by a further 45 days if the consumer is notified), providing the information in a readily usable format that allows the consumer to transmit it to another entity without hindrance.
The two laws also use the same words to mean different things. The GDPR uses “processing” for any operation performed on personal data, from collection through to deletion. The CCPA distinguishes “collecting,” “processing,” and “selling,” and attaches different obligations to each. Consent also works differently: where the GDPR relies on consent as the lawful basis, it requires an affirmative opt-in (a clear act such as ticking an unchecked box; pre-ticked boxes and silence do not count), whereas the CCPA lets consumers opt out of the sale of their personal information after the fact, requiring opt-in consent only for consumers under 16.
Is the CCPA Stricter Than the GDPR?
Most practitioners consider the CCPA less stringent than the GDPR. If your company has already done the work to become GDPR-compliant, extending that program to the CCPA should be a manageable adjustment. GDPR compliance does not, however, guarantee CCPA compliance, as discussed below. You need to understand the requirements of each law to be sure your systems and processes satisfy both.
Does the GDPR ‘Cover’ the CCPA?
No. Compliance with one law does not equal compliance with both. Depending on the nature and size of your business, you might not need to be CCPA-compliant even if the GDPR applies to you. GDPR compliance gives you a strong head start, but the CCPA protects a different population (California residents, households, and devices), defines personal information differently, and adds requirements with no GDPR counterpart: a “Do Not Sell My Personal Information” link, a privacy policy that must be updated at least once every 12 months, and its own 45-day deadline for responding to consumer requests.
Where Does CCPA and GDPR Compliance Overlap?
Both laws are concerned first with the rights of data subjects and are structured to emphasize the rights of individuals rather than restrictions on businesses. Both were enacted to give people more transparency into, and awareness of, the lifecycle of their personal data.
Each law guarantees a set of rights to data subjects. The GDPR guarantees eight rights, while the CCPA mentions only five. Four of the rights in the CCPA overlap with the GDPR:
- Right to Know: Data subjects have the right to be told what personal information is collected about them and how it will be used, with that notice given at or before the point of collection.
- Right to Access: Data subjects have the right to make access requests for their personal information.
- Right to Erasure: Known as the “right to be forgotten” under the GDPR and the “right to delete” under the CCPA, this lets data subjects request deletion of their personal data, subject to exceptions in both laws (for example, where the data is needed to complete a transaction or to comply with a legal obligation).
- Right to Object: There is a divergence here. The CCPA allows Californians to opt out of the sale of their personal information, while the GDPR allows subjects to object to processing based on legitimate interests or a public task (including profiling) and, without exception, to direct marketing.
The CCPA also includes the right not to be discriminated against for exercising these rights; the GDPR adds the rights to rectification, to restriction of processing, and to data portability.
ZenGRC and GDPR/CCPA Compliance
These privacy laws raise the cost of a data breach. The CCPA gives consumers a private right of action, with statutory damages of $100 to $750 per consumer per incident, for breaches caused by a failure to maintain reasonable security practices, and the GDPR allows fines of up to €20 million or 4 percent of worldwide annual turnover, whichever is higher. Both also require that compliance documentation be collected, stored, and retrievable on request.
And as more people interact with vendors that process consumer data, or have employees handling consumer requests, compliance with both regulations requires more coordination between people inside and outside the organization.
ZenGRC monitors and streamlines workflows to assure requests are followed through to completion, a critical capability for meeting the CCPA’s 45-day timeline.
ZenGRC also simplifies the task of reviewing controls necessary for maintaining opt-out and opt-in information.
Finally, ZenGRC acts as a “single source of truth” so that all employees involved in GDPR and CCPA compliance can access the same information and documentation to support audits.
Why try to comply with these complex regulations on your own? ZenGRC helps take the “risk” out of risk management and compliance. Contact us for your free demonstration, and start down the worry-free path to GDPR and CCPA compliance.