CCPA vs GDPR
CCPA Versus GDPR – Consumer rights
GDPR, on the other hand, mandates prior consent: a website must ask consumers for permission before storing or processing their data. The consent request must be clearly displayed, typically in a banner, and must state the purpose for which the data is being collected. The form must not contain pre-checked checkboxes (other than for the necessary options), so that the user is not misled. GDPR also states that if a user ignores the consent form and simply keeps browsing the website, this must not be treated as valid consent.
Like CCPA, GDPR also provides an opt-out option: a user can ask at any time that their data not be sold, or that their personal data be deleted from the company's records.
Similarly, both privacy laws require that consumers must not be discriminated against on the basis of their privacy preferences.
Who needs to comply?
The California Consumer Privacy Act applies to ‘for-profit’ businesses that serve California residents and meet any of the following criteria:
- Has a gross annual revenue of $25 million or more.
- Buys, sells, or collects personal information of more than 50,000 California consumers (individuals, households, and devices).
- Earns more than 50% of its annual revenue from the sale of personal information of California residents.
CCPA applies to qualifying businesses worldwide, even if they have no physical presence in the USA. Not-for-profit organizations and government bodies are exempt.
The General Data Protection Regulation applies to all businesses and organizations that collect data on individuals residing in the European Union and the European Economic Area. The organization may be a for-profit business, a not-for-profit organization, a public body, or an institution. In short, any website that collects data from individuals in the European Union must comply with GDPR, irrespective of its geographical location, type of business, or financial size.
Who is covered?
Under CCPA, a consumer is an identifiable natural person who is a resident of California. A resident remains covered while in transit or while temporarily outside California.
GDPR likewise protects data subjects who are identifiable persons, but they need not be residents of the EU or EEA. Even someone who is in the EU only temporarily or in transit enjoys the same rights, because their data is collected while they are within the EU’s geographical limits. CCPA grants no such rights to non-residents.
How do they define personal data?
According to CCPA, personal information is any information that can be linked to a specific consumer or a specific household. GDPR, by contrast, applies only to information relating to individuals.
CCPA exempts the following information from being treated as personal information:
- Information protected under CMIA and HIPAA
- Information protected by California’s Driver’s Privacy Protection Act
- Information collected for clinical trials
- Information publicly available from federal, state, and local government
CCPA doesn’t categorize any information as ‘sensitive.’
GDPR exempts the following information from being treated as personal data:
- Anonymous data
- Data processed through non-automated means
- Data processed for purely personal or household purposes
GDPR treats data relating to a subject’s health status, religious beliefs, ethnic origin, political orientation, and similar matters as highly sensitive, and businesses must give such data additional protection.
Penalties for non-compliance
Violating GDPR can result in a fine of up to 10 million euros or 2% of the annual global turnover of the preceding financial year, whichever is higher. For severe violations, the fine can reach 20 million euros or 4% of annual global turnover, whichever is higher.
Which is better?