The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are crucial laws that help consumers protect their privacy by letting them choose how they want to share their personal information with businesses and third parties. They share the same objectives, which is why they have numerous striking similarities. However, CCPA is based on the ‘opt-out’ principle, whereas GDPR mandates ‘prior consent’.

CCPA Versus GDPR – Consumer rights

If you are a California resident, CCPA gives you the right to check what personal information is collected about you. You can ask businesses not to sell that data, or to delete it, if you want. CCPA does not mandate prior consent, i.e., businesses/websites do not need to ask for your permission before collecting personal data such as browsing history, shopping history, etc. But it gives you the right to control how that information is stored and used. Websites must provide a ‘Do Not Sell My Personal Information’ button so you can easily opt out of having your personal information sold.

GDPR, on the other hand, mandates prior consent, i.e., websites must ask consumers before storing or processing their data. They must clearly display the consent form on their website in a banner. The consent form must state the purpose for which the data is being collected. The form must not have any pre-checked checkboxes (except for strictly necessary ones), so the user is not misled. GDPR also states that if a user does nothing with the consent form and simply keeps browsing the website, this must not be treated as valid consent.

Just like CCPA, GDPR also provides an opt-out option. So, if you want to stop your data from being sold or get your personal data deleted from the company’s records, you can do that at any time.

Similarly, both privacy laws mandate that consumers must not be discriminated against based on the choices they make.

Who needs to comply?

The California Consumer Privacy Act applies to ‘for-profit’ businesses that cater to California residents and meet any of the following criteria:

  • Has a gross annual revenue of $25 million or more.
  • Buys, sells, or collects personal information of more than 50,000 California consumers (individuals, households, and devices).
  • Earns more than 50% of its annual revenue from the sale of personal information of California residents.

CCPA applies to businesses worldwide, even if they have no physical presence in the USA. Not-for-profit organizations and government bodies are exempt.

The General Data Protection Regulation applies to all businesses and organizations that collect data on individuals residing in the European Union and the European Economic Area. The organizations may be for-profit businesses, not-for-profit organizations, public bodies, or institutions. In short, any website that collects data from the European Union must comply with GDPR irrespective of its geographical location, type of business, or financial size.

Who is covered?

CCPA protects the consumers, i.e., the residents of California, whereas GDPR protects data subjects.

As per CCPA, a consumer is an identifiable natural person who is a resident of California. CCPA still applies if that person is in transit or is temporarily outside California.

GDPR, however, protects data subjects, who are also identifiable natural persons but need not be residents of the EU or EEA. So, even if you are in the EU only temporarily or for transitory purposes, you still enjoy the same rights, because your data is collected while you are within the EU’s geographical limits. CCPA doesn’t provide any such rights to non-residents.

How do they define personal data?

According to CCPA, personal information is any information that can be related to a specific consumer or a specific household. GDPR, however, sticks strictly to individuals.

CCPA exempts the below-mentioned information from being treated as personal information:

  • Information protected under CMIA and HIPAA
  • Information protected by California’s Driver’s Privacy Protection Act
  • Information collected for clinical trials
  • Information publicly available from federal, state, and local government

CCPA doesn’t categorize any information as ‘sensitive.’

GDPR exempts this information from being treated as personal data:

  • Anonymous data
  • Data processed through non-automated means
  • Data processed for personal or household purposes

GDPR states that data relating to a subject’s health status, religious beliefs, ethnic origin, political orientation, etc., is highly sensitive and must be protected by businesses.

Penalties for non-compliance

If you fail to comply with CCPA, you may end up paying $2,500 per unintentional violation and $7,500 per violation in cases where you have intentionally violated the law. You may also have to pay up to $750 per consumer in statutory damages.

Violating GDPR could invite a penalty of up to 10 million euros or 2% of the annual global turnover of your preceding financial year, whichever is higher. If the violation is severe, you may have to pay a penalty of up to 20 million euros or 4% of your annual global turnover, whichever is higher.

Which is better?

While both of these laws aim to protect the privacy of consumers, GDPR has a broader scope than CCPA. It mandates that businesses must seek consent before collecting data. It properly segregates sensitive information so that penalties can be imposed accordingly. It protects everyone in the EU, whether resident or temporarily present. CCPA, however, is a first-of-its-kind law in the US and is soon going to pave the way for the California Privacy Rights Act (CPRA).

Wrap up

Data privacy is ever-evolving, and so is compliance with CCPA and GDPR. If you are unsure how to get started or maintain compliance, you should seek expert help because the penalties are quite high. Plus, the loss of reputation can cause severe damage to your business in the long run.
