European Data Protection Regulation and California Consumer Privacy Act – a Comparison

 

On May 25th 2018, the General Data Protection Regulation (GDPR), one of the most comprehensive data protection laws in the world, was introduced in Europe and it changed the way Europeans even think about storing data. This includes the process in which it is obtained, stored, used and, not be forgotten, destructed. For private households this new law came with various advantages, for the companies themselves, it meant a lot of work and restructuring. The more data an organization collected over the years, the more data they have to dig themselves out of now to make sure they comply to new data protection law. On January 1, 2020, the California Consumer Privacy Act (CCPA), a similar law, is going to be introduced in California. This law also exists to protect the consumer and his or her privacy. Therefore, activities to comply with the CCPA will have to start at least 12 months before the implementation of this new law. This is the only way organizations can guarantee they are prepared and operating within the law once January 1, 2020 hits. As data privacy experts, Natuvion has broken down the core differences and similarities the GDPR and CCPA have in definitions, rights and enforcement.

 
 

Key definitions:
 

Personal Data/Personal Information

Both, the GDPR and the CCPA define their “personal data” and “personal information” quite broadly. The GDPR generally only means identified or identifiable individuals while the CCPA also includes households. The GDPR also has a topic for “special categories of data” which means sensitive data like race, sexual preferences, etc. and prohibits processing that data.
 

Pseudonymization

The GDPR and the CCPA are very similar in this point. The personal data of the “Data Subject” can no longer identify the person without the use of additional information that is kept separately. The GDPR allows the data subject itself to provide the additional information which the CCPA completely denies.
 

Children

Under the GDPR, children under 16 must have their guardians’ consent while the CCPA has an opt-in requirement for selling personal data. Children under 13 must also have their guardian opt-in for them.
 

Research

Research is defined in a very broad manner for the GDPR and the CCPA which allows both of them to act more freely for the public interest. Pseudonymization is important here. Under the GDPR, data collected for such research cannot be used otherwise. Under the CCPA the data collected for a certain research project can be used by the same business that collected the data in the first place.

 

 

Scope:
 

Personal Scope

Compared to the GDPR where businesses, public bodies and institutions as well as not-for-profit organizations are affected, under the CCPA, only for-profit entities are included. Also, for the CCPA it is important to know that you must be a California resident in order to be protected.

 

Territorial Scope

The GDPR applies to all organizations within the EU and also organizations outside the EU if they offer goods and/or services to “data subjects” that are located in the EU. The CCPA on the other hand hasn’t clearly defined their criterium. The law says that it applies to organizations doing business in California with California residents.

 

 

Consumer Rights:
 

The consumer has the right under both laws to request the deletion of his or her personal data. Furthermore, he or she has the right to know when data is being collected and what it is collected for (specific reason and it can only be used for that reason). The consumer also has the right under both laws to request to get a full report on what personal information an organization holds about them. This data is required to be received in a commonly used and easily usable format. The GDPR and the CCPA allow the consumers to ask the entities to stop processing and selling their information. The CCPA only allows to opt-out of the selling and not the collection of personal data. Under the GDPR it is different as any type of processing of the personal data can be requested to end. The CCPA establishes the right to non-discrimination for the exercise of rights. this menas that a business cannot deny consumers any goods or services, charge them different prices or provide a different level of quality if these consumers requested access or deletion of their personal informationor opted out from selling their personal data to the firm. The GDPR on the other hand does not have a clear point about this in its law.
 
 
 

Enforcement:
 

The authorities to supervise the application of the law are two different ones with different power as well. For the GDPR it is the national data protection authorities which are also part of the European Data Protection Board. The CCPA is supervised by the California Attorney General. Both laws have monetary penalties in order. For the GDPR the fines are issued by a data protection authority, the fines under the CCPA, however, are issued by a court. These laws are there to protect the consumers privacy and allow individuals and also class or collective actions to be brought against any organization that breaks these laws.
 
 

Conclusion:
 

With the introduction of the CCPA the hope is to strengthen the data protection rights of the residents of California. In the event of intentional breach of the CCPA's privacy obligations, the company must pay a fine of up to $ 7,500. If the company meets the consumer's demands within 30 days, a penalty can be avoided. The European GDPR and the California CCPA have many things in common. Especially the rights of those affected are very similar in the two laws. These provide the largest problem area in the implementation of the laws. Many of the experiences gained through the introduction of the GDPR can thus be partially adapted and reused. The already developed technical solutions can also be used for the CCPA.
 
 

Outlook:
 

It remains to be seen whether other states will follow the Californian approach or if the US government will develop a uniform data protection system. Do not miss our next article in which we introduce you to the relevant fields of action of the CCPA and their effects and technical realization options in IT system landscapes. Do you have questions or need help with your own privacy project? Then Natuvion is the ideal contact - we are happy to assist and accompany you on your way.

Join our webinar series where our competence center experts from IT and legal share an overview of data privacy laws and provide simple steps to comply. 

 

 

 

Register now