If your organisation currently operates in California, it is likely that you are already compliant with the California Consumer Privacy Act (CCPA). Whilst this takes you one step closer to being compliant with the EU General Data Protection Regulation (GDPR), there are a few extra processes and checklists that your organisation must go through to be fully compliant. In essence, the GDPR is the stricter cousin of the CCPA and more work needs to be done on your end.
In 2018, the European Union passed the General Data Protection Regulation (GDPR) to protect its citizen’s data rights. This transformed the way companies are able to handle the personal data of data subjects and the far-reaching consequences of breaching this regulation. It is the most comprehensive data regulation of its kind and has a wider scope in comparison to the CCPA.
The CCPA was introduced in January 2018 within the State of California, went into effect in January 2020 and was enforced on 1st July 2020, affecting businesses operating in California that collect personal information of California consumers.
How organisations can go from the CCPA to GDPR in a few simple steps:
Understanding the different scope of application
Understanding the different scope of protection
Understanding data breaches and penalties
By way of introduction, there are a few basic similarities and differences between the two regulations that should be highlighted from the outset.
Where the GDPR applies to all organisations irrespective of whether it is a charity or for-profit, the CCPA only applies to for-profit entities. Whilst the two legislations both cover natural persons, the GDPR covers all data subjects, regardless of citizenship, whereas the CCPA only applies to California residents and ‘households’ which under the CCPA are deemed as ‘consumers’. The term household thus means that it extends beyond a data subject or natural person, which differs from the term of data subjects alone that is covered by the GDPR. Overall, this shows a substantial difference in approach yet the effects of the identifiable natural person is broadly similar.
Below are the further similarities and differences that your organisation should take note of to go from CCPA compliance to GDPR compliance.
Scope of application
When comparing the two regulations, the difference in their scope of application means that an organisation that is CCPA compliant will have to take extra steps to be compliant with the GDPR. This is because the GDPR applies to all types of organisations that deal with personal data from within the EU whilst the CCPA only applies to organisations that meet the following criteria:
has over $25 million in annual gross revenue; or
Derives more than 50% of its revenue from selling consumers’ personal information; or
Shares (buying or selling) the personal information of over 50,000 consumers, households or devices for commercial purposes
The processing under the CCPA is also only limited to Consumers who are natural residents of California and organisations that operate within California whereas the GDPR refers to data stemming from all data subjects, irrespective of residence, and geographical scope.
The scope of the GDPR is much broader than the CCPA as it regulates data controllers and processors that are both established within the EU and those that are not established within the EU so long as it processes EU data subject’s data to offer goods and services.
Scope of Protection
The signature difference between the CCPA and the GDPR is how they allow data subjects to manage and control how much of their data is being collected.
The GDPR operates on a legal basis for processing data so that as long as the organisation can show that it is processing data lawfully, it may continue to do so. That is unless it uses user consent as a legal basis for processing data in which case, a clear ‘opt in’ mechanism is required. The GDPR also has certain opt-out methods such as the withdrawal of consent for processing activities and the processing of data for marketing activities.
The CCPA on the other hand adopts an all-encompassing ‘opt out’ approach where organisations must make available a link that says “Do Not Sell My Personal Information” in a clear manner on their website. The organisation must then wait 12 months before it can ask the user for re-authorisation.
For CCPA compliant firms, the GDPR is substantially different in the way it treats the protection of data rights and how data is to be lawfully processed. As such, organisations will need to familiarise themselves with the legal grounds for processing data and the lawfulness of processing under the GDPR and understand where certain ‘opt-out’ mechanisms must be adopted.
Data breaches and Penalties
For non-compliance with the CCPA, there are no penalties until a data breach occurs. When such a breach happens, the organisation can be fined for each act of non-compliance.
The fines under the CCPA are:
$2,500 per violation,
up to $7,500 per violation if intentional.
However, it is only possible to sue for a data breach in limited circumstances, such as if non-encrypted and non-redacted personal information was part of a data breach due to the organisation’s failure to comply with the CCPA and not taking reasonable precautions. For other types of violations that do not involve a data breach, only the Attorney General can file an action. Such an action would not be on behalf of individuals who have their data breached but rather for California residents as a collective and aims to rectify patterns of complaints and misconduct.