Using the GDPR to take back control of privacy? We want that as well! The Californian Consumer Privacy Act (CCPA) is a consumer initiative in the US and its content is still open for adjustments. Through public forums, consumers can provide input for the design of the Act. The final version of the CCPA is planned to come into force the 1st of January 2020.
This raises the question on what aspects the regulations differ since the CCPA was inspired by the GDPR. Here is our overview of the 5 most important differences, of the current state of the CCPA and the GDPR.
1. Scope: all organisations vs. only commercial organisations
The GDPR applies to all organisations (commercial and non-profit) that process personal data of European citizens, regardless of where the organisation is based. In this regard, the CCPA and GDPR are quite similar. Except for the fact that GDPR goes for Europeans and CCPA is about Californian residents of course.
Both regulations do differ, however, on the aspect that the CCPA only applies to commercial organisations that both collect and process the personal information of Californian residents and it does not apply to non-profit organisations. Additionally, the business must meet at least one of the following requirements:
- An annual gross revenue over $25 million;
- The business must receive or share personal information of more than 50,000 California residents annually, or;
- The business must derive at least 50 percent of its annual revenue by selling the personal information of California residents.
In order to fall under CCPA legislation, a business must meet at least one of these criteria.
In short, one can conclude that the CCPA is more focused on large scale commercial businesses. For the GDPR on the contrary, it doesn’t matter if you are a commercial or a non-profit organisation, large or small: you will always have to comply to it.
2. Wait what?! I didn’t ask you to sell my data!
Consent for the processing of personal data is a central topic for both regulations. According to the GDPR, if the processing of data is not covered by one of the other bases for processing (such as the performance of a contract), a consumer needs to give consent for the use of his or her personal data. The use of data should be linked to one or more specific purposes clearly communicated by the firm, and the purpose needs to be specified per attribute. Consumers need to actively “opt in” and give specific and unambiguous consent for the use of personal data, according to the principle of privacy by default.
The mindset towards opting in and receiving marketing communications is quite different in the US: here you have a right to opt-out according to the Can-Spam Act. In Europe on the contrary, an opt-in should be actively given before data may be used for marketing purposes. What is new in the CCPA is that customers can opt out of the sale of their personal data. The data controller must adhere to this request for at least 12 months.
3. Executing privacy rights: to what extent do you control your own privacy?
What is new for the CCPA is that it includes the right for consumer to “opt out” for having their data sold to third-parties. There has to be a clear “Do Not Sell My Personal Information” link, visible on the website’s home page. The GDPR does provide more rights than the CCPA, including the right to restrict processing, the right of rectification, and the right to not be subject to (automated) processing. The regulations differ slightly on the right of disclosure or access: with the CCPA you can only obtain a written disclosure of your personal information, whereas the GDPR allows broader access and offers a complete overview. The right to data portability and right to erasure are mentioned in both regulations. There are some differences however, for instance that the right to data portability is more extensive under the GDPR than under the CCPA. Under the GDPR, the firm must send a machine readable format of the data to the customer and, upon the customer's request, to the firm the customer wants to transfer the data to. Under the CCPA, it must only be sent to the customer.
4. Creation of personal profiles and automated decision-making
EU data subjects should have freedom of choice in their buying decisions, instead of being presented with unfair tailored offerings based on the data that was gathered regarding personal preferences and lifestyle. I hear you thinking: what do you mean by unfair tailored offerings through automated decision-making? Well, here is an example. If a travel website automatically offers an exclusive vacation on favourable conditions to certain visitors based on data that shows that they live in a high-class neighbourhood and doesn't give someone from a low-class neighbourhood the opportunity to buy it on the same conditions, this is definitely a no-go. The same goes for automated decision making for job application procedures: individuals may not be rejected solely based on automated decisions. The CCPA does not specifically cover automated decision-making nor profiling restrictions.
5. Fines: max $7,500 per record in the database vs. max. 4% of annual global revenue
Well-arranged consumer privacy is more important than ever on the business side: violating the regulations is substantially costly: the CCPA fines range up to $7,500 per record in the database, if the violation was intentional. Imagine if there are 50,000 records, the fines can become substantial. The CCPA does offer businesses the opportunity to rectify noticed violations within 30 days after the fine has been levied. The GDPR does not provide such an opportunity once the fine has been levied, but has a wider range of enforcement measures, for instance issuing a warning, and the maximum amount of the fine is different: €20,000,000 or 4% of annual global revenue, whichever is highest for the most serious violations.
Therefore, being compliant to GDPR does not mean you’re also compliant to CCPA. Modifications must be done if you need to comply with CCPA as well. One thing is certain: the right to privacy is more alive than ever.
Read more? This chart provides a brief overview of the differences.
Market Researcher at iWelcome
Mandy is an experienced researcher in the area of GDPR. She has executed all GDPR-related research iWelcome has done over the past two years. In addition to that, she is part of iWelcome's marketing department.
Feel free to repost this blog on your website or social channels! But when you do so, please be so kind to mention the source and give us a notice via firstname.lastname@example.org.