On January 1, 2020, the California Consumer Privacy Act (CCPA) comes into effect, and businesses that meet the covered criteria will have to comply with this newest privacy regulation. The CCPA is one in a recent line of data privacy laws designed to protect consumer information and give consumers power over what happens to their data.
People often compare it to the EU's General Data Protection Regulation (GDPR), which was arguably the most publicized data privacy law. However, while there are certainly similarities between the two, GDPR compliance does not automatically equal CCPA compliance. For example, the GDPR protects EU citizens, while the CCPA is directed towards California residents, and whereas the GDPR applies to any company that collects personal data, the CCPA applies only to companies that meet specific criteria.
The following list highlights the key differences in requirements for CCPA versus GDPR:
For CCPA compliance, companies must include a "Do Not Sell My Information" link on their website that allows users to opt out of the company selling their information. Such a link, or any other means of opting out of the sale of the consumer's information, is not a requirement under the GDPR. For the CCPA, companies need a process for receiving and managing these opt-outs, and must be able to track who has opted out so they can honor the request and ensure that third parties do so as well.
The CCPA has a much broader definition of personal data than the GDPR. Whereas the GDPR's definition of personal data is "any information that is related to an identified or identifiable person," the CCPA's definition encompasses any information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
This includes, but is not limited to, the following categories of information:
Companies must therefore identify, and be prepared to locate and disclose, a larger scope of data under the CCPA than under the GDPR.
Penalties also differ between the CCPA and the GDPR. Under the GDPR, companies can be fined up to $20 million or 4% of annual global turnover. Under the CCPA, after 30 days' notice, the Attorney General can bring an action to recover fines of $2,500 per violation, and $7,500 per intentional violation. Also, unlike the GDPR, the CCPA gives consumers a private right of action in the event of a data breach or unauthorized disclosure, allowing them to recover between $100 and $750 per violation or actual damages, whichever is greater. And whereas the GDPR caps the amount a company may have to pay, the CCPA does not.
Though being GDPR compliant puts businesses in a good position, they still need to do more to ensure CCPA compliance. The rules, however subtle the differences, are not the same, and businesses need to pay special attention to avoid the hefty penalties that either or both can bring.