On January 1, 2020, the California Consumer Privacy Act (CCPA) will come into effect, and businesses that meet the covered criteria will have to comply with the newest privacy regulation. The CCPA is one in a recent line of data privacy laws designed to protect consumer information and give consumers power over what happens to their data.
People often compare it to the EU’s General Data Privacy Regulation (GDPR), which was arguably the most publicized data privacy law. However, while there are certainly similarities between the two, GDPR compliance does not automatically equal CCPA compliance. For example, the GDPR protects EU citizens, while the CCPA is directed towards California residents, and whereas the GDPR is geared towards any company that collects personal data, the CCPA applies to companies that meet specific criteria.
Key differences between CCPA and GDPR
The following list highlights the key differences in requirements for CCPA versus GDPR:
“Do Not Sell My Information” link
For CCPA compliance, companies must include a “Do Not Sell My Information” link on their website that allows users to opt out of the company selling their information. Such a link, or any other means of opting out of the sale of the consumer’s information, is not a requirement under the GDPR. For the CCPA, companies need a process for receiving and managing these opt-outs, and must be able to track who has opted out so they can honor the request and ensure that third parties do so as well.
Definition of “Personal Data”
The CCPA has a much broader definition of personal data than the GDPR. Whereas the GDPR’s definition of personal data is “any information that is related to an identified or identifiable person,” the CCPA’s definition encompasses any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This includes, but is not limited to, the following categories of information:
- Names and aliases
- Postal addresses
- Unique personal identifiers
- Online identifiers (IP addresses)
- Email addresses
- Account names
- Social security numbers
- Driver’s license numbers
- Passport numbers
- Commercial information
- Biometric information
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information
Companies must identify, and be prepared to locate and disclose, a larger scope of data under the CCPA than under the GDPR.
Penalties
Penalties differ between the CCPA and the GDPR. Under the GDPR, companies can be fined up to $20 million or 4% of annual global turnover. Under the CCPA, after giving 30 days’ notice, the Attorney General can bring an action to recover fines of $2,500 per violation and $7,500 per intentional violation. Also, unlike under the GDPR, consumers can bring a private right of action in the event of a data breach or unauthorized disclosure and recover between $100 and $750 per violation or actual damages, whichever is greater. And whereas the GDPR caps the amount a company may have to pay, the CCPA does not.
Ensure that you are specifically following the CCPA’s rules
Though being GDPR compliant puts businesses in a good position, they still need to do more to ensure CCPA compliance. The rules, however subtle the differences, are not the same for both, and businesses need to pay close attention to avoid the hefty penalties that either or both can impose.