Blog details



CCPA vs GDPR. In this blog we take a look at similarities and differences between the CCPA and the GDPR. 

It has been a year and a half since the GDPR started to apply. Did you think you were done adapting all your data processes to the Regulation? Don’t miss this post! You might still have a lot of work to do with the new California Consumer Privacy Act (CCPA).

The CCPA was enacted in 2018 and it will be effective from January 1, 2020. It is the first law in the US to provide the consumers with privacy rights. Businesses collecting, selling or disclosing California residents personal information might be subject to the CCPA requirements.

At this stage you may be wondering if the CCPA is the ‘Californian GDPR’. Don’t panic! We have prepared this blog to let you answer that question yourself. Aphaia has gone through the CCPA and the GDPR thoroughly in order to identify the most relevant similarities and differences between them and we have put together our findings in the lines below.

Who is obliged to comply with the CCPA?

While the GDPR applies to “controllers” regardless of their nature or their activity, the CCPA requirements only apply to for-profit entities (“businesses”) that:

are for-profit;
collect consumers’ personal information, or on the behalf of which such information is collected;
determine the purposes and means of the processing of consumers’ personal information;
do business in California; and
meets any of the following thresholds:
has annual gross revenue in excess of $25 million;
alone or in combination, annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
derives 50% or more of its annual revenues from selling consumers’ personal information.

The CCPA also applies to any entity that controls or is controlled by the business.

Are there territorial limits?

The CCPA applies to organisations that do business in California and, similar to the GDPR, even though it is not explicitly mentioned, it also seems to be applicable to those ones established outside of California if they collect, sell or disclose California consumers personal information while conducting business in California.

Who has rights under the CCPA?

The GDPR covers the privacy rights of ‘data subjects’, who are defined as “an identified or identifiable natural person”, whereas the CCPA protects ‘consumers’,understood as natural persons who are California residents.

Which processes involving data fall under the CCPA?

Whilst the GDPR refer the ‘processing’ of personal data, the CCPA specifically includes ‘collecting’ and ‘sharing’ personal data.

It is important to note that ‘collecting’ covers “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means” and ‘selling’ comprises “renting, disclosing, releasing, disseminating, making available transferring, or otherwise communicating personal information for monetary or other valuable consideration”. It should be stressed that ‘selling’ does not necessarily involve a payment to be made in exchange for personal information.

What rights does the CCPA provide the consumers with?

Similar to the GDPR, the CCPA provides consumers with new rights, including a right to transparency about data collection, a right to be forgotten, and a right to opt out of having their data sold, which becomes opt in for minors.That said, Californian consumers have the following rights:

The right to know whether their personal information is being collected about them.
The right to request the specific categories of information a business collects upon verifiable request.
The right to know what personal information is being collected about them, the categories of sources form which the information is collected, the business purposes for collecting or selling the information and the categories of third parties with which the information is shared.
The right to say “no” to the sale of personal information.
The right to delete their personal information.
The right to equal service and price, even if they exercise their privacy rights.

It is clear that the CCPA will have large implications for businesses in California (and all around the world!) as it is the strictest privacy law ever enacted in the US. However, with appropriate help, organisations will be able to manage the requirements and implement them step by step as happened with the GDPR almost two years ago.

Do you require assistance with CCPA compliance? Aphaia provides both GDPR and CCPA adaptation services, including data protection impact assessments and Data Protection Officer outsourcing.

Prev post
Apple a examen por prácticas irregulares de cesión de datos
October 18, 2019
Next post
Comparación de la CCPA y el RGPD
October 23, 2019

Leave a Comment