CCPA vs GDPR
In this blog we take a look at the similarities and differences between the CCPA and the GDPR.
It has been a year and a half since the GDPR started to apply. Did you think you were done adapting all your data processes to the Regulation? Don’t miss this post! You might still have a lot of work to do with the new California Consumer Privacy Act (CCPA).
The CCPA was enacted in 2018 and it will be effective from January 1, 2020. It is the first law in the US to provide consumers with privacy rights. Businesses collecting, selling or disclosing California residents' personal information might be subject to the CCPA requirements.
At this stage you may be wondering if the CCPA is the ‘Californian GDPR’. Don’t panic! We have prepared this blog to let you answer that question yourself. Aphaia has gone through the CCPA and the GDPR thoroughly in order to identify the most relevant similarities and differences between them and we have put together our findings in the lines below.
Who is obliged to comply with the CCPA?
While the GDPR applies to “controllers” regardless of their nature or their activity, the CCPA requirements only apply to for-profit entities (“businesses”) that:
The CCPA also applies to any entity that controls or is controlled by the business.
The CCPA applies to organisations that do business in California. Similar to the GDPR, even though it is not explicitly mentioned, it also seems to be applicable to organisations established outside of California if they collect, sell or disclose California consumers' personal information while conducting business in California.
Who has rights under the CCPA?
The GDPR covers the privacy rights of ‘data subjects’, who are defined as “an identified or identifiable natural person”, whereas the CCPA protects ‘consumers’, understood as natural persons who are California residents.
Which processes involving data fall under the CCPA?
Whilst the GDPR refers to the ‘processing’ of personal data, the CCPA specifically includes ‘collecting’ and ‘sharing’ personal data.
It is important to note that ‘collecting’ covers “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means” and ‘selling’ comprises “renting, disclosing, releasing, disseminating, making available, transferring, or otherwise communicating personal information for monetary or other valuable consideration”. It should be stressed that ‘selling’ does not necessarily involve a payment to be made in exchange for personal information.
What rights does the CCPA provide consumers with?
Similar to the GDPR, the CCPA provides consumers with new rights, including a right to transparency about data collection, a right to be forgotten, and a right to opt out of having their data sold, which becomes opt in for minors. That said, Californian consumers have the following rights:
It is clear that the CCPA will have large implications for businesses in California (and all around the world!) as it is the strictest privacy law ever enacted in the US. However, with appropriate help, organisations will be able to manage the requirements and implement them step by step as happened with the GDPR almost two years ago.
Do you require assistance with CCPA compliance? Aphaia provides both GDPR and CCPA adaptation services, including data protection impact assessments and Data Protection Officer outsourcing.