Understanding the Key Differences Between GDPR and CCPA for Businesses

Comparing CCPA with GDPR: The legislators fight back

Legislators and governments globally are starting to wake up to the implications of the digital revolution on individuals’ rights. This is exacerbated by the fact that choice is limited, as a small group of companies dominate the consumer space.


Until now, corporations have produced their terms and conditions, which you must accept, and if you did not like the way they would use your data, their answer was ‘don’t use the service’. However, some services are becoming so ubiquitous that opting out means avoiding whole swathes of the digital revolution. It is simply not an option, either for individuals or for nations who see a vibrant digital economy as a way of driving national productivity. Governments are increasingly going to have to regulate the way these companies behave.


As the home of many of the internet giants, changes in US legislation often drive the thinking of Silicon Valley. So we thought we would compare two of the most high-profile examples of new privacy legislation so far: the EU’s GDPR (General Data Protection Regulation) and California’s CCPA (California Consumer Privacy Act), which will come into effect on 1st January 2020.


Who is covered?

The CCPA is much more restrictive in who it covers because it focuses simply on consumers who are California residents, whereas the ‘data subject’ in the EU is any person.

Penalties

The CCPA penalties are US$2,500 per negligent violation or US$7,500 per intentional violation, with each person in the data set being a separate violation (however, multiple violations against one person, such as selling the same profile many times, would count as one violation).


There is also a right under CCPA for individuals to claim damages, but only if their unencrypted or unredacted personal information has been exposed due to a business’s failure to maintain appropriate security safeguards.


GDPR has a maximum fine of €20m or 4% of global turnover at the discretion of the relevant European supervisory authority (i.e. whichever national regulator supervises that business). This power has been exercised, with some eye-watering fines recently imposed.


Who does it apply to?

CCPA applies to Californian businesses for which any of the following tests applies: it has more than $25m in revenue; it buys, receives, sells or shares personal information of 50,000 plus consumers per year for commercial purposes; or it derives 50% or more of its revenue from selling consumer personal information.

GDPR theoretically applies supra-nationally to any organisation worldwide holding the data of people living in the EU or EU citizens. It covers any type of organisation: public, private or voluntary and of any size.


Rights

At a general level, the rights given to the individual by GDPR are more comprehensive, but one aspect of CCPA catches our eye and we believe it to be a powerful tool for the consumer. It is the right to opt out from the sale of personal information (and related opt-in requirements for children). This will undermine the business models of some organisations, but we believe this makes a powerful statement that personal data is valuable, and consumers and legislators are waking up to that fact. We think this is a useful addition to the list of rights.


Other countries such as India are already working on their own versions of Data Privacy based on GDPR. In New York, a tougher variant of CCPA is already on the table. The proposed legislation in New York is broader in that it applies to entities intentionally targeting New York residents for conducting business there and allows for far broader and greater private damages claims.


GDPR remains the gold standard for data privacy regulation. I still expect many other jurisdictions to use this as their benchmark for the foreseeable future. What is more, regulation is unlikely to stop at data privacy and will start to treat some companies like utilities.
