Aug 10, 2020
These laws are similar, but they're not the same. The most glaring difference between CCPA and GDPR may be country of origin, but their verbiage differs in crucial areas.
The short answer is that taking reasonable precautions to ensure you're acting according to the requirements set forth in the European Union's General Data Protection Regulation (GDPR) is not enough to qualify as compliant with the California Consumer Privacy Act of 2018 (CCPA).
"In particular, compliance with the CCPA will entail being prepared to make additional disclosures both in the privacy policy and in response to individual’s requests for information, to locate and deliver specific information about individuals which is different to that required under the GDPR, to identify contracts that may constitute a sale of data under new broad definitions, and to establish policies and procedures, including to protect against discrimination of individuals exercising their CCPA rights, which will need to look different to those required under the GDPR," according to an article published by international law firm Pillsbury Winthrop Shaw Pittman LLP.
Keep in mind that this is a brief educational article sourcing and quoting public information from knowledgeable subject matter experts, and by no means is this to be construed as legal advice from us or them, nor is it an exhaustive overview. That goes without saying, of course, but our lawyers (and likely the lawyers quoted in this article) would very much appreciate it if it was in fact said.
The differences between these two regulations doesn't stop there, however.
GDPR Doesn't Cover CCPA "Data" Types
They continue down to the very definition of data, which then relates to who could fall within the scope of coverage under each law.
"For example, the CCPA definition refers to information relating to households in addition to information related to individuals. Whilst the definition of personal data in the GDPR only explicitly refers to individuals, there have been numerous discussions and enforcement action across Europe showing that personal data, as defined in the law, may also cover households," according to the Future of Privacy Forum.
The nature of data is also seen differently between the two.
The GDPR defines "sensitive data," which can be considered special categories of data, and prohibits processing it unless one of a few exemptions applies. This definition is not in the CCPA, but the CCPA does define biometric data, which includes elements from one of the categories of sensitive data in the GDPR. There is no extra layer of data protection for this, however, as there is with the GDPR.
Furthermore, under the GDPR, "personal data" covers publicly available data whereas CCPA does not consider publicly available information as "personal information."
The opt-out rights for CCPA and GDPR are substantially different, according to an in-depth comparison from Practical Law (resource ID: w-016-7418).
GDPR Doesn't Cover CCPA Opt-Out Rights
"[Under CCPA], Businesses must enable and comply with a consumer’s request to opt-out of the sale of personal information to third parties, subject to certain defenses … The GDPR does not include a specific right to opt-out of personal data sales. However, the GDPR does contain other rights a data subject may use to obtain a similar result in certain circumstances," according to Practical Law.
Those rights include the ability to opt-out of processing data for marketing purposes and withdrawing consent for processing activities.
Furthermore, the CCPA requires a link in a clear and conspicuous location on the homepage of a website, stating "Do Not Sell My Personal Information."
Company access to information is one thing, but consumers' abilities to remove their data from a data controller will differ slightly. The GDPR requires a request for deletion to be backed by one of six conditions, but the CCPA is a bit broader than that.
According to Practical Law, the right of rectification is not extended under CCPA, whereas the GDPR grants subjects the ability to correct inaccurate personal data and complete otherwise incomplete personal data.
The list can and will go on when determining the differences and similarities between GDPR and CCPA. Those listed here are only a few of many.
As a general rule of thumb, it's safe to assume that if you act in good faith to meet the requirements for one, that does not necessarily mean you will automatically be covered for the legal requirements and ramifications of the other.
The definition, application, consideration, protection, deletion, correction, and handling of data is approached differently between the two. Yes, there are similarities that provide comparable or equivalent rights, but the case-by-case application, general scope, and other criteria will inherently differ due to the language in each.
Ensure you enact separate initiatives for CCPA compliance and GDPR compliance, otherwise you could face penalties.