CCPA vs. GDPR: What Businesses Need to Know
This article explains the difference between GDPR and CCPA - and how your business can become compliant
California has had the most extensive data protection law among the US states since 2004 when the California Online Privacy Protection Act (CalOPPA) was implemented. That hadn’t changed over the years, but it didn’t prevent the Golden State government from passing a new, even more extensive law either.
The California Consumer Privacy Act (CCPA) is the most recent California law passed on personal data protection. It was passed in June 2018 and comes into effect on 1 January 2020. The passing of the law coincides with the massive anxiety caused by the introduction of the GDPR by the EU a month earlier, so it comes as no surprise that many refer to the CCPA as California version of GDPR.
That, however, is far from the truth. While the unanimous passing of the law may have ridden the wave of the public scare on personal data abuse, the CCPA is not as extensive as the GDPR. As a result, the requirements for businesses are not as extensive.
Who Must Comply with CCPA?
The CCPA applies to every company in the world if:
- They collect the personal data of California residents
- They (or their parent company or a subsidiary) exceed at least one of the three thresholds:
- Annual gross revenues of at least $25 million
- Obtains personal information of at least 50,000 California residents, households, and /or devices per year
- At least 50% of their annual revenue is made from selling California residents’ personal information
A California resident is defined by the California laws as any natural person who:
- Is in California for other than a temporary or transitory purpose
- Is domiciled in California, but is outside the state for temporary or transitory purposes
What Are CCPA Requirements for Businesses?
You are CCPA-compliant as long as you:
- Allow your users to access their data upon request, along with information on how you have used their data in the past.
- Disclose to your users who you sell their data to, if you sell it at all. You’ll also have to give your users an opportunity to object and prevent the sale of their data by putting a “Do Not Sell My Personal Data” option on your website. This means that you are allowed to sell your users’ personal data as long as you give them the opportunity to prevent it. If they choose that option, it is a clear ban on selling their data.
- Ask for explicit consent for the selling of a child’s data. If the child is 13-16 years old, you can get consent from them. If they are younger than that, you will have to get consent from their parents.
- Delete all their data upon request. Some types of data are exempt (transactions, internal analytical data, data for research).
- Introduce a system for verification of the identity of the person making any of these requests
- Don’t discriminate against persons who exercise their privacy rights when providing your products or services. If someone asks for access, change, or erasure of their data, you have to keep providing the same quality level of your services or products to them. However, you are allowed to provide incentives for users in exchange for more of their data as long as it is not usurious and/or unjust.
- Introduce privacy notices
- Ask for consent for the processing of personal information for a purpose that has not been part of the notice on the collection and the privacy policy when originally collected
- Show notice on collection again every time you introduce a new purpose of the collection
- Provide details of your financial incentives program, if any
- After denying consumer’s request for deletion, offer them to opt-out of the sale of personal information, if you sell such information
How Does CCPA Compare to GDPR
Many business owners are wondering if the implementation of GDPR means compliance with CCPA or they have to take additional measures. To clarify that, first you need to learn how CCPA and GDPR compare.
What Entities does the Law Cover?
- CCPA: Only businesses who collect data from California residents and exceed one of the three thresholds
- GDPR: Anyone based in the EU or who collects data from EU residents.
Do They Require a Privacy Policy?
- CCPA: Yes.
- GDPR: No.
What Information Do They Have to Disclose in Privacy Policies?
- CCPA: What type of information you collect, for what purposes, third parties you share their information with, how consumers can access and change their data, who do you sell data to and why, how consumers can request the erasure of their data, lists of personal information and categories of personal information that have been sold in the past 12 months, and details on financial incentives program.
- GDPR: What type of information you collect, for what purposes, third parties you share their information with, how consumers can access and change their data, how consumers can request the erasure of their data, the identity of data controller and processor, how long you keep the data.
Do They Require Prior Consent Before Sending Out Cookies?
- CCPA: No
- GDPR: Yes
Do Users Have a Right to Access and Change Their Data?
- CCPA: Yes, upon request.
- GDPR: Yes, upon request.
Do Users Have the Right to Be Forgotten (Have Their Data Erased)?
- CCPA: Yes, upon request.
- GDPR: Yes, upon request.
Do Businesses Have to Ask for Consent from Users Prior to Selling Their Personal Data?
- CCPA: No, but they must offer them an opportunity to opt-out from the selling of their data.
- GDPR: Yes.
The CCPA is not blazing new trails like the GDPR was. There is not much in this law that we haven’t seen somewhere else.
If you’ve done your homework with the GDPR compliance, you are covered for some parts of the CCPA, but not all. It is important to note that compliance with GDPR doesn’t mean compliance with CCPA, therefore you will have to take certain steps to ensure full compliance.
How to Prepare for Compliance with CCPA
To comply with the CCPA, consider the following suggestions:
- Update your privacy policy according to the CCPA requirements
- Establish methods for requests for access, change, and erasure of data, including at a minimum a toll-free number
- Introduce a system for verification of the identity of persons making any of these requests
- Prepare data maps, inventories, or other records of California residents’ personal data to be ready to let them exercise their CCPA rights
- Introduce a “Do Not Sell My Personal Data” button or link
- Introduce a method for obtaining consent by parents of minors under 13 and direct consent from 13 to 16 years olds
- Introduce privacy notices
While you have to take care of some of these suggestions yourself, you can automatize getting an updated CCPA-compliant privacy policy and a cookie banner. A Secure Privacy online privacy policy generator and cookie banner generator can help you stay compliant without the hassle of updating them manually or hiring an expensive lawyer to review them.
Disclaimer: This website contains general information about legal matters. This article is for informational purposes only. The information is not advice, and should not be treated as such. Talk to your lawyer before applying any of the advice listed in the article.
Data Privacy and Responsible AI: A Guide for DPOs
Learn how to implement responsible AI while ensuring data privacy compliance. Discover practical strategies for Privacy by Design in AI systems, data minimization, and navigating privacy regulations. Essential reading for Data Protection Officers.
- Legal & News
Vietnam's Personal Data Protection Decree: Key Insights on Data Law
Explore Vietnam's new data privacy law, Decree 13/2023, which introduces strict regulations on personal data handling and cross-border transfers.
- Data Protection
Navigating Israel’s Data Protection Landscape: Key Compliance Insights for Businesses
Learn how Israel's Privacy Protection Law affects your business, including compliance requirements, data transfer rules, and key obligations.