The article is written by Karan Singh Sohal.
Introduction
The California Consumer Privacy Act (CCPA) is the first major United States privacy legislation; it became effective on January 1st, 2020. CCPA gives California residents new rights over the data that is generated about them on a regular basis. The CCPA is an Act that improves privacy rights and promotes consumer protection for residents of California in the United States. The CCPA gives consumers certain rights regarding the use of their personal information, whether it is sold or shared with other organizations. Protection under CCPA is reserved for people residing legally in California, who are treated as data subjects. The Act thus promotes privacy and transparency in order to protect and serve the rights of individuals from California. CCPA also gives consumers ownership, control and security over their personal information, enabling them to decide whether to disclose or delete their personal information as they see fit. The CCPA therefore concerns businesses that collect personal information about residents of California.
The General Data Protection Regulation (GDPR) is a law of the European Union (EU) and the European Economic Area (EEA). It also governs the transfer of personal data outside the EU and EEA. GDPR's main goal is to give data subjects control over their personal data and to regulate business internationally. It contains rules on the personal data of people who reside in the European Economic Area and applies to any enterprise regardless of its location. The GDPR was adopted on 14th April 2016 and enforced from 25th May 2018. The regulation has served as a model for many countries; the Data Protection Bill being introduced in India takes GDPR as its reference.
Scope
CCPA and GDPR both have extra-territorial scope for companies collecting personal data, and both limit the uses of that data. CCPA applies to companies that fall within its definition of a business, and also on the basis of a company's location. CCPA only protects consumers that fall under its definition of a consumer, that is, California residents. The Act concerns businesses established inside or outside California that collect personal information of California residents and satisfy at least one of three conditions: annual gross revenues of more than $25 million; handling the personal information of 50,000 or more consumers; or deriving at least 50 percent of annual revenue from selling the personal information of Californian consumers. However, it does not apply to job candidates and employees, according to Amendment Assembly Bill 25.
GDPR has no such threshold and therefore has a much wider scope. It covers all companies that process EU data, whether or not they are established in the EU and regardless of where the data processing takes place. GDPR is a regulation that protects EU residents whose "personal data", meaning data that corresponds to an identified or identifiable data subject, is collected by companies. GDPR does apply to job candidates and employees, which makes it a more well-rounded regulation than CCPA.
Objective & Reasons for Protection
The main objective of CCPA is to protect personal information, defined to include any identifier that can be linked to a consumer. Consumers are protected because they can opt out of the sale of their personal data. The main objective of GDPR is to protect personal information that can be used to identify a natural person. Data subjects are protected by being given the choice of whether to opt in to the processing of their data.
Requirements in CCPA & GDPR
Under CCPA a company is required to tell customers the type of information it will gather, why it needs that information, the details of what is being collected and, finally, where the information is being shared. Under GDPR, companies must state the type of business they do, how the customer may contact the company, the reason for processing the personal data, the types of data the company may collect and the period for which it intends to store them, and the complete details of where this data is being shared.
Rights under CCPA & GDPR
Under CCPA customers have the right to access the personal data they have provided to a company, the right to know how that data is used, and the right to object to its sale if a company shares it. GDPR provides all of the rights found in CCPA, and in addition the customer has the right to rectification, which deals with correcting any wrong information that has been given to or collected by the company. Finally, GDPR has the right to data portability, which states that a customer can obtain his data and reuse it for any purpose according to his will. As GDPR is the more evolved law, it has given these basic rights to its data subjects.
Specific Regulations
In CCPA there are disclosure requirements on the collection, selling and sharing of personal information. The CCPA does not impose a lawful-basis requirement for handling the personal information of customers. Finally, businesses must comply with a verified consumer request within 45 days. The difference here is that under GDPR, companies must respond to verified data subject requests within 30 days.
Effects of CCPA & GDPR
CCPA applies to businesses that buy, share or sell the data of around 50,000 California citizens, that earn in excess of 50% of their revenue from the sale of such personal data, or that have revenue of 25 million dollars per annum. GDPR applies to businesses that collect and share the personal data of European citizens and residents, including businesses that operate outside the European Union but still offer goods or services to European citizens. The difference between the two is that GDPR does not take the size of the business into account when applying the law to companies, whereas CCPA requires businesses to be of a certain size or to hold a certain amount of data before the law applies.
Fines & Consequences
The consequences under CCPA are penalties of $2,500 to $7,500 per violation, plus a penalty of $100 to $750 per consumer per incident following civil action; businesses have 30 days to cure violations and inform consumers that they have done so. Under GDPR, penalties are 4% of annual global revenue or $20 million, whichever is higher, and compensation is awarded for material or non-material damages arising from a data breach. No grace period to cure violations is given under GDPR. Compliance violations are punished through direct fines, or indirectly through media coverage and public relations damage. GDPR fines correspond directly to a company's annual revenue, whereas CCPA fines are based on the violations committed by a particular company.
Breach & Privacy Rights
In CCPA one has the right to disclosure/access. There are requirements for the sale of the personal information of children: minors below 16 years of age must authorize the sale of their personal information, and for children under 13 years of age the approval must be given by a parent or legal guardian. The right to object applies only to the sale of personal information. In CCPA an individual also has the right of portability, which means the right to obtain and reuse their personal data for their own purposes across different services. CCPA gives the right to recover damages ranging from $100 to $750. The one disappointment with CCPA is that it has not incorporated data breach provisions. This can compromise consumers' data and could expose one to legal violations.
GDPR, being the more evolved law, also has the right to disclosure/access, with some conditions. Certain rights are granted to consumers under this act: the right to erasure, which means that one has the right to be forgotten; the right to receive compensation for material and non-material damages; the right to restrict processing, which empowers individuals to choose the amount and category of data that they wish to have processed; and finally the right to rectification, which gives individuals an opportunity to rectify incorrect or incomplete data, a request for which can be made verbally or in writing. In the case of children below the age of 16 years, processing of their personal data is only lawful with the consent of a legal guardian. The minimum age that can be considered with respect to data processing under GDPR is 13 years. One must also note that, just like CCPA, GDPR provides the right of data portability for its data subjects. However, unlike CCPA, GDPR has a provision for data breach. Therefore GDPR is the more secure regulation and hence better protects consumers against legal liabilities.
Lawsuits can be brought by the relevant authorities for breach of privacy if a company's data is mishandled or hacked. Businesses should therefore be highly cautious in their data handling methods and should audit their data regularly. GDPR has extensive regulations on keeping data encrypted, confidential and accessible. Under GDPR it is imperative to notify the consumer if there is ever a data breach of the company's systems. GDPR therefore requires a data protection impact assessment (DPIA) to be performed before any processing of consumers' personal data is done. It can be clearly seen that both GDPR and CCPA are well equipped to handle or prevent any type of breach concerning the data of consumers, and if any breaches do occur they can lead to several legal liabilities for the company.
Requirements under CCPA and GDPR
In CCPA, certain requirements must be fulfilled for better functioning. First, one must meet the disclosure requirements for the collection, selling and sharing of personal information. Second, it does not impose a lawful basis as a requirement for handling personal information. Finally, it requires businesses to comply with a verified consumer request within 45 days. In comparison, GDPR requires data controllers to comply with verified requests within 30 days.
Consent
CCPA lacks a consent provision, which means less scrutiny, thereby making a company more vulnerable to legal action and, as a result, to high-value settlements. GDPR, however, incorporates a provision on consent under Article 30 and is therefore a much more secure regulation. Article 30 also requires a company to produce "Records of Processing Activities", which allow regulators to see that the company is adhering to the GDPR. To that end, the records should show why and how the data is being processed.
How is it Different?
If a company is familiar with and already complying with the GDPR, then CCPA will not be that difficult to comply with, as it is less complicated and a newer law than GDPR. However, some CCPA compliance obligations are new compared to GDPR. In CCPA, the threshold based on consumer data or overall revenue is determined by the company's gain. Unlike GDPR, CCPA can apply to households and devices as well as to natural persons. Even though GDPR is more evolved, CCPA goes further in protecting information linked to a device, such as browsing activity. Both laws have requirements for disclosure and transparency.
Conclusion
It can be concluded from this article that GDPR is the more evolved and wider privacy law, establishing data protection legislation in the EU where privacy is the default until prior consent is obtained from EU users. It strengthens users with rights to access, erasure, information and consent. Under GDPR, companies can adopt a more sophisticated data privacy model for better functioning. CCPA is presently at an evolving stage and needs a more specific and well-oriented representation. It creates rights for Californian residents that fairly increase their decision rights over the data that many businesses have acquired, by requesting access, requesting deletion, or opting out entirely from a business that sells collected data to third parties. The two laws can be clearly distinguished by their nature and structure, even though both are legal frameworks for privacy, in Europe and California respectively.