In 2018, the digital world was turned on its head with the institution of the General Data Protection Regulation (GDPR).
Although the law is based in the European Economic Area (EEA), businesses around the world that target European consumers are subject to comply with this comprehensive data privacy law.
Shortly after the GDPR’s release, another law entered the public eye: the California Consumer Privacy Act (CCPA).
In effect as of January 1, 2020, this California law was conceived as a replica of the GDPR, meant to bring European privacy standards to the United States.
However, the CCPA failed in replicating the GDPR, instead being passed as a light version of the EEA’s landmark data law.
- How did the CCPA succeed in mimicking the guidelines of the GDPR?
- Where did it fail?
Let’s take a look at the basics of the CCPA and GDPR laws and what makes them different.
1. Defining who needs to comply
No doubt, the GDPR leaves plenty of room for interpretation regarding who is and is not subject to comply with the law.
However, it’s the common interpretation of the legislation that any business or digital operation that targets EEA (and Switzerland) citizens needs to meet the standards outlined in the law — or suffer the consequences.
The CCPA, on the other hand, gives a much narrower definition of who falls under the purview of the legislation. The legal text explicitly applies to “businesses” — as defined by the CCPA.
Under the CCPA, a business is defined as a for-profit entity that meets one or more of the following thresholds:
“(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as
adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’s commercial
purposes, sells, or shares for commercial purposes, alone or in combination, the personal
information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal
Compared to the GDPR, these thresholds are relatively high, and leave a lot of companies questioning whether they are or are not subject to comply with the CCPA.
2. Raising transparency standards
One of the most notable parallels between the two laws can be seen in the new standards they set for transparency. To meet the requirements of both the GDPR and the CCPA, businesses are modifying their privacy policies to be more thorough, detailing every aspect of their data collection, storage, sharing, and use.
These new standards raise the bar for what information users have the right to access regarding the collection of their personal data.
Furthermore, both the GDPR and the CCPA require businesses to specify within their privacy policies what rights European and Californian consumers have under these laws.
In addition to explanations of their rights, users will be given instructions of how they can act upon them. For example, Californian consumers should be provided with a “Do Not Sell My Personal Information” link and instructions for opting out of the sale of their data.
3. Establishing consequences for noncompliance
Like with any law, both the GDPR and the CCPA establish penalties for those who fail to comply.
The GDPR threatens fines up to 20 million euros, or 4% of a company’s annual revenue — whichever is higher. Fines are dished out by country-specific GDPR enforcers. Already, tech giants have been penalized for noncompliance — including a Google GDPR fine of 50 million euros.
Alternately, CCPA noncompliance can cost companies $750 per violation in a lawsuit brought by the California Attorney General’s office. Each person whose data is violated by a CCPA noncompliance claim counts as a violation — meaning large companies may be looking at millions of dollars in class-action payouts.
However, CCPA enforcement won’t officially begin until July 1, 2020, meaning the bar the law sets for accountability is yet to be seen.
4. Comparing the basics of the GDPR & CCPA
In addition to the similarities and differences mentioned above, these two landmark privacy laws share even more key features, and offer their own unique requirements.
To learn more about the basics of both laws, check out Termly’s CCPA vs GDPR infographic below:
This infographic was created by Termly.