to GDPR
Who is regulated?
Substantially different in the parties regulated. The scope and territorial reach of the GDPR is much broader
Who is protected?
Substantially different in approach, but similarly broad in effect. Both laws focus on information that relates to an identifiable natural person, although the definitions differ. Both have potential extraterritorial effect, which businesses located outside the jurisdiction must consider
What information is protected?
Substantially similar. However, the CCPA definition also covers information linked at the household or device level, not only to an individual
Right to deletion/erasure (The right to be forgotten)
Similar data deletion rights. The GDPR right only applies if the request meets one of six specific conditions, while the CCPA right is broad. However, the CCPA also allows a business to refuse a request on much broader grounds than the GDPR. The GDPR's obligation to inform downstream recipients of the data about the person's deletion request is also broader. The current legal interpretation is that under the CCPA a business cannot satisfy a deletion request by anonymising the data instead of deleting it (this point is under review by the Attorney General)
Privacy notices/Information rights
Similar disclosure requirements, but differences in the specific information required and the delivery methods. The CCPA notice requirement on personal information disclosed or sold to third parties only covers the 12 months preceding the request
Security
Substantially similar in statutory approach, though what counts as reasonable security measures may vary to some extent with an organisation's circumstances and with regulator interpretation
Opt-out right for personal information sales
Substantially different. The GDPR does not include a specific right to opt out of personal data sales, whereas under the CCPA you must include a 'Do Not Sell My Personal Information' link in a clear and conspicuous location on the website homepage
Children
Substantially different requirements, apart from the ages involved. The CCPA only requires parental consent for sales of personal information, while the GDPR's parental consent requirement applies to every processing activity that relies on consent
Right of disclosure or access
Broadly similar rights of disclosure/access. The CCPA right is only to obtain a written disclosure of the information. The GDPR allows broader access, which is not limited to a written disclosure in a portable format
Right of data portability
Broadly similar rights. The GDPR additionally provides a specific right to require a data controller to transfer the person's data directly to another data controller
Right of rectification
Substantially different. This is not a requirement for CCPA
Right to restrict processing
Substantially different. This is not a requirement under the CCPA, other than the right to opt out of personal information sales
Right to object to processing
Substantially different. This is not a requirement under the CCPA, other than the right to opt out of personal information sales
Right to object to automated decision making
Substantially different. This is not a requirement for CCPA
Responding to rights requests
Substantially similar. However, the turnaround times differ, and the CCPA only has a 12-month look-back period for consumer rights requests
Non-discrimination
Similar idea, different obligations: under both acts a business must not discriminate against a consumer because they exercised their rights
Penalties (Private rights of action)
Substantially different in scope, but violations of either may result in significant economic liability
Penalties (Civil fines)
The approach to calculating fines differs, but violations of either may result in significant economic liability