How is the CCPA different from the GDPR?

Georgia Iacovou

24 Sep 2019

The California Consumer Privacy Act is coming on the 1st of January 2020.

The GDPR was introduced in the EU in May 2018 — it’s a regulation for organisations to better handle the flow of user data. It also gives controls and rights to users over their data. The CCPA is sort of similar, but has key differences. If you comply with GDPR, it in no way means that you also comply with the CCPA.

Who does the CCPA apply to?

This law applies to businesses located anywhere — not just in California. If a business collects or sells any data belonging to a Californian, they must comply with the CCPA.

However, it only applies if your business meets one or more of the following:

These things may seem like they narrow the scope a lot, but this means the law certainly applies to big tech companies such as Facebook, Google, and Amazon.

⚖️ The difference from the GDPR here is that the GDPR applies to any organisation that collects data from EU citizens, regardless of whether it makes money from that data. The CCPA seems to be aimed at for-profit businesses that make a lot of money, or that at least make most of their money from selling data.

What do I have to do if it applies to me?

The official website is full of language that is quite obviously aimed at the consumer; they outline what rights consumers will have with the CCPA in place, they do not instruct businesses on what changes they may need to make.

Therefore, as a business you must facilitate the following (taken directly from their site):

  1. Right to know ALL data collected by a business on you, twice a year, free of charge.
  2. Right to say NO to the sale of your information.
  3. Information Security: Right to sue companies who collected your data, where that data was stolen or disclosed pursuant to an unauthorized data breach, if the company was careless or negligent about how it protected your data (i.e. if the data was unencrypted, un-redacted, or the company didn’t have reasonable security policies and procedures in place to protect it). Identity Theft needs to be curbed!
  4. Right to DELETE data you have posted.
  5. Right not to be discriminated against if you tell a company not to sell your personal information.
  6. Right to be informed of what categories of data will be collected about you prior to its collection/at point of collection, and to be informed of any changes to this collection.
  7. Mandated opt-in before sale of children’s information (under the age of 16).
  8. Right to know the categories of third parties with whom your data is shared.
  9. Right to know the categories of sources of information from whom your data was acquired.
  10. Right to know the business or commercial purpose of collecting your information.

At the moment, there’s not too much about how a business might prepare to be compliant. The message is simply: be prepared for users to exercise their rights.

The CCPA has some aspects of the data rights we have under GDPR: you can do subject access requests where you ask to know what data a company has about you, and request for it all to be deleted.

⚖️ The difference from the GDPR here is that you only have the right to request what data a company has about you twice a year. Under GDPR, you can make as many requests as you like.

The circled button is not allowed… declining should not stop you from enjoying the full experience.

☝️ But a key similarity is that a business cannot discriminate against you if you want to exercise your rights. So if you say to a business ‘please don’t sell my data to anyone’, they have to deliver the same quality of service to you as they would to anyone else. The GDPR is the same, but sites and services consistently break the rules by blocking content unless consent is given.

So as it stands now, to comply with the CCPA you have to be prepared to process the different kinds of requests that may be made of you. Users may ask what data you’ve collected, who you’ve shared that with, and to stop sharing it altogether.

So it’s not so much a set of rules, but a set of user rights that you have to be ready to facilitate.

What is ‘personal information’ according to the CCPA?

The answer to this is almost too easy: their definition of ‘personal information’ is so broad that it basically encapsulates everything. So, according to the CCPA it is:

“Information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.”

This information spans from the usual things such as a name, email address, IP address and passport number, to other pieces of data that could potentially be used to identify you like geolocation, biometric data and psychometric data — and: inferences made from any of this data.

This comprehensive scoping will cover things such as behavioural ads which are becoming a large and unmanageable problem on the internet.

⚖️ The difference between this and the GDPR is not the type of data they are talking about, but that it’s not necessarily just a ‘person’s data’ but also a device’s or household’s data. This is interesting because it starts to remove individual ownership of specific data.

So what you may get are requests that are less like “please don’t track and share my location”, and more like “please don’t track and share the location of the family iPad”.

Roping in ‘device and household’ as well as individuals sort of helps with managing the data that flows through a smart device that everyone in a house uses. E.g. it’s likely that all members of a household, not just one, will either directly or indirectly interact with Alexa.

How will the CCPA be enforced?

I have answered this question for many other similar regulations in the past and the answer is always the same: fines.

If you are found to be in violation of the CCPA you could get fined up to $7,500 per violation. You could also pay up to $2,500 for each unintentional violation.

Consumers in California could also sue a business if they think their data has not been handled correctly under the regulation. So it’s really hard to say how much money you would pay out if you violate this regulation.

⚖️ The difference between this and the GDPR is that the fines for GDPR are either €20M or 4% of the company’s annual turnover — whichever number is bigger. Also, you can receive a GDPR fine if you are simply at risk of breaking the rules. Under the CCPA, you only get fined once you’ve broken the rules. Which is possibly too late — it’s hard to say until the fines start rolling in next year.

The important things to take away

Firstly, GDPR and CCPA are not the same at all — doing all you can to comply with one does not guarantee compliance with the other.

One of the main ways that the CCPA is different is its narrower scope: sure, it could affect any business, because it’s easy to assume that if you have a website, someone in California will interact with it at some point.

The narrow scope lies in what kinds of businesses it affects: you have to either have revenue upwards of $50M, make most of that from selling data, or sell data from 100k people/devices/households a year. It would be interesting to see, besides the big five, who this affects and how it changes the landscape. Not only that, but which states will be next.

Georgia Iacovou, Content Writer, Metomic