Heureka CCPA Series: Part 1 CCPA vs GDPR

Author: David Ruel, Sr. Product Manager

Conversations and decision making around CCPA have rapidly increased over the course of the last three months. Similar to the launch of GDPR, companies large and small are wondering what part they have to play in CCPA. With this in mind, Heureka is introducing a series of articles in November around CCPA. Part one starts with some basics to help answer common questions around the differences between GDPR and CCPA.

In this article we cite information from an excellent report from BakerHostetler highlighting the key differences between California’s landmark regulation and Europe’s own trailblazing framework. As this series progresses, we will detail how Heureka Software can help clients deal with their ever-growing mountain of unstructured data.

CCPA vs. GDPR. What are the differences?

Both Europe’s General Data Protection Regulation and the California Consumer Privacy Act are talked about as game-changing pieces of legislation around data privacy and consumer protections. But they are often discussed in vague terms, with the details getting lost in the shuffle.

Penalties

CCPA allows for civil penalties of up to $7,500 per violation, but also grants businesses a 30-day window to remedy violations. Under GDPR, administrative fines can reach 20 million Euro or 4% of annual global revenue, whichever is greater.

Who’s Regulated

In terms of who is subject to the regulation, CCPA is much narrower than GDPR. CCPA covers for-profit entities that meet any of several specific criteria, such as having revenues of more than $25 million or handling the personal information of more than 50,000 consumers, households, or devices for commercial purposes. GDPR, meanwhile, broadly covers “data controllers and data processors.”

What’s Protected?

The regulations are similar in terms of what is protected; however, unlike GDPR, the CCPA includes personal information linked at the household or device level. See page 8 of the Baker report, which details what is considered PII under CCPA.

Opt-Out Rights

For CCPA, organizations must have a “Do Not Sell My Personal Information” option on their website and accommodate any requests to opt out of the sale of personal information. GDPR does not have an overarching opt-out requirement, although it does have more specific consent requirements such as opting out of data processing for marketing reasons and withdrawing consent for processing activities.

Privacy Notice

The regulations include similar disclosure requirements; however, the CCPA’s requirement to notify consumers about personal information disclosed or sold to third parties only covers the one year prior to the request.

Accessing “Right of Disclosure” Information

Under CCPA, California consumers have the right to obtain a written disclosure of their personal information being collected. The GDPR’s access is not limited to a written format.

Right to Deletion

CCPA’s data deletion rights are much broader than GDPR’s, which only apply if one of six conditions is met. CCPA regulations do, however, allow businesses to refuse a deletion request on broader grounds than GDPR permits.

We will be covering the deletion of files in the series and how Heureka helps identify and remediate unstructured data.

Right of Rectification

CCPA does not currently have a right of rectification, whereas GDPR requires that consumers are able to correct inaccurate or incomplete personal data.

Right to Restrict or Object to Processing

CCPA only allows data subjects to opt out of personal information sales, whereas GDPR grants the right to restrict the processing of personal data and the right to object to processing for profiling, direct marketing, and statistical, scientific, or historical research purposes.

Right to Object to Automated Decision-Making

CCPA has no restrictions around automated decision-making, whereas GDPR does.

Children

Both regulations set the age of consent at 16 years old, but GDPR’s parental consent requirement is broader than CCPA’s, which requires parental consent only for sales of personal data.

Conclusions

Even if your organization does not have to worry about GDPR, understanding how various regulatory bodies are approaching the issue is helpful in preparing for CCPA and other legislation to come.

In our next CCPA Series segment, we will begin to drill down into specific areas of CCPA and how Heureka Software helps prepare you for taking action including reporting, searching and file actions. For more information, request your demo now or download our CCPA checklist.

Heureka Software and Red Clover Advisors are hosting a CCPA webinar on November 20. You may sign up for this free event here.