The European Union’s General Data Protection Regulation (GDPR) represents the most comprehensive privacy law in 20 years. The regulation took effect in May 2018 – one month before the first passage of the California Consumer Privacy Act (CCPA). The CCPA goes into effect in January 2020. Similar to the GDPR, the CCPA deals with consumer data and how it is obtained, stored, and handled by businesses. Both laws promise better transparency among businesses entrusted with public data and new options for consumers seeking privacy, but there are key differences to understand while gearing up to comply with a new set of regulations.
Similarities Between CCPA and GDPR
Both the CCPA and GDPR:
- Give individuals the right to access and delete personal information obtained by businesses.
- Increase transparency about what personal data is collected, shared, and sold.
- Require consumer privacy notices and portable copies of exported data, as requested by consumers.
- Provide the right to data erasure, under certain conditions.
Differences Between CCPA vs. GDPR
The laws diverge on several points, with the CCPA taking a more restrictive stance than the GDPR on some issues and a more permissive approach on others.
- Businesses affected: The GDPR applies to every business that processes EU citizen data, regardless of size or location. The CCPA applies to businesses collecting the information of customers, vendors, and employees in California.
- Definition of personal information: The CCPA includes an expansive definition of household information beyond names, physical addresses, and phone numbers – to include IP addresses, device identifiers, biometrics, and geolocation – while the GDPR does not include household information in its definition.
- Right to access: GDPR gives the right to access “all personal data processed in the EU,” whereas the CCPA only provides the right to access California personal data collected “within the last 12 months,” delineated between collected and sold.
- Right to correct errors: The GDPR allows individuals to correct erroneous information in their files, while the CCPA does not specifically address errors.
- Right to stop processing: Under GDPR, individuals can put a stop to a company’s processing of their information; CCPA only allows individuals to opt out of their data being sold to third parties.
- Right to opt-out: Under GDPR, individual consent is not required to collect and use data. Under CCPA, individuals have an absolute right to opt out of the sale of their personal information. It goes further in requiring businesses to add a “Do Not Sell My Personal Information” link on their websites and mobile apps.
- Right to equality: The GDPR implies a right to equal pricing and service, whereas the CCPA explicitly requires it.
- Children’s privacy: GDPR requires parents to provide consent to the processing of their children’s personal information. The CCPA requires businesses to obtain opt-in consent for the sale of a child’s information but not the company’s processing of it. Children are defined as those under 16, whereas teens may provide their own consent.
- Enforcement: Penalties for GDPR violations are limited to 4% of global annual revenues; penalties for CCPA violations are $2,500 per unintentional violation and $7,500 per intentional violation.
Prepare for CCPA Litigation
Kroll Settlement Administration stands at the ready to assist firms in the administration of the new and complex litigations that will arise with enforcement of the CCPA. We have been a pioneering class action administrator for more than 50 years, and the CCPA is not the first time we’ve had to meet the challenges of newly enacted regulations. We welcome the chance to help firms comply with the new rules, and make sure that all litigation filed pursuant to the California Consumer Privacy Act is resolved as efficiently as any other. Contact us to learn more about how our team of business consultants, programmers, notice experts, and client service managers can help you navigate any new regulations.