Corporate Compliance Insights
Where the CCPA and GDPR Overlap and Diverge

An Illustrated Comparison of the Regulations

by Felix Sebastian
November 14, 2019
in Data Privacy

Before the CCPA becomes law on January 1, 2020, compliance officers worldwide (not just in California or the U.S.) need to be sure their companies are compliant. Are steps taken toward GDPR compliance sufficient? Termly’s Felix Sebastian explores the differences between the regulations.

Since the General Data Protection Regulation (GDPR) took effect, businesses have collectively spent billions of dollars and “hundreds of years of human time” on compliance efforts. These numbers look excessive at first glance, but with the GDPR supervisory authorities handing out multimillion-dollar fines to Google and other corporate giants this year, investing in prevention measures is cheaper than coughing up 4 percent of revenue.

Data protection officers and consumers alike are only just adjusting to this new era of data privacy laws, but another major regulation — the California Consumer Privacy Act (CCPA) — is awaiting its turn to go live on January 1, 2020.

Knowing how the CCPA and the GDPR differ (and are similar) is crucial to effectively prepare for upcoming CCPA compliance challenges. Here’s an infographic to help you get started on this research.

[Infographic: differences between the CCPA and the GDPR. Infographic courtesy of Termly.]

While the infographic compares the fundamentals of the GDPR and the CCPA, here are a few more similarities and differences worth noting:

Extraterritoriality — Who’s Covered?

Both the GDPR and the CCPA are extraterritorial in their scope. This means that while these two laws are based in the European Union (EU) and the U.S. state of California (CA), the laws still apply to businesses worldwide that target EU* and California residents, respectively.

Given the transnational nature of data and businesses in this internet age, extraterritoriality is a standard component in new privacy laws around the world, such as those in Thailand and Brazil.

Personal Data — What’s “Personal?”

At the core of both the GDPR and the CCPA lies the protection of personal data. However, the two laws differ in how they define “personal”; these distinctions in phrasing, though minor, have practical implications for businesses.

The GDPR uses the term “personal data” and defines it as “information that relates to an identified or identifiable individual.”

In contrast, the CCPA uses the term “personal information” and defines it as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The CCPA’s use of “reasonably” in its definition provides more room for interpretation. In practice, this means that, for example, hashed data might not be deemed “personal” under the CCPA. We’ll have to wait and see how the interpretations of the enforcement agencies, businesses and consumers play out in the months following the CCPA taking effect.

Rights — What’s Provided?

Both the GDPR and the CCPA entitle their subjects to know what personal information is collected from them (and whether and with whom it’s shared), to access this information and to request that it be erased.

Specifically, the GDPR gives EU* consumers eight rights over their personal data. Those include the right to:

  1. Know
  2. Access
  3. Rectification
  4. Erasure
  5. Restriction (of processing)
  6. Data portability
  7. Object (to direct marketing)
  8. Object to decision-making based only on automated profiling

The CCPA, on the other hand, grants California consumers five rights, which include the right to:

  1. Know
  2. Access
  3. Object (to sale of their data)
  4. Erasure
  5. Service without discrimination

The two laws differ slightly in the meaning of “right to object.” Whereas the GDPR affords its subjects the rights to object to direct marketing and to restrict the processing of their personal data, the CCPA provides a related, yet different right: the right to object to the sale of their data.

Furthermore, the CCPA specifies the “right to nondiscrimination,” meaning consumers who choose to exercise their CCPA rights are entitled to equal prices, products and services as any other customer.

Exemptions

Finally, let’s review exemptions to the GDPR and the CCPA.

Although the GDPR is a law passed by the European Parliament, it does not apply uniformly in every EU member state. Article 23 of the GDPR allows member states to reasonably modify and/or restrict certain data rights when it comes to matters of national significance, for example:

  • Criminal investigations
  • Defense
  • National and public security
  • Economic and financial interests of the EU or the state

A list of GDPR exemptions available in the U.K., for instance, was recently published by the U.K. Information Commissioner’s Office.

Given that the CCPA is a law passed by a single U.S. state, it handles exemptions in a more direct manner: through the text of the law itself and through amendments. CCPA exemptions mostly pertain to personal data in business sectors that already have laws in place for regulating how data is processed. Examples include:

  • Consumer reports covered by the Fair Credit Reporting Act
  • Insurance-related data covered by the Gramm–Leach–Bliley Act and the California Financial Information Privacy Act
  • Health data covered by the Health Insurance Portability and Accountability Act (HIPAA)

Some CCPA exemptions are currently meant to be in effect only until January 1, 2021, giving lawmakers a year to pass supplementary data privacy laws that pertain to the following:

  • Job applicants
  • Employees
  • Contractors
  • Business-to-business transactions

What happens when those laws pass (or fail to pass) remains to be seen.

In addition to these exemptions, note that the CCPA applies to only a subset of companies that collect the personal data of California residents, as illustrated in the infographic. Furthermore, the CCPA does not apply to nonprofits. The GDPR casts a much wider net, with no revenue or volume thresholds.

Summary

GDPR-fatigued compliance officers may be dismayed by the new challenge of CCPA compliance. But, strategically speaking, those who’ve already developed systems and processes to satisfy the GDPR are in a good position due to overlap with the CCPA. Focusing on the key differences between these two regulatory behemoths can help ensure total compliance.



*More specifically, the GDPR applies to all entities that process the personal data of any resident of the European Union member states plus Iceland, Liechtenstein, Norway and Switzerland.


Felix Sebastian

Felix Sebastian is the Managing Editor at Termly, where he helps business owners generate privacy policies and other important legal documents, implement best business practices and comply with transnational privacy laws. He specializes in writing and curating compliance guides and law overviews for small business owners.

© 2019 Corporate Compliance Insights