California recently passed the California Consumer Privacy Act (CCPA), providing new rights for California consumers (broadly defined as California residents) regarding their personal data. The CCPA is modeled after the EU’s General Data Protection Regulation (GDPR), which provides EU citizens with a number of rights related to data processing and imposes specific requirements on companies that process EU citizen data. The new California law provides similar requirements for businesses that collect data from California consumers. The following are some key points of comparison.

What is personal data/information?

GDPR: Broadly defined as “any information relating to an identified or identifiable natural person.”

CCPA: Includes standard identifiers, but also includes less conventional categories, such as biometric data, Internet activity, education information, and commercial information. It does not include publicly-available information.

What is data processing?

GDPR: Any operations performed on personal data, automated or otherwise.

CCPA: Any operations performed on personal data, automated or otherwise.

Whose information is protected?

GDPR: Natural persons (also known as data subjects) in the European Union who can be identified, directly or indirectly, by reference to an identifier.

CCPA: Consumers, which are natural persons who are California residents.

Who must comply?

GDPR: “Controllers” (who determine “the purposes and means of processing the data”) and “processors” (who process personal data for the controller) that process personal data of data subjects within the European Union, regardless of whether the processing takes place in the Union.

CCPA: Businesses that collect consumers’ personal information, or authorize another to collect it on their behalf, and either (1) have annual gross revenues of more than $25 million; (2) annually buy, receive, sell, or share, for commercial purposes, information from at least 50,000 consumers, households, or devices; or (3) derive at least 50% of their annual revenues from selling consumers’ personal information.

When can data be processed?

GDPR: When there is a specific lawful basis, including: consent, performance of a contract, to protect a person’s vital interests, for the public interest, or legitimate interests of the controller or a third party.

CCPA: The Act does not enumerate specific bases for processing, although the sale of consumer information is prohibited if a consumer has opted out.

What rights do data subjects have?

GDPR:

(1) Right to be informed of data processing practices.

(2) Right to access to personal data and other information about processing.

(3) Right to rectification.

(4) Right to be forgotten.

(5) Right to restrict processing.

(6) Right to data portability.

(7) Right to object to processing.

(8) Right not to be subject to a decision based solely on automatic processing.

CCPA:

(1) Right to be informed of the types of information collected and the purposes for collection.

(2) Right to access the categories, sources, and specific pieces of information collected, the purposes for data collection, and third parties with whom the data has been shared.

(3) Right to request deletion of personal information.

(4) Right to opt out of the sale of a consumer’s personal information.

How do the laws apply to children’s data?

GDPR: Processing children’s data is lawful if the child is at least 16, otherwise parental consent is required. However, EU member states may lower the age to require parental consent to no younger than 13.

CCPA: Businesses cannot knowingly sell data of consumers younger than 16 unless the consumer has opted in to the sale (if the consumer is between 13 and 16), or the parent or guardian has opted in to the sale (if the child is under 13).

What are the exemptions?

GDPR: Processing by legal authorities in relation to investigating, detecting, or prosecuting criminal offenses or penalties; processing for journalistic, academic, or literary expression purposes; limited exemptions for processing for scientific, historical research, or archiving purposes in the public interest; processing for purely personal or household activities.

CCPA: Processing for compliance with federal, state, or local laws, including, but not limited to, GLBA and HIPAA, or legal investigations; collection or sale of de-identified or aggregate consumer information; collection or sale of personal information that takes place wholly outside of California; sale of information to consumer reporting agencies for a consumer report; where compliance would violate evidentiary privilege.

Do consumers have a private cause of action?

GDPR: Yes.

CCPA: Yes, but private citizens must give the business an opportunity to cure any violations and inform the California Attorney General (AG) of a complaint against the company before bringing a case. Any attempts to waive a consumer’s enforcement rights, including the right to bring a class action, will be unenforceable.

What fines can be levied?

GDPR: Depending on the violation, administrative fines of up to 20,000,000 EUR or up to 4% of total worldwide annual turnover of the previous year.

CCPA: For private causes of action, between $100 and $750 per consumer per incident, or actual damages, whichever is greater. For California AG actions, civil penalties of up to $7,500 per violation.

The CCPA does not go into effect until January 1, 2020, and there may be changes made to the law before then. Until then, however, companies should take the time to review their current business practices to determine any changes required to conform with the law and steps that they can take towards implementation.