Shortly after the European Union’s General Data Protection Regulation (GDPR) came into force in May 2018, California passed its own sweeping privacy legislation, the California Consumer Privacy Act of 2018 (CCPA). So what are the key similarities and differences between the two laws?
Similar to GDPR’s extraterritorial reach, the CCPA may apply to businesses without a physical presence in California. The GDPR applies to any business that offers goods or services to data subjects in the EU or monitors the behaviour of EU data subjects. In contrast, the CCPA applies more narrowly to entities that determine the purposes and means of processing personal information pertaining to California residents and meet one of three thresholds:
- Have annual gross revenue in excess of $25 million
- Buy, receive for the business’s commercial purposes, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices, annually, or
- Derive 50% or more of their annual revenues from selling consumers’ personal information
Lawful basis for processing
Under the GDPR, businesses must justify their processing of personal data by reference to one of six lawful grounds, such as by showing that the processing is necessary for the performance of a contract, or that individuals have given their affirmative consent. The CCPA does not contain any similar provision. However, the CCPA gives California residents the right to opt out of the “sale” of their personal information.
Data subject rights
Both laws provide consumers with certain rights with respect to their personal data, but the rights under the CCPA are narrower. The GDPR provides data subjects with various rights, including the right to be informed of data processing practices, the right to access their personal data, the right to amend inaccurate data, the right to delete data, the right to receive personal data in a commonly used format so that it can be “ported” to another company and the right to object to processing in certain cases. The CCPA gives Californians the right to learn whether personal information is being collected about them, and the rights to access and delete their personal information, but it does not provide consumers with the right to portability, and any “objection” right is specific to the sale of personal information.
Although some have dubbed the CCPA “GDPR 2.0” or “GDPR-like”, businesses should be aware that there are major distinctions between the two laws. The GDPR does not subsume the CCPA and compliance with the GDPR does not ensure compliance with the CCPA. We recommend that organisations seek the advice of EU and California qualified lawyers to understand the application and implications of the GDPR and CCPA, respectively, on their businesses.