GDPR vs CCPA, what are the differences?

By
Patrick TIEV

The GDPR has revolutionized the processing of personal data for organizations. Since it took effect on May 25, 2018, several states have taken inspiration from it to legislate on personal data. Among them is the state of California, with the CCPA (California Consumer Act), which came into force on January 1, 2020. However, this text differs from the GDPR in several respects.

CCPA and GDPR: Similar objectives with significant differences.

Whether you are a DPO, Compliance Officer or Legal Director, you have certainly been alerted to the arrival of this text enacted on June 29, 2019. And, if you work in an international group, this dual compliance is a major challenge to take on!

Let me tell you right away: an organization's compliance with the GDPR does not de facto lead to compliance with the CCPA. There are obligations specific to California law.

In this video, I go over the 7 main differences between the GDPR and the CCPA. Listing these differences will allow you to identify the actions and projects to be undertaken within your organization. You will thus be able to approach your compliance with the CCPA calmly.

CCPA and GDPR, what are the differences?

1st difference: The people concerned

The GDPR covers all natural persons located in the territory of the European Union, with no residency requirement.

The CCPA is limited to consumers who are residents of California only.

2nd difference: The data concerned

The CCPA recognizes as “Personal Information” data concerning individual consumers but also household data. The scope of California law therefore has an extra-individual dimension. This dimension does not exist in the GDPR.

On the other hand, unlike the GDPR, the CCPA explicitly excludes certain categories of data from its scope (health data, public data, etc.).

Likewise, the CCPA does not include the distinction between sensitive personal data and personal data.

3rd difference: The organizations concerned

The CCPA has a much narrower scope of application than that of the GDPR.

The GDPR applies to natural or legal persons and to public or private organizations, whether for-profit or not.

Conversely, the CCPA only applies to for-profit businesses that meet one of the following threshold criteria:

  • Have gross annual revenue of more than $25 million
  • Sell the personal information of more than 50,000 California residents per year
  • Obtain more than 50% of annual sales from the sale of personal information of California residents.

4th difference: The Collection of Consent

Unlike the GDPR, the CCPA does not require prior consent for processing. Businesses can process California consumer data as they wish, except when consumers exercise their right to object to the sale of their data.

So there is no opt-in logic of the kind found in the European regime.

Exceptions for minors under 16: Between 13 and 16 years of age, the consent of the minor is required for the sale of their personal data. For minors under the age of 13, the consent of the legal guardian will be required.

5th difference: The rights of the persons concerned

Right to information

In both regimes, companies are required to mention the categories of personal data processed. But, unlike the GDPR, the CCPA requires only the categories of personal data processed in the last 12 months to be mentioned.

Right of access and portability

Unlike the GDPR, access and portability rights only relate to personal information collected in the 12 months preceding the request.

Right to delete

Again, the CCPA and the GDPR differ, whether in how the request is made or in the need to justify it.

Right to object

The GDPR allows the persons concerned to stop any processing of their personal data.

With the CCPA, the state of California decided to limit this right to the sale of personal information to third parties. On this point, and unlike under the GDPR, the consumer does not have to provide any justification: this right is absolute. In addition, in order to guarantee this right, the CCPA requires organizations to set up a specific link on their website with the title “Do Not Sell My Personal Information”.

6th difference: Sanctions

With the arrival of the CCPA, businesses face penalties of up to $7,500 per violation, with damages of $750 per user affected by the violations. At first glance, the amounts are quite low compared to the sanctions provided for by the GDPR, which can amount to up to 20 million euros or 4% of global annual turnover. Be careful, however, because we can imagine that with this mechanism sanctions could reach substantial amounts.

7th difference: The sale of personal data

For the CCPA, data is perceived as intangible assets with monetary value. On the other hand, for Europeans, personal data rights are extra-property rights and are therefore not considered to be assets.

Consequence: The CCPA allows businesses to offer financial incentives to obtain consumers' personal information. This possibility is completely absent from the GDPR.
