By LegalEdge News

GDPR v CCPA: Privacy Legislation Cousins


Both the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) give individuals greater control over their personal data. Both require companies to be more transparent about how they process it, require consent for certain kinds of processing, and give people rights of access, correction and deletion. But there are differences, so if you do business in both the EU and California, don’t assume that complying with one means you are covered for the other. That said, if you have already taken steps to comply with one, you can and should leverage as much of that effort as possible, adapting policies, processes, 3rd party contracts and training materials as necessary.

Our US partners, Outside GC, have helped us pull together the following overview of the key requirements and differences. For each topic the CCPA position is given first, followed by the GDPR position.

CCPA and GDPR compared
1. SCOPE
CCPA:
Any company doing business in California that meets any one of these thresholds:
(i) gross revenue > $25 million (inflation adjusted),
(ii) annually buys, receives, sells, or shares the personal information of > 50,000 consumers, households, or devices for commercial purposes, or
(iii) derives 50% or more of its annual revenues from selling consumers’ personal information.
It applies to the whole business, not just to entities that are incorporated or licensed to do business in CA.
But it does NOT apply if every part of a company’s commercial conduct takes place wholly outside CA, even if CA residents’ personal information is processed, i.e. where:
(i) the personal information was collected while the consumer was outside of CA,
(ii) no sale of the consumer’s personal information occurred in CA, and
(iii) no personal information collected while the consumer was in CA is sold.
GDPR:
Applies to any business that meets either of these conditions:
(i) it is established in the EU and processes personal data in the context of the activities of that EU establishment, regardless of whether the processing itself takes place within the EU, or
(ii) it is not established in the EU, but processes the personal data of individuals who are in the EU in connection with offering them goods or services (whether or not payment is required) or monitoring their behaviour within the EU.
2. WHO IS PROTECTED
CCPA:
California residents who are either:
(i) in California other than for a temporary or transitory purpose, or
(ii) domiciled in California but are currently outside the State for a temporary or transitory purpose.
GDPR:
Anyone, regardless of nationality or location, whose personal data is processed by an EU-established entity, plus (for businesses outside the EU) anyone in the EU whose data is processed in connection with offering them goods or services or monitoring their behaviour. So much broader.
3. WHAT INFORMATION IS PROTECTED
CCPA:
“Personal information” similar to GDPR. There is a list of 11 specific categories. Information linked at the household or device level is covered.
Personal information that is already covered by certain other US federal laws (for example, protected health information under HIPAA and financial information under the Gramm-Leach-Bliley Act) is excluded, because robust privacy and safeguarding rules are already in place to protect it.
GDPR:
“Personal data” similar to CCPA. It includes any data which identifies an individual or which could be used to identify an individual. This means that any data which is unique to a person such as an IP address or location data can fall within the definition of personal data.
Sensitive data (“special category” data) is more strictly regulated, e.g. information relating to racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation, as well as genetic, biometric and health data.
4. PRIVACY NOTICES AND POLICIES
Both laws stipulate that companies have disclosure obligations regarding data collection, including the purposes for processing data and the various rights of individuals with respect to their data.

CCPA requirements include:
(i) tracking information in accordance with pre-determined categories, such as geolocation data, internet or other similar network activity, or biometric information,
(ii) disclosing “sharing” and “sale” of data (which are defined very broadly),
(iii) providing a notice to tell people about their rights to opt out of the sale of their data, and
(iv) providing a separate mechanism for people to exercise the opt out right.
GDPR requirements include:
(i) stating the legal basis for the processing,
(ii) disclosing information on any third party recipients of the data, and
(iii) telling people if their data will be transferred outside the EEA and identifying the mechanism for transferring it.
5. DATA SECURITY
CCPA:
Data security requirements are not imposed directly. But an affected person has a private right of action for certain data breaches of nonencrypted and nonredacted personal information that result from a failure to implement and maintain reasonable security practices and procedures appropriate to the nature of the information. In practice this makes encryption at rest and in transit, and minimisation of what is stored, the most direct way to limit exposure.
GDPR:
Data controllers and data processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Businesses determine those measures by weighing the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing against the likelihood and severity of harm to individuals from unauthorised access, loss or alteration of the data. Examples of possible measures include:
• encryption and pseudonymization of data,
• ensuring the confidentiality, integrity, availability and resilience of processing systems,
• ensuring data can be restored quickly in the event of an incident, and
• having a process for regularly testing the effectiveness of security measures.
6. RESPONDING TO RIGHTS REQUESTS
CCPA:
A business must respond to a request within 45 days of receipt (extendable once by a further 45 days where reasonably necessary, provided the consumer is notified of the extension within the first 45 days), but requests:
(i) cannot be made more than twice in any 12-month period (except in certain circumstances), and
(ii) are limited to a 12-month look-back period.
These limits do not apply to deletion and ‘do not sell’ requests.
GDPR:
A response must be given without undue delay and at the latest within 1 month of the request. That period can be extended by up to two further months where necessary, taking into account the complexity and number of requests, but the individual must be told of the extension and the reasons for it within the first month.
7. PENALTIES FOR BREACHES
CCPA:
An individual’s private right of action is quite narrow (it covers the data breaches described in section 5), and companies have a 30-day period to cure violations where a cure is possible.
Individuals can recover the greater of actual damages or statutory damages of $100 to $750 per consumer per incident. Courts may also grant injunctive or declaratory relief. Separately, the California Attorney General may bring actions for civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation.
GDPR:
Fines can be up to the greater of EUR 20 million or 4% of a company’s total worldwide annual turnover for the preceding financial year. A lower tier of EUR 10 million or 2% applies to certain infringements, including breaches of the security, record-keeping and processor-contract obligations.
EU Member States can also impose their own penalties, including criminal sanctions.
Individuals can also bring claims for damages in national courts.
8. THIRD PARTIES
CCPA:
Agreements with 3rd party service providers must (at a minimum) prohibit the 3rd party from retaining, using or disclosing personal information for any purpose other than performing the services specified in the agreement. Without such a contract, the disclosure may be treated as a “sale” of the data. If it is a sale, consumers should have been given the right to opt out, and some of the liability protections of the CCPA will not apply.
GDPR:
Data controllers must have written agreements with 3rd party data processors, and those agreements must include certain mandatory terms (more than is required under the CCPA). Under Article 28 the contract must, among other things, set out the subject matter, duration, nature and purpose of the processing; require the processor to act only on the controller’s documented instructions; impose confidentiality and security obligations; control the use of sub-processors; require assistance with individuals’ rights requests and breach notification; and require the data to be deleted or returned at the end of the service.
9. INTERPLAY WITH OTHER LAWS
CCPA:
The CCPA does not override other California laws but if there is a conflict the law that gives the greatest privacy protection governs. It supplements rather than replaces existing consumer protection laws, such as the California Online Privacy Protection Act (CalOPPA), California Data Protection Act (CDPA), Shine the Light law, and the data breach notification statute.
This means that companies need to assess whether and to what extent they are also subject to other laws on privacy and data security in addition to the CCPA. If they are relevant, external notices and internal policies and procedures need to be documented in compliance with all such laws.
GDPR:
The GDPR applies directly in every EU Member State, but it leaves room for national variations (for example, the age at which a child can consent to online services, and rules on employee data), so companies need to check the relevant local laws. Companies in the EU, or targeting or monitoring EU-based individuals, also need to be aware of the ePrivacy Directive, which contains supplemental rules on the processing of personal data for direct marketing purposes and on the use of cookies and similar technologies. Its national implementations differ: in some countries B2B marketing is allowed without explicit consent, whereas other countries require such consent for B2B as well as B2C marketing.

Outside GC is the largest provider of on-demand, in-house counsel legal services in the United States, handling the legal needs of companies of all sizes, from start-ups to the Fortune 500, and across a range of industries, including technology, life sciences, media, SaaS, advertising, retail, e-commerce, consumer products/services and others. The former in-house experience of their attorneys is what sets them apart from traditional firm lawyers, enabling them to provide practical and efficient legal counsel to their clients. 

About Stephan:
Stephan Grynwajc served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape.
