Data protection is everywhere nowadays. Ever since the introduction of the GDPR and the global craze around it, new laws have been popping up worldwide.
We will reflect on this while comparing the GDPR with CCPA.
We will discuss subjects such as:
National laws can quickly create a mess for global businesses operating online. That’s why they prefer national laws whose requirements are aligned with one another.
When businesses ask how to comply with data protection laws worldwide, they would prefer a straightforward answer, such as: “You just need to do this, this, and that, and you are compliant”.
Instead, they get the lawyers’ favorite, but the world’s most dreaded answer: “It depends”.
And that’s the truth. Different countries introduce different laws with different requirements. However, they are not as different as they could be.
Let’s look at the currently existing data protection laws and see how they compare.
In general, there are two prevailing trends in data protection laws worldwide:
There are differences between the two, and they are not insignificant.
Most countries that have passed new data privacy laws since the introduction of the landmark European legislation try to meet its standards. Some of them are almost identical, some others are very similar.
On the other hand, the United States refrains from passing a federal data privacy law. It leaves it to the individual states to pass their own laws.
For now, very few of them have such laws, and they are not as comprehensive as the GDPR.
In most cases, global companies do business in the developed world, including the EU and the US. Therefore, compliance with data protection laws worldwide requires following the two major trends in comprehensiveness.
Also, users from both sides of the pond need to understand these two trends to understand their rights better.
To explain them better, we will make a GDPR vs. CCPA comparison.
It doesn’t mean that it applies only to these two laws. Brazil, Thailand, Canada, Argentina, Turkey, and many other countries have laws similar to the GDPR.
At the moment of writing this article, Colorado and Virginia follow the example of the CCPA.
We’ll compare only the GDPR and the CCPA, but you’ll get an idea of the differences between the two models.
We are going to compare them through the lens of:
The GDPR is a law on data protection. It is a standalone law that deals with the protection of personal data.
The laws of the US states regulating personal data, on the other hand, are part of laws on consumer protection. The law of California is called California Consumer Protection Act.
The law of Virginia is called the Consumer Data Protection Act. Only Colorado’s law, the Colorado Privacy Act, is named as a privacy law, but in substance it is very similar to the other two.
The GDPR focuses on the protection of data. It regulates what happens to personal data from the moment of collection, through processing, storage, and transfer, all the way to deleting the data the business no longer needs.
The CCPA focuses on protecting the consumer who, among other things, needs to have their personal information protected.
The GDPR focuses on data privacy. The CCPA focuses on the consumer.
GDPR applies to businesses that:
So, it applies to all European businesses without exception and to all businesses worldwide that get in touch with the personal data of at least one European individual.
It doesn’t discriminate based on the size of the business. It applies to every single business that meets this criterion. It applies to giant companies and small online stores and blogs.
CCPA, on the other hand, applies only to a limited number of businesses.
It applies only to for-profit businesses that collect or process the personal information of consumers and do business in California, provided the business meets at least one of the following thresholds:
Only a few companies meet these thresholds; therefore, no US state privacy law applies to the rest. This also means that the personal information of their users, i.e., consumers, is not protected in any way.
The paradox is that any US citizen has a better chance of having their data protected by the GDPR (if dealing with an EU company) or a similar law than by the laws of the US states.
For example, if a California citizen interacts with a UK clothing store online, the UK GDPR applies. The UK GDPR protects this Californian because it applies to the UK company, but at the same time, they are not protected by US law.
If the very same user interacts online with a small California online clothing store, there is no way to protect their personal information. US small businesses do not owe any data protection to US citizens until they meet the applicable thresholds.
The legal basis for data processing and the concept of opt-in v. opt-out will give you a better picture of why this is important.
When the GDPR applies, users decide how much of themselves they will uncover. When CCPA applies, the user is uncovered as soon as they arrive on the website and is shown a privacy notice.
The GDPR requires businesses to have a good reason and a legal basis for collecting and processing personal data. It specifies what the possible legal bases are, and if the business cannot rely on any of them, it must not collect personal data. Period.
That’s the concept of opt-in. Data can be collected from the user and processed only if the user opts in to the processing or if there is some public interest.
Most often, businesses rely on users’ consent. Companies are good to go if users allow their data to be processed.
If the user voluntarily enters into a contract, such as a purchase of a shirt from an online clothing store, then the user has to provide their data to have the shirt delivered home.
Public interest or the controller’s legitimate interests can be a legal basis as well, but they are an exception to the opt-in rule and are rarely used. In general, the business should not touch users’ data without some form of opt-in.
With CCPA, it is different. Businesses are free to collect and process personal data as much as they want if they inform the user about that.
However, consumers have the right to opt out. They can request businesses not to sell their data or request deletion of their data. That would prevent the business from further processing or selling the data, but that is about it.
That’s the concept of opt-out. Businesses are free to process data if the user does not oppose that.
It is important to note, though, that California and Nevada are the only US states that provide an opportunity to opt out.
This opportunity is available only if the user is from one of these two states or if the business is based in one of them and meets the applicable thresholds.
A user who lives in Michigan and interacts with a Florida hotel is not protected.
The differences between the European and the US model of data protection are also visible in the rules on international data transfers.
An international data transfer occurs when a piece of data moves from one country to another.
For example, when a US online store collects a German user’s email address and stores it in the US, it transfers the data of a German user from Germany to the US.
If the US company uses the services of a Canadian email automation company, it further transfers the data to Canada.
Regarding personal data protection, the EU gives weight to human rights and the US to homeland security.
The GDPR prevents companies from transferring data to countries or organizations that do not provide protection equivalent to that of the EU law itself.
Businesses can transfer data only to adequate countries, or they have to rely on transfer tools, such as standard contract clauses or the user’s consent.
The US, on the other hand, does not prevent any business from transferring data worldwide. If an incident occurs, the business will be held responsible. But if nothing happens, no one cares.
But, that’s not all. According to the Foreign Intelligence Surveillance Act (FISA) 1978 and the Clarifying Overseas Use of Data Act (CLOUD Act) 2018, the US government can get the personal data of any person whose data is stored in the US or by a US company anywhere in the world.
This even means that the US government can access the data of a German citizen stored by a German company on AWS servers since AWS is a US company and owes them access to the data.
That’s why the CJEU annulled the Privacy Shield with the Schrems II decision and made data transfers to the US very complicated.
The EU and the US are still looking for a solution, but for now this important difference remains.
GDPR and CCPA differ in data breach rules as well.
The GDPR requires controllers and processors to implement technical and organizational measures to ensure data security.
If a breach occurs anyway, they have to inform the data protection authority in most cases, and the data subjects, i.e., users, in many cases.
Data breach rules are part of the law that ensures comprehensive data protection.
The CCPA, however, has no provisions on data breaches.
Most US states have no data protection laws yet, but many have data breach laws. While personal information is being protected through consumer laws, data breaches are regulated by different laws.
GDPR and CCPA approach enforcement of the laws differently.
The GDPR and similar laws establish a government agency to enforce the respective law. Each country has its own agency that enforces the law with regard to the users and companies from that country.
When users think their data privacy rights have been violated, they can complain to the relevant agency, which will investigate the case. The business will pay a GDPR fine if it is responsible for the violation.
If the user has suffered damages due to the violation, they can proceed to court to get damages compensation. If the agency finds that there has been no violation of the GDPR, the user can still go to court and seek justice.
Things are not so simple across the Atlantic. In California, users can initiate a lawsuit only in the case of a data breach or a lack of security measures.
But, in any other case, consumers are left to the initiative of the Attorney General. Since the Attorney General cannot know about all the CCPA violations, any consumer can reach out to them, and they will investigate.
If the investigation shows a violation, the Attorney General will give a 30-day notice to the business to cure the breach.
If the business complies, nothing happens further. If they don’t, they will be fined.
Comparing the two solutions, it is clear that the CCPA does not offer as much opportunity to seek justice as the GDPR does.
Moreover, many things are left in the hands of the Attorney General, who has many responsibilities other than consumer protection to take care of.
This will change in 2023 when the CPRA, widely known as CCPA 2.0, comes into force. It will establish a dedicated enforcement agency for data privacy for the first time in US legislation history.
Aside from granting less comprehensive data protection, the CCPA is also harder to enforce when a business violates it.
The GDPR obliged every EU country to establish a dedicated and well-equipped data protection agency to address the violations.
Although it still seems impossible to make all businesses respect the law, the GDPR does much better with enforcement.
Finally, both approaches lead to different data subject rights.
No other data privacy law worldwide grants more rights than the GDPR. Even those that mimic the GDPR sometimes guarantee fewer rights.
The CCPA, however, is even more limited in that area. It has significantly improved compared to the era of no data protection laws in the US, but it does not provide as many rights to consumers yet.
To give you an idea of how the CCPA and the GDPR compare in terms of data subject rights, the following table provides a good overview:
| Right | GDPR | CCPA |
|---|---|---|
| Know | Yes | Yes |
| Access | Yes | Yes |
| Delete | Yes | Yes |
| Object | Yes | No |
| Restrict | Yes | No |
| Data portability | Yes | No |
| Correction | Yes | No |
| Not be subject to automated decision making | Yes | No |
| Opt out of the sale of personal data | No | Yes |
| Opt in after opting out | No | Yes |
In Europe, people have several data subject rights. In the US, they can only know and access their data and then opt out or delete it. In the meantime, the controller can process the data freely, and consumers have no way to intervene, apart from deletion and opting out.
There is one more trend – not having a data protection law. India and Indonesia are the world’s largest economies without such laws.
They are in the process of introducing comprehensive data privacy laws, though, following the example of the GDPR.
At the same time, the US states passing new privacy laws remain similar to the CCPA, making it obvious that the world is headed in one direction and the US in another.