Data protection is everywhere nowadays. Ever since the introduction of the GDPR and the global craze around it, new laws are popping up around the world.
In this guide we will talk about the different international trends in data protection regulations.
We will reflect on this while comparing the GDPR with CCPA.
We will discuss subjects such as:
- Current state of data protection laws
- GDPR vs. CCPA: Consumer protection & data protection
- GDPR vs. CCPA: Applicability
- GDPR vs. CCPA: Opt-in vs. opt-out
- GDPR vs. CCPA: International data transfers
- GDPR vs. CCPA: Data breach rules
- GDPR vs. CCPA: Enforcement
- GDPR vs. CCPA: Data subjects’ rights
National laws can quickly create a mess for global businesses operating online. That’s why they prefer national laws whose requirements are aligned among themselves.
When businesses ask how to comply with data protection laws worldwide, they would prefer a straightforward answer, such as: “You just need to do this, this, and that, and you are compliant”.
Instead, they get the lawyers’ favorite, but the world’s most dreaded answer: “It depends”.
And that’s the truth. Different countries introduce different laws with different requirements. However, they are not as different as they could be.
Related guide: GDPR Three Years Later: What We’ve Learned and What’s Ahead of Us
Related guide: How Do Sales of Personal Data Work and How to Protect Yourself
Let’s look into the currently existing data protection laws and see how they compare with each other.
Current State of Data Protection Laws
In general, there are two prevailing trends in data protection laws worldwide:
- Comprehensive data protection similar to the protection provided by the GDPR of the EU, with significant requirements for transparency, accountability, guarantees of data subject rights, and many safeguards for data security, or
- Non-comprehensive data protection laws, requiring some transparency from businesses, and providing guarantees for data subject rights.
There are differences between the two and they are not insignificant.
Most of the countries that have passed new data privacy laws since the introduction of the landmark European legislation try to meet the standards set by it. Some of them are almost identical, some others are very similar.
On the other hand, the United States has refrained from passing a federal data privacy law. It leaves it to the individual states to pass their own laws.
For now, very few of them have such laws and they are not as comprehensive as the GDPR.
In most cases, global companies do business in the developed world, which includes both the EU and the US. Therefore, compliance with data protection laws worldwide requires following the two major trends in comprehensiveness.
Also, users from both sides of the pond need to understand these two trends in order to understand their rights better.
To explain them better, we will make a GDPR vs. CCPA comparison.
Related guide: CCPA Compliance Made Simple – Step-by-Step Guide
It doesn’t mean that it applies only to these two laws, though. Brazil, Thailand, Canada, Argentina, Turkey, and many other countries have laws similar to the GDPR.
Colorado and Virginia, at the moment of writing this article, follow the example of the CCPA.
We’ll compare the GDPR and the CCPA, but you’ll get the idea of the differences between the two approaches.
We are going to compare them through the lens of:
- Consumer protection v. data protection
- Opt-in v. opt-out principle
- International data transfers
- Data breach rules
- Enforcement, and
- Data subject rights.
Consumer Protection vs. Data Protection
The GDPR is a law on data protection. It is a standalone law that deals with the protection of personal data.
The laws of the US states regulating personal data, on the other hand, are part of laws on consumer protection. The law of California is called the California Consumer Protection Act. The law of Virginia is called the Consumer Data Protection Act. Only the law of Colorado is called the Colorado Privacy Act, but in essence it is very similar to the previous two laws.
The GDPR focuses on the protection of data. It regulates what happens to personal data from the moment of collection, through processing, storage, and transfer, all the way to deleting the data the business no longer needs.
The CCPA focuses on the protection of the consumer who, among other things, needs to have their personal information protected.
Basically, the GDPR focuses on data privacy. The CCPA focuses on the consumer.
Related guide: GDPR Compliance for Businesses: Step-by-Step Ultimate Guide
Applicability
GDPR applies to businesses that:
- Are incorporated in the EU, or
- Collect and/or process personal data of EU citizens.
So, it applies to all European businesses without exception, as well as to all businesses worldwide that get in touch with the personal data of at least one European individual.
It doesn’t discriminate based on the size of the business. It applies to every single business that meets these criteria, giant companies as well as small online stores and blogs.
CCPA, on the other hand, applies only to a limited number of businesses.
It applies only to for-profit businesses that collect or process personal information of consumers, do business in California, and meet at least one of the following thresholds:
- Has annual gross revenue of more than $25M
- Processes personal information of at least 50,000 California residents annually (the bar moves to 100,000 from 2023)
- Earns at least 50% of its annual revenue from selling consumers’ personal information.
Only a small number of companies meet these thresholds; for the rest, no US state privacy law applies. This also means that the users’, i.e. consumers’, personal information held by those businesses is not protected in any way.
The paradox is that a US citizen has a better chance of having their data protected by the GDPR (if dealing with an EU company) or a similar law than by the laws of the US states.
For example, if a California citizen interacts with a UK clothing store online, the UK GDPR applies. This Californian is protected by the UK GDPR because it applies to the UK company, but at the same time they are not protected by any US law.
If the very same user interacts online with a small California online clothing store, no law protects their personal information. US small businesses do not owe any data protection to US citizens until they meet one of the thresholds.
The legal basis for data processing and the concept of opt-in v. opt-out will give you a better picture of why this is important.
Opt-in vs. Opt-out
When the GDPR applies, the user decides how much of themselves they will uncover. When CCPA applies, the user is uncovered as soon as they arrive on the website and is shown a privacy notice.
The GDPR requires businesses to have a good reason and a legal basis to collect and process personal data. It clearly specifies what the possible legal bases are and if the business cannot use any of that, they must not collect personal data. Period.
That’s the concept of opt-in. Data can be collected from the user and processed only if the user opts in to the processing or there is some public interest in it.
Most often businesses rely on the user’s consent. If the user allows their data to be processed, businesses are good to go. If the user voluntarily enters into a contract, such as a purchase of a shirt from an online clothing store, then the user has to provide their data to have the shirt delivered home.
Related guide: Sneaky Ways Websites Interfere With Your Privacy Online
Public interest or the legitimate interests of the controller can be a legal basis as well, but they are an exception to the opt-in rule and are rarely used. In general, the business should not touch users’ data without some form of opt-in.
With CCPA it is different. Businesses are free to collect and process personal data as much as they want as long as they inform the user about that.
However, consumers have the right to opt out. They can request that businesses not sell their personal data or simply request deletion of their data. That would prevent the business from further processing or selling the data, but that’s about it.
That’s the concept of opt-out. Businesses are free to process data as long as the user does not oppose that.
It is important to note, though, that California and Nevada are the only US states that provide an opportunity to opt out. This opportunity is available only if the user is from either of these two states, or the business is from either of these two states and meets the applicable thresholds.
A user who lives in Michigan and interacts with a hotel in Florida is not protected whatsoever.
International Data Transfers
The differences between the European and the US models of data protection are also visible in the rules on international data transfers.
An international data transfer occurs when a piece of data moves from one country to another.
For example, when a US online store collects a German user’s email address and stores it in the US, it transfers the data of a German user from Germany to the US. If the US company uses the services of a Canadian email automation company, it further transfers the data to Canada.
When it comes to personal data protection, the EU gives weight to human rights and the US to homeland security.
The GDPR prevents companies from transferring data to countries or organizations that do not provide protection equivalent to that of EU law itself. Businesses can transfer the data only to countries deemed adequate, or they have to use transfer tools, such as standard contractual clauses or the user’s consent.
Related guide: How to Transfer Data to the US in Compliance with the GDPR
The US, on the other hand, does not prevent any business from transferring data worldwide. If an incident occurs, the business will be held responsible. But if nothing happens, no one cares.
But that’s not all. According to the Foreign Intelligence Surveillance Act (FISA) 1978 and the Clarifying Overseas Use of Data Act (CLOUD Act) 2018, the US government can obtain the personal data of any person whose data is stored in the US or by a US company anywhere in the world.
Basically, this even means that the US government can access the data of a German citizen stored by a German company on AWS servers, since AWS is a US company and is obliged to give the government access to the data.
That’s why the CJEU annulled the Privacy Shield with the Schrems II decision and made data transfers to the US very complicated.
The EU and the US are still looking for a solution, but this important difference stands in their way.
Data Breach Rules
GDPR and CCPA differ in data breach rules as well.
The GDPR requires controllers and processors to implement technical and organizational measures to ensure data security. If a breach occurs anyway, they have to inform the data protection authority in most cases and, in many cases, the data subjects, i.e. the users.
Data breach rules are part of the law that ensures comprehensive data protection.
Related guide: How to Complain to the Data Protection Authority When Your Rights Have Been Violated
The CCPA, on the other hand, has no provisions on data breaches.
Most of the US states have no data protection laws yet, but many of them have data breach laws. While personal information is being protected through consumer laws, data breaches are regulated by separate laws.
Enforcement
The GDPR and the CCPA approach enforcement differently.
The GDPR and similar laws establish a government agency for enforcement of the respective law. Each country has its own agency that enforces the law in relation to the users and companies from that country.
When a user thinks their data privacy rights have been violated, they can complain to the relevant agency, which will investigate the case. If the business is responsible for the violation, it will pay a fine.
Related guide: GDPR Fines List
If the user has suffered damages due to the violation, they can proceed to the court to get damages compensation. If the agency finds that there has been no violation of the GDPR, the user can still go to court and seek justice.
Things are not so simple across the Atlantic. In California, users can initiate a lawsuit only in the case of a data breach or a lack of security measures.
But, in any other case, consumers are left to the initiative of the Attorney General. Since the Attorney General cannot know about all the CCPA violations, any consumer can reach out to them and they will investigate. If the investigation shows a violation, the Attorney General will give a 30-day notice to the business to cure the violation.
If the business complies, nothing happens further. If they don’t, they will be fined.
Comparing the two solutions, it is clear that the CCPA does not offer as much opportunity to seek justice as the GDPR does.
Moreover, many things are left in the hands of the Attorney General, who has many responsibilities other than consumer protection to take care of. This is going to change in 2023 when the CPRA, widely known as CCPA 2.0, comes into force. It will establish a dedicated enforcement agency for data privacy for the very first time in US legislative history.
Aside from granting non-comprehensive data protection, the CCPA is not as easy to enforce in the case of a violation by a business.
The GDPR obliged every EU country to establish a dedicated and well-equipped data protection agency to address the violations. Although it still seems impossible to make all businesses respect the law, the GDPR does a much better job with enforcement.
Data Subject Rights
Finally, both approaches lead to different data subject rights.
There is no other data privacy law worldwide that grants more rights than the GDPR. Even those that mimic the GDPR sometimes guarantee fewer rights.
Related guide: The Ultimate Guide to Data Subject Rights Under the GDPR
The CCPA, however, is even more limited in that area. It has provided a significant improvement compared with the era of no data protection laws in the US, but it does not provide as many rights to consumers yet.
To give you an idea of how the CCPA and the GDPR compare in terms of data subject rights, the comparison table covers, among others, the rights to:
- Not be subject to automated decision making
- Opt out of the sale of personal data
- Opt in after opting out
In Europe, people have a number of data subject rights. In the US, they can only know about and access their data, and then opt out or delete it. In the meantime, the controller can process the data freely and consumers have no way to intervene, apart from deletion and opting out.
There is one more trend actually – not having a data protection law at all. India and Indonesia are the world’s largest economies without such a law.
They are in the process of introducing a comprehensive data privacy law, though, following the example of the GDPR.
At the same time, the US states passing new privacy laws remain similar to the CCPA, making it obvious that the world is headed in one direction, and the US in another.