Comparison: CCPA vs. GDPR
The California Consumer Privacy Act (CCPA, abbreviated CaCPA throughout this post) is the first major privacy legislation to follow implementation of the European Union General Data Protection Regulation (GDPR). Enforcement of the GDPR began in May 2018, two years after its adoption in April 2016. The CaCPA was signed into law at the end of June 2018. It goes into effect on January 1, 2020, with enforcement beginning six months after the California Attorney General issues the final regulations, but no later than July 1, 2020.
How does the California Consumer Privacy Act compare to GDPR?
The CaCPA is roughly a fifth of the size of the GDPR, coming in at under 11,000 words compared to the more than 55,000 words in Europe’s new privacy law, so it simply covers far less ground. Many businesses that have just completed their GDPR preparations are now asking what additional changes the California Consumer Privacy Act will require, and with the text of both laws in hand that question can be answered. Below we look at a few key differences between the CaCPA and the GDPR:
Subject Access Rights
Let’s look first at the right to access, right to correction, right to be forgotten and the right to data portability. These are the four major subject access rights in the GDPR.
Right to Access and Delete
The Right to Access and the Right to Delete are contained in both the CaCPA and the GDPR, although there are a few notable differences. For example:
Timing for Response: California initially gives a business 45 days to respond to a verified consumer request under the new privacy law (extendable once by a further 45 days where reasonably necessary). The initial time period to respond to a request under the GDPR is one calendar month (extendable by two further months for complex or numerous requests).
Lookback Period: In California, the right to access is limited to the 12 months preceding the business’s receipt of the verified request. The GDPR provides no such limitation.
Right to Rectification
The CaCPA does not address the problem of inaccurate information. The only option for a consumer faced with bad data is to request that their personal information be deleted. The California law provides the “right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” If the word “any” is interpreted to mean that people can request the deletion of some of their information rather than all of it, then individuals can simply request deletion of the incorrect records. If, however, the language is interpreted to mean only that the individual can request deletion of all of their data, then it will not serve as an effective substitute for a right to rectification.
Right to Data Portability
The CaCPA requires businesses to provide some information to consumers in a portable format. Section 1798.100(d) says that the response to a consumer’s request to access their personal information must be portable if the business provides the information electronically. To the extent technically feasible, it must also be in a readily useable format that allows the consumer to transmit it to another entity without hindrance. If the information is delivered by mail, the law does not require it to be portable.
Do businesses have the option of providing all information by mail and avoiding the data portability requirement? No. The law says that disclosures are to be delivered through the consumer’s account with the business, if the consumer maintains one. For most online commerce today that account is online, so the information from a right to access request would have to be delivered electronically and therefore in a portable manner. If the consumer does not have an account, the consumer may choose to receive their information either by mail or electronically.
Worth Noting: Section 1798.130(a)(2) appears to contradict Section 1798.100(d) by imposing the readily useable, transmittable format requirement on disclosures generally, including those delivered by mail. This will ultimately need to be clarified by either the California legislature or the Attorney General.
For the GDPR right to data portability (Article 20) to apply, two conditions must both hold: the processing must be based on either consent or a contract to which the data subject is a party, and the processing must be carried out by automated means. The CaCPA, on the other hand, applies the portability requirement whenever the personal information responding to a right to access request is provided electronically, regardless of the legal basis for the processing.
Transparency
Both the GDPR and the CaCPA are built on the principle of increased transparency from businesses about their privacy practices. The GDPR specifies certain information that must be provided to data subjects (Articles 13 and 14) and requires all businesses to be transparent in their data processing. The CaCPA sets forth certain information that must be provided, chiefly in the business’s privacy policy, and authorizes the California Attorney General to adopt additional rules, procedures and exceptions to ensure that these disclosures are easily understood by the average consumer.
Security
GDPR Article 32 requires controllers and processors to implement appropriate technical and organizational security measures. The CaCPA does not mention security other than to provide consumers with a private right of action for the unauthorized access and exfiltration, theft or disclosure of their nonencrypted or nonredacted personal information that results from a business’s failure to implement and maintain reasonable security procedures and practices (the existing duty under California Civil Code Section 1798.81.5). Under that provision a consumer may recover statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater, which is a strong practical incentive to encrypt stored personal information even though the law never prescribes specific controls.
Processors vs. Service Providers
Article 28 of the GDPR requires controllers to execute a written contract, meeting certain mandatory terms, with any processor handling personal data on their behalf. A processor is any natural person or organization that processes personal data on behalf of the controller. At a high level, the purpose of the agreement is to ensure that the processor acts only on the documented instructions of the controller.
The CaCPA, on the other hand, only requires a written agreement with a third party if the business wants to take the transfer of personal information to that third party outside the definition of a sale of personal information. To qualify as a service provider, the recipient must process the information on the business’s behalf under a written contract that prohibits it from retaining, using or disclosing the information for any purpose other than performing the contracted services. If the service provider exception is met, the business can continue sharing information with that provider even after the California resident has opted out of the sale of their personal information.
Other Important Requirements Contained in GDPR but not CaCPA
Privacy by design and privacy by default (Article 25)
Requirement for non-EU companies to designate a representative in the EU (Article 27)
Data protection impact assessments (Article 35)
72-hour breach notification to the supervisory authority (Article 33); California relies on its separate, pre-existing breach notification statute instead
Data protection officer requirement (Article 37)
Restrictions on transfers of personal data to other countries (Chapter V)
Learn more about California’s new law:
Overview of the California Consumer Privacy Act
Right to Opt Out
Right to Access
Right to Delete
Opt In Consent for Kids
Effective Date for Compliance
Application to non-CA Businesses
Do Not Sell My Personal Information Link
Financial Incentives for Information Sharing
Deidentified and Aggregate Consumer Information
Government Fines and Consumer Damages
Text of AB-375
Blog Posts on the Privacy Law:
Will California’s Privacy Law Extend to the Rest of the Country?
Big Day for California Privacy Law
California to Pass New Privacy Law
California Consumer Privacy Act Expected on November Ballot