Contact us Today!

A DSAR Comparison Between GDPR and CCPA

Data subject access requests (DSARs) will need to be fulfilled under GDPR and CCPA starting in 2020. In order to assist organizations operating under both the new California Consumer Privacy Act and the European Union’s General Data Protection Regulation, we have put together this handy guide to the differences between the key data subject access rights under the two privacy laws.

Before diving into the specifics of the right to delete, the right to data portability and the right to be forgotten, there are a few preliminary issues that apply across the different DSAR types:

What identity verification is needed?

GDPR: Recital 64 provides that the controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. Additionally, it is generally accepted that verification should not involve more sensitive information than is involved in the request and any verificaton procedure should not be unduly burdensome.

California: The AG has been tasked with establishing rules and procedures to govern the determination that a request is a verifiable consumer request. The first draft of these regulations is expected in Fall 2019. It is expected that a request submitted through a password-protected account maintained by the customer with the business will be considered a verifiable consumer request.


Third-Party Authorization to exercise rights?

GDPR: The ICO has said that the GDPR does not prevent an individual from making a subject access request via a third party. According to the ICO, it is the responsibility of the third party to establish authority to act on the data subject’s behalf. The information may also be sent directly to the data subject if the individual may not understand what information would be disclosed to the third party.

California: Permits a natural person or a person registered with the Secretary of State authorized by the consumer to act on their behalf.

Timing for Compliance?

GDPR: The ICO says within one calendar month. An extension of two months is permitted if the request is complex.

California: Within 45 days. An extension is permitted of up to 90 days where necessary.


What must be provided?

GDPR: The information that must be provided includes (1) whether processing happened; (2) the categories of personal data processed; (3) the recipient of any disclosures; (4) the data retention period; (5) the right to correct or erase data as well as object or restrict processing; (6) the right to complain to the supervisory authority; (7) the source of information not collected from the data subject; (8) meaningful information about automated decision-making; (9) for data transfers between countries, the appropriate safeguards; and (10) a copy of the data processed.

California: Must disclose (1) categories of personal information collected; (2) categories of sources; (3) business or commercial purposes for collecting or selling the information; (4) categories of third parties with whom the the business shares personal information; and (5) the specific pieces of information collected. Businesses must also disclose the categories of personal information sold and the categories of third parties to whom personal information was sold, by the categories of personal information for each third party.


What needs to be provided?

GDPR: All information provided by the data subject to the controller where the processing was carried out by automated means and the lawful basis for processing is based on either consent or a contract.

California: All right to access responses provided electronically

What is Involved?

GDPR: Structured, commonly used and machine readable format

California: portable format.

Transfers to third parties?

GDPR: Must be allowed to transfer without hindrance. Right to have the personal data transmitted directly to another controller where technically feasible.

California: To the extent technically feasible, provided in a readily useable format that the consumer can transmit to another entity without hindrance.


What information must be deleted?

GDPR: Any personal data covered by one of the six grounds for erasure and not covered by one of the five exemptions

California: Any personal information covered by the law and not covered by an exemption.

What are the general exemptions/qualifications on what is included/excluded?

GDPR: The requests are limited to personal data. It only applies to personal data (1) no longer necessary for the purpose collected or processed; (2) where consent has been withdrawn; (3) it is an Article 21(1) or (2) objection; (4) unlawful processing of personal data; and (5) the collection relates to the Article 8(1) offer of information society services. Exemptions include processing necessary for (1) exercising the right of freedom of expression and information; (2) compliance with a legal obligation; (3) public interest in public health; (4) archiving of certain public interest, scientific or historical research; and (5) establishment, exercise or defence of legal claims.

California: The requests are limited to personal information. There is no right as to information not covered by the law – such as HIPAA or GLB Act information. The exemptions for rejecting the deletion request include (1) completion of the transaction; (2) security; (3) debugging; (4) exercise of free speech; (5) California Electronic Communications Privacy Act compliance; (6) certain scientific, historical, or statistical research in the public interest; (7) certain solely internal uses; (8) compliance with a legal obligation; and (9) certain other internal, lawful uses.

We hope this comparison of the data subject access requests between GDPR and CCPA proves helpful.