July 27, 2020
Personal privacy, and businesses' access to it, is being seen more and more as a basic human right in the digital era. Both CCPA and GDPR are four-letter acronyms that protect it.
The California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) are pieces of legislation that focus on privacy being a human right, given that personal information is increasingly being monetized in an economy powered by demographic and psychographic data points.
A key element that makes the CCPA different from the GDPR is that the latter operates on prior consent before data collection while the former is geared toward giving the right to opt out of data collection after the fact.
There's more to it than that, obviously, but let's start with a clear definition of each.
(Editorial note: This is by no means an exhaustive overview of either CCPA or GDPR, nor is it in any way legal advice for any business.)
What is the CCPA?
The CCPA was born on the West Coast of the United States of America, specifically California. Only residents in California benefit from the CCPA, but other states in the U.S. are joining the charge for data protection.
According to the State of California Department of Justice, the CCPA gives consumers control over their personal information, securing four rights that allow them to...
- Know what personal information is collected about them
- Delete personal information collected about them
- Opt-out of the sale of information collected about them
- Not be discriminated against for exercising these rights.
The CCPA gives Californians the ability to ask businesses what information they've collected about them and what they've done with that information.
"Personal information does not include publicly available information that is from federal, state, or local government records, such as professional licenses and public real estate/property records," according to the State of California Department of Justice.
If you are a business curious on whether or not CCPA affects you and your data collection check out our blog on "Who Must Comply With The CCPA?"
What is the GDPR?
The GDPR was created by the European Parliament and the Council of the European Union. Europe's data privacy regulation is binding for all 27 member states of the European Union.
It's not a new legal concept in Europe, however. The right to privacy can be found in Article 8 of the European Convention on Human Rights, presented in 1950: "Everyone has the right to respect for his private and family life, his home and his correspondence."
Like the CCPA, the GDPR applies to businesses who process the personal data of EU citizens or residents and to businesses that offer goods or services to citizens or residents.
According to the EU, there are eight privacy rights applicable to data subjects:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
How are CCPA and GDPR different?
The differences between the two at first seem to be geographic origin, but it clearly goes deeper.
Processing private information of Europeans requires adherence to Chapter II, Article 6 of the GDPR, which requires that one of six criteria apply, the first and foremost being that the data subject has given consent to processing of personal information. This is often the reason for the pop-up window showing that cookies will be tracked on a site.
The CCPA does not operate in that way. Instead, it calls for businesses to transparently communicate the fact they're collecting and processing personal information, and subsequently offer the option to opt out. The only consent required in the CCPA for data collection is when financial incentives are offered based on the personal information provided.
Both include the right to erasure, allowing for the data subject to request that their data be deleted, with certain exceptions. However, the right to erasure is waived in the GDPR when consent is withdrawn
DataGuidance and Future of Privacy Forum spell out the differences and similarities between the two personal privacy laws.
On page 31 of their comparison of the two similar pieces of legislation, they call to attention an important distinction in language:
Processing versus selling.
The GDPR provides the right to object to the processing of their personal information. The CCPA provides the right to opt-out of the sale of their personal information — outside of that, but within the bounds of the law, businesses can still use their personal information.
The CCPA requires that businesses must have a link on their homepage labeled "Do Not Sell My Personal Information," whereas the GDPR doesn't have specific, required language.
In the CCPA, another distinction is that the right to access the information businesses have about a consumer only applies to personal information collected in the 12 months prior to the request.
Naturally, there are other differences between the two and this is in no way an exhaustive list of every difference. Each is worth reading if you want to learn the exact details, whether you're a business or consumer.