
CCPA vs GDPR

The GDPR and the CCPA are two of the most comprehensive data protection laws in the world to date and represent some of the most significant legislative privacy developments globally. The two laws bear similarity in relation to their definition of certain terminology; however, the CCPA differs from the GDPR in some significant ways. Here Gail Chalmin takes a closer look...

Data protection is key in both territories, yet there are both similarities and notable differences.

The GDPR, which went into effect on 25 May 2018, is one of the most comprehensive data protection laws in the world to date.

The CCPA took effect on 1 January 2020 and is considered to be one of the most significant legislative privacy developments in the US.

The two laws bear similarity in relation to their definition of certain terminology, the establishment of additional protections for individuals, and the inclusion of rights to access and delete personal information.

However, the CCPA differs from the GDPR in some significant ways, particularly with regard to the scope of application; the nature and extent of collection limitations; and rules concerning accountability.

For example, the GDPR provides for obligations in relation to the appointment of Data Protection Officers, the maintenance of a register of processing activities, and the need for Data Protection Impact Assessments in specified circumstances. Conversely, the CCPA does not specifically focus on accountability-related obligations, even though some such provisions exist, such as the obligation for businesses to train the staff who deal with requests from consumers.

It is also noteworthy that the core legal framework of the CCPA is quite different from the GDPR. A fundamental principle of the GDPR is the requirement to have a “legal basis” for all processing of personal data. That is not the case for the CCPA.

In addition, the CCPA excludes from its scope the processing of some categories of personal information altogether, such as medical data covered by other U.S. legal frameworks, including processing of personal information for clinical trials, and personal information processed by credit reporting agencies. Moreover, the CCPA focuses on transparency obligations and on provisions that limit selling of personal information, requiring a “Do Not Sell My Personal Information” link to be included by businesses on their website.

The CCPA applies to organizations “doing business in California”.

The GDPR applies to all processing of personal data in the EU and to transfers of personal data from the EU, but it also applies to organisations that have no presence or data processing operations in the EU yet offer goods or services into the EU or monitor the behaviour of persons in the EU.

Where an organisation does not have a presence in the EU, or data processing operations in the EU, but is still subject to the GDPR, that organisation is required to appoint an “EU Representative” under Article 27 of the GDPR. An organisation not having such an EU Representative is the most obvious sign to EU regulators of non-compliance with the GDPR. EU REP offers compliance with this provision for a very low, cost-effective fee.