The GDPR, which went into effect on 25 May 2018, is one of the most comprehensive data protection laws in the world to date.
The CCPA took effect on 1 January 2020 and is considered to be one of the most significant legislative privacy developments in the US.
The two laws are similar in their definitions of certain terminology, the establishment of additional protections for individuals, and the inclusion of rights to access and delete personal information.
However, the CCPA differs from the GDPR in some significant ways, particularly with regard to the scope of application; the nature and extent of collection limitations; and rules concerning accountability.
For example, the GDPR provides for obligations in relation to the appointment of Data Protection Officers, the maintenance of a register of processing activities, and the need for Data Protection Impact Assessments in specified circumstances. Conversely, the CCPA does not specifically focus on accountability-related obligations, even though some such provisions exist, such as the obligation for companies to train staff who deal with requests from consumers.
It is also noteworthy that the core legal framework of the CCPA is quite different from the GDPR. A fundamental principle of the GDPR is the requirement to have a “legal basis” for all processing of personal data. That is not the case for the CCPA.
In addition, the CCPA excludes from its scope the processing of some categories of personal information altogether, such as medical data covered by other U.S. legal frameworks, including processing of personal information for clinical trials, and personal information processed by credit reporting agencies. Moreover, the CCPA focuses on transparency obligations and on provisions that limit selling of personal information, requiring a “Do Not Sell My Personal Information” link to be included by businesses on their website.
The GDPR applies to organizations that do not have any presence in the EU but that offer goods or services to, or monitor the behaviour of, persons in the EU. The CCPA applies to organizations “doing business in California.” Under the GDPR, organisations that don’t have an EU presence must appoint an EU Representative under Article 27 of the GDPR. But how many of you know what an EU Representative does for you? Our website should provide some insight for you.
