Comparing CCPA, CDPA, GDPR: Similarities and Differences
Many new state privacy laws are being introduced or entering enforcement, creating a complicated compliance environment that many organizations are struggling to navigate.
Privacy laws in effect and coming into effect include the European Union’s GDPR, California’s CCPA and CPRA, and Virginia’s CDPA. Here’s the information you need to know to stay compliant and get back to business.
A Refresher on CCPA, CDPA, GDPR, and DSAR
Before we outline the requirements for each regulation, let’s define some terms:
General Data Protection Regulation (GDPR): the governing privacy law in the European Union, one of the largest economies in the world. It is built on the principles of notice, choice and consent, privacy rights, third-party accountability, auditing and security. Specifically, GDPR defines the conditions under which organizations may lawfully collect, use, store and protect personal information. GDPR has influenced many other privacy laws around the world.
California Consumer Privacy Act (CCPA): privacy legislation passed by the state of California and in some respects modeled after GDPR.
Virginia Consumer Data Protection Act (CDPA): privacy legislation passed by the state of Virginia and in some respects modeled after GDPR and CCPA.
Data Subject Access Requests (DSAR): a term that originates with GDPR and its specific set of data privacy rights and obligations. DSARs are also referred to as Individual Rights Requests (IRR) or Subject Rights Requests (SRR). CCPA, CDPA, and GDPR each define privacy rights, but the rights differ slightly, so your process for receiving and honoring DSARs needs to be set up differently for each of these laws (and for any future ones).
The US economy is large enough, and its influence strong enough, to establish an approach to privacy that can compete with the GDPR. Although there is no comprehensive US privacy law at the federal level, the CPRA and the CDPA may provide an early look at a developing US consensus on privacy.
CCPA is already in force; the CPRA (an amendment to the CCPA) and the CDPA come into effect on January 1, 2023. The US state laws focus on protecting personal information not already covered by existing sectoral laws. Although the US laws state or imply some privacy principles, their narrower focus makes them feel more pragmatic than the GDPR.
For more information about CCPA, CDPA and GDPR, see our articles that go into more depth on each one:
Preparing for Compliance
To estimate what it will take you to prepare for CCPA/CPRA and CDPA, consider the experience many organizations had with GDPR. When GDPR came into force it was the biggest change in EU data protection law in 25 years. For many businesses, GDPR was the first time they had documented and categorized where all of their data resided and how it was processed. Preparation meant sorting through paperwork, tracking down contracts, classifying data, and recording information manually. Companies took many months or even years to become ready for GDPR, and because compliance is ongoing, it continues to demand resources.
Preparing for GDPR was costly. For a FTSE 100 (Financial Times Stock Exchange 100) firm, costs averaged $19 million. Across businesses of different sizes, costs averaged $380-$505 per employee.
Failing to update and tailor data privacy operations built for GDPR to meet CCPA/CPRA and CDPA might cause you to miss nuanced differences in the relevant requirements. It could also mean "over-complying" by giving consumers a much wider scope of information than is required.
Let’s Review the Most Important Similarities and Differences Between These Three Laws
(ii) The threshold marked * above is replaced with "buys, sells or shares personal information of 100,000 or more California residents or households".
(iii) The threshold marked * above is replaced with "derives 50% or more of annual revenue from selling or sharing California personal information".
Covered Personal Information
The CDPA and the CPRA exempt personal information already covered by existing sectoral laws, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Fair Credit Reporting Act (FCRA). GDPR makes no such exemptions.
Private Right of Action
Penalties and Damages
Data Protection Impact Assessments
Anonymous, De-identified, Pseudonymous, or Aggregated Data
Privacy Notice Requirements