GDPR vs. CCPA: Crucial Differences You Need To Know
The wave of new privacy regulations is creating a complicated compliance environment that many organizations are struggling to keep up with.
Not to worry! WireWheel is here to explain the differences between these related policies so you can stay compliant and get on with business.
A Refresher on CCPA, GDPR, and DSAR
General Data Protection Regulation (GDPR) is the European Union's data protection law. It replaced the 1995 Data Protection Directive, has applied since 25 May 2018, and sets out the restrictions and responsibilities that govern how organizations handle personal data.
California Consumer Privacy Act (CCPA) is legislation passed by the state of California in 2018 and in effect since January 1, 2020.
Data Subject Access Request (DSAR) is the term associated with GDPR for a request in which an individual exercises their right of access; it carries a specific set of rights and obligations, but it has since taken on the more general meaning of any request to exercise privacy rights. It is often used interchangeably with individual rights request (IRR), verifiable consumer request (VCR, the CCPA term), and subject rights request (SRR). Both CCPA and GDPR impose requirements around such requests, but your GDPR DSAR process needs to differ from your CCPA DSAR process.
For more information about CCPA and GDPR, you can check out our articles that go more in-depth into each one:
- Privacy Laws Comparison Table: compare CCPA and GDPR requirements side-by-side
- The Ultimate Guide to DSAR
- What is CCPA?
GDPR vs. CCPA
To estimate what it will take to prepare for CCPA, consider the experience many organizations had with GDPR. When GDPR came into force it was the biggest change in EU data protection law in more than 20 years. For many businesses, GDPR was the first time they had documented and categorized where all their data resided and how it was processed. Preparation meant sorting through paperwork, tracking down contracts, classifying data, and recording information manually. Reaching readiness took companies many months, sometimes years, and because compliance is ongoing it continues to demand resources.
Preparing for GDPR has been costly. For an FTSE 100 firm, costs averaged $19 million. Across businesses of different sizes, costs averaged $380-$505 per employee.
Not updating and tailoring data privacy operations built for GDPR to meet CCPA might cause you to miss nuanced differences in the relevant requirements. It could also mean "over-complying" by giving consumers a much wider scope of information than is required.
Let's Review the Most Important Similarities and Differences Between the Two Laws on DSAR
Scope: Who Is Protected and What Is Covered
GDPR protects individuals in the EU. It applies to organizations established in the EU regardless of where the processing takes place, and to organizations outside the EU that offer goods or services (paid or free) to individuals in the EU or monitor their behaviour there.
It covers "processing" of personal data, defined to include any operation performed on personal data, from collection onward.
CCPA protects consumers who are natural persons resident in California, and its definition of personal information extends to households.
It covers the collection and processing of personal information (PI) as well as its sale.
Scope: What Counts as Personal Data
GDPR addresses personal data, defined as any information relating to an identified or identifiable natural person (the data subject), including publicly available data.
It does not apply to anonymized data, i.e. data from which the individual can no longer be identified.
CCPA addresses information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Unlike GDPR, it excludes "publicly available" information as the statute defines it.
It does not apply to de-identified data (data that cannot reasonably be linked with a consumer or household) or to aggregate consumer information that cannot be linked to a consumer or household.
Right to Erasure/Deletion
GDPR's erasure right applies to all personal data concerning the data subject, whatever its source.
Under GDPR, individuals have the right to erasure of their personal data (the "right to be forgotten", Art. 17). Controllers must erase a data subject's personal data without undue delay if:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The data subject withdraws the consent on which the processing is based and no other legal ground for the processing exists.
- The data subject objects under Art. 21(1) and there are no overriding legitimate grounds for the processing, or objects to direct marketing under Art. 21(2).
- The personal data have been unlawfully processed.
- The personal data must be erased to comply with a legal obligation in EU or Member State law to which the controller is subject.
- The personal data were collected in relation to the offer of information society services to a child under Art. 8(1).
Processors do not decide on erasure themselves; they act on the controller's documented instructions, so the controller's deletion process has to reach every processor that holds the data.
Controllers do not need to erase personal data if the processing is necessary:
- For exercising the right of freedom of expression and information.
- For compliance with an EU or Member State legal obligation, or for performing a task carried out in the public interest or in the exercise of official authority.
- For reasons of public interest in the area of public health under Art. 9(2)(h) and (i) and 9(3).
- For archiving in the public interest, scientific or historical research, or statistical purposes under Art. 89(1), where erasure would render that processing impossible or seriously impair it.
- For the establishment, exercise or defence of legal claims.
The CCPA's deletion right applies only to PI the business collected from the consumer (not to data about the consumer obtained from third-party sources). A business that deletes must also direct its service providers to delete the same PI.
Under CCPA, consumers have the right to deletion of their PI, except when it is necessary for the business or its service provider to:
- Complete the transaction for which the PI was collected, provide a good or service the consumer requested, or otherwise perform a contract with the consumer.
- Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
- Debug to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act.
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest, where deletion would likely render the research impossible or seriously impair it and the consumer has given informed consent.
- Enable solely internal uses reasonably aligned with the consumer's expectations based on their relationship with the business.
- Comply with a legal obligation.
- Otherwise use the consumer's PI internally, in a lawful manner compatible with the context in which the consumer provided it.
Right to Access/Disclosure
Under GDPR, controllers must inform data subjects of the existence of their rights at the time personal data are obtained (Art. 13 and 14).
Data subjects have the right to obtain confirmation that their personal data are being processed and to access that data (Art. 15).
Controllers must be able to recognize an access request in whatever form it arrives. They must provide a copy of the personal data undergoing processing, together with the purposes, categories, recipients, retention period and source of the data. The response is due within one month of receipt, extendable by two further months for complex or numerous requests if the data subject is told of the extension within the first month (Art. 12(3)).
Where the request was made by electronic means, and unless otherwise requested by the data subject, the information should be provided in a commonly used electronic form.
In certain circumstances (processing based on consent or on a contract and carried out by automated means), a data subject has the additional right to data portability (Art. 20):
- to receive a copy of their personal data in a structured, commonly used, machine-readable format; and
- to transmit the data to another controller without hindrance from the original controller, including having the data transmitted directly from the first controller to the second where technically feasible.
A related erasure obligation: if the controller has made the personal data public and then receives an erasure request, it must take reasonable steps to inform other controllers processing the data of the request (Art. 17(2)), and must tell the data subject which recipients it has informed if asked (Art. 19).
Under CCPA, businesses must inform consumers, at or before the point of collection, of the categories of PI to be collected and the purposes for which each category will be used.
Consumers have the right to know what PI the business collects about them, the sources it comes from, the business or commercial purposes for collecting or selling it, the categories of third parties with whom it is shared, and the specific pieces of PI collected.
Businesses must respond within 45 days of receipt of a verifiable consumer request. They may take one 45-day extension when reasonably necessary, provided they notify the consumer within the first 45-day period.
The disclosure must cover the 12-month period preceding the request.
Disclosures must be delivered by mail or electronically. If delivered electronically, the information must be portable and, to the extent technically feasible, in a readily usable format that lets the consumer transmit it to another entity without hindrance.
How WireWheel Can Help
Whether you’re working to meet CCPA, GDPR, and DSAR requirements or any other privacy mandate now or in the future, building your privacy operations on these four pillars gives you the visibility and control you need to be successful.