
Comparing CCPA, CDPA, GDPR: Similarities and Differences

Apr 29, 2021 | CCPA & CPRA, Regulations


Written by Rick Buck, Chief Privacy Officer, WireWheel

CCPA, CDPA, GDPR Similarities and Differences

Many new state privacy regulations are being introduced or coming into enforcement and are creating a complicated compliance environment that many organizations are having trouble reckoning with.

Privacy laws in effect and coming into effect include the European Union’s GDPR, California’s CCPA and CPRA, and Virginia’s CDPA. Here’s the information you need to know to stay compliant and get back to business.

A Refresher on CCPA, CDPA, GDPR, and DSAR

Before we outline the requirements for each regulation, let’s define some terms:

General Data Protection Regulation (GDPR): the governing privacy law in the European Union, one of the largest economies in the world. It is built on the principles of notice, choice and consent, privacy rights, third-party accountability, auditing and security. Specifically, GDPR defines how companies may lawfully collect, use, store and protect personal information. GDPR has influenced many other privacy laws around the world.

California Consumer Privacy Act (CCPA): privacy legislation passed by the state of California and in some respects modeled after GDPR.

Virginia Consumer Data Protection Act (CDPA): privacy legislation passed by the state of Virginia and in some respects modeled after GDPR and CCPA.

Data Subject Access Requests (DSAR): a term defined by GDPR for its specific set of data privacy rights and obligations. DSARs are often referred to as Individual Rights Requests (IRR) or Subject Rights Requests (SRR). While CCPA, CDPA, and GDPR each define privacy rights, those rights differ slightly, and your process to accommodate and honor DSARs needs to be set up differently for each of these laws (and any future ones).

The US economy is large enough, and its influence is strong enough, to establish an approach to privacy that can compete with the GDPR. Although there is no US privacy law at the federal level, the CPRA and the CDPA may provide an early look at this developing US consensus on privacy.

CCPA is already in effect; the CPRA (an amendment to CCPA) and the CDPA come into effect on January 1, 2023. The US state laws focus on protecting personal information not covered by existing sectoral laws. Although the US laws state or imply some privacy principles, their more focused approach makes them feel more pragmatic than the GDPR.

For more information about CCPA, CDPA and GDPR, you can check out our articles that go more in-depth into each one:

Preparing for Compliance

To estimate what it will take you to prepare for CCPA/CPRA and CDPA, consider the experience many organizations had with GDPR. When GDPR came into force it was the biggest change in EU data protection laws in 25 years. For many businesses, GDPR was the first time they had documented and categorized where all data resided and how it was processed. Preparation meant sorting through paperwork, tracking down contracts, classifying data, and recording information manually. GDPR took companies many months or years to be ready and continues to demand resources as compliance is ongoing.

Preparing for GDPR was costly. For a Financial Times Stock Exchange 100 firm, costs averaged $19 million. Across different sized businesses, costs averaged $380-$505 per employee.

Not updating and tailoring data privacy operations built for GDPR to meet CCPA/CPRA and CDPA might cause you to miss nuanced differences in the relevant requirements. It could also mean “over-complying” by giving consumers a much wider scope of information than is required.


Let’s Review the Most Important Similarities and Differences Between These Three Laws

Effective Date

CCPA

* Effective 1/1/23 Under CPRA

January 1, 2020

* January 1, 2023

CDPA
July 31, 2022
GDPR
May 25, 2018

Applicability

CCPA

* Effective 1/1/23 Under CPRA

Who does CCPA apply to?

For-profit entities that collect personal information from California residents and meet any of the following thresholds:

  (i) At least $25 million in gross annual revenue
  (ii) Buys, sells or receives personal information about at least 50,000 CA consumers, households or devices for commercial purposes, or
  (iii) Derives more than 50% of its annual revenue from the sale of personal information

* (ii) above is replaced with “buys, sells or shares personal information of 100,000 or more California residents or households”

* (iii) above is replaced with “derives 50% or more of annual revenue from selling or sharing California personal information.”

CDPA

Who does CDPA apply to?

For-profit entities that conduct business in Virginia or offer products or services targeted to residents in Virginia and

  • Control or process the data of at least 100,000 consumers or
  • Control or process the data of at least 25,000 consumers and derive more than 50% of revenue from the sale of personal data.
GDPR

Who does GDPR apply to?

Data controllers and data processors:

  • Established in the EU that process personal data in the context of activities of the EU establishment, regardless of whether the data processing takes place within the EU.
  • Not established in the EU that process EU data subjects’ personal data in connection with offering goods or services in the EU or monitoring their behavior.

Covered Personal Information

The CDPA and the CPRA exempt personal information covered by existing sectoral laws including Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and The Fair Credit Reporting Act (FCRA). GDPR does not make these exemptions.

CCPA

* Effective 1/1/23 Under CPRA

What is personal information under the CCPA?

Information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.

CDPA

What information does CDPA cover?

Any information that is linked or reasonably associated with an identified or identifiable natural person; this also includes households.

GDPR

What information does GDPR cover?

Personal data is any information relating to an identified or identifiable data subject.

The GDPR prohibits the processing of defined special categories of personal data unless a lawful justification for processing applies.

Consumer Rights

CCPA

* Effective 1/1/23 Under CPRA

CCPA rights include:

  • Know and access
  • Deletion
  • Opt out of sale (more broadly defined as the exchange of personal information for monetary or other valuable consideration)
  • Nondiscrimination
  • Data portability
  • * Rectification and correction
  • * Opt out of sharing for cross-context behavioral advertising
  • * Limit use and disclosure of sensitive personal information
  • * Opt out of the use of automated decision-making
CDPA

CDPA rights include:

  • Know, access and confirm
  • Deletion
  • Opt out of sale (defined as the exchange of personal data for monetary consideration)
  • Opt out of processing for targeted advertising
  • Opt out of profiling
  • Nondiscrimination
  • Data portability
  • Rectification/correction
GDPR

GDPR rights include:

  • Information
  • Access
  • Rectification
  • Erasure
  • Restriction of Processing
  • Data Portability
  • Objection
  • Avoid Automated Decision-Making

Cure Period

CCPA

* Effective 1/1/23 Under CPRA

30 days

* CPRA removes the CCPA 30-day cure period and gives the Agency discretionary power to provide the business with a time period to cure

CDPA
None
GDPR
None

Enforcement

CCPA

* Effective 1/1/23 Under CPRA

Enforced by the Attorney General

* Creation of new California Privacy Protection Agency (Agency) for enforcement, rulemaking and guidance

CDPA
Enforced by the Attorney General
GDPR

Enforced by

  • the European Data Protection Board
  • Binding decision-making by the Data Protection Authorities of the member states

Private Right of Action

CCPA

* Effective 1/1/23 Under CPRA

Limited private right of action for breach of unredacted or unencrypted personal information due to failure to maintain reasonable security practices.

* Will be available for breach of email address and password or security question and answer that would allow access to account

CDPA
None
GDPR
Yes

Penalties and Damages

CCPA Fines

* Effective 1/1/23 Under CPRA

CCPA penalties include up to:

  • $2,500 for each violation
  • $7,500 for each intentional violation

* Automatic $7,000 fine for a violation involving the personal information of minors

Statutory damages from $100-$750 per violation.

CDPA Fines
Up to $7,500 per violation
GDPR Fines
Administrative GDPR penalties can reach 20 million euros or 4% of annual global revenue, whichever is higher.

Data Protection Impact Assessments

CCPA

* Effective 1/1/23 Under CPRA

Not currently required

* Cybersecurity audits and risk assessments will be required for companies whose processing presents a significant risk to consumer privacy or security.

CDPA

Virginia CDPA requires data protection assessments for the following activities:

  • Processing personal data for targeted advertising
  • Selling personal data
  • Processing personal data for purposes of profiling
  • Processing sensitive data
  • Processing activities involving personal data that present a heightened risk of harm to consumers.
GDPR

GDPR Article 35 requires data protection assessments when processing personal data for certain functions such as:

  • Targeted advertising
  • Selling personal data
  • Certain types of profiling
  • Processing sensitive data
  • Processing that presents a heightened risk of harm to consumers

Sensitive Data

CCPA

* Effective 1/1/23 Under CPRA

Not currently covered

* New categories of “sensitive personal information,” including:

  • Social Security numbers (SSNs),
  • Driver’s license
  • Financial account or card numbers
  • Precise geolocation
  • Racial and ethnic characteristics
  • Religious and philosophical beliefs
  • Union membership,
  • Contents of mail, email and text messages
  • Genetic and biometric data
CDPA
Consent is required to process “sensitive data,” which includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, biometric data, personal data collected from a known child, and precise geolocation data.
GDPR

The following personal data is considered ‘sensitive’ and is subject to specific processing conditions:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade-union membership
  • Genetic data
  • Biometric data processed solely to identify a human being
  • Health-related data
  • Sex life or sexual orientation

Anonymous, De-identified, Pseudonymous, or Aggregated Data

CCPA De-identified Data & Pseudonymous Data

* Effective 1/1/23 Under CPRA

The CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose consumer information that is deidentified or aggregated.

However, the CCPA establishes a high bar for claiming data is deidentified or aggregated. Pseudonymous data may qualify as personal information under the CCPA because it remains capable of being associated with a particular consumer or household; however, the statute does not clearly categorize pseudonymous data as personal information or exclude it.

CDPA De-identified Data
The definition of personal data goes on to explicitly exclude “de-identified data or publicly available information,” but not pseudonymous information.
GDPR Anonymous & Pseudonymous Data
Pseudonymous data is considered personal data.

Anonymous data is not considered personal data.

While the GDPR does not mention de-identified data, the CCPA definition is similar to GDPR’s concept of anonymous data.

Privacy Notice Requirements

CCPA

* Effective 1/1/23 Under CPRA

Businesses must inform consumers about:

  • The personal information categories collected.
  • The intended use purposes for each category.

Further notice is required to:

  • Collect additional personal information categories.
  • Use collected personal information for unrelated purposes.

Third parties must also give consumers explicit notice and an opportunity to opt out before re-selling personal information that the third party acquired from another business.

CDPA
CDPA does not expressly require businesses to display a privacy notice at or before the point of the collection of personal data, nor does it require businesses to provide a “do not sell my information” link.
GDPR
Data controllers must provide detailed information about their personal data collection and data processing activities. The notice must include specific information depending on whether the data is collected directly from the data subject or from a third party.

Contracting

CCPA

* Effective 1/1/23 Under CPRA

Mandatory contracting requirements for “service providers” and “third parties” to whom the company does not sell data.

* Mandatory contracting requirements for “contractors” to whom the company makes available personal information for a business purpose.

CDPA

Requires controllers to enter into contracts with processors to govern the processing of personal data by a processor on behalf of the controller.

The contract should include:

  • Type of data
  • Duration of processing
  • The rights and obligations of both parties, with specific obligations for the processor
GDPR

Requires controllers to enter into contracts with processors to govern the processing of personal data by a processor on behalf of the controller.

The contract should include:

  • Type of data
  • Duration of processing
  • The rights and obligations of both parties, with specific obligations for the processor

Children’s Data

CCPA

* Effective 1/1/23 Under CPRA

The CCPA prohibits selling personal information of a consumer under 16 without consent.

Children aged 13-16 can directly provide consent.

Children under 13 require parental consent.

Protections provided in the Children’s Online Privacy Protection Act (COPPA) still apply on top of the CCPA’s requirements.

CDPA
Sensitive data is provided greater protection and includes personal data collected from children.

Businesses that comply with verifiable parental consent requirements under the Children’s Online Privacy Protection Act are deemed compliant with the CDPA obligations to obtain parental consent.

GDPR
The GDPR’s default age for consent is 16, although individual member state law may lower the age to no lower than 13. The person with parental responsibility must provide consent for children under the consent age.

Children must receive an age-appropriate privacy notice.

Children’s personal data is subject to heightened security requirements.

How WireWheel Can Help

Future proof your privacy program with WireWheel’s Trust Access and Consent Center to manage DSARs and consent and WireWheel’s Privacy Operations Manager for managing assessments.

Request a demo to learn more.
