Let’s start this blog with a short warning. This is not a detailed gap analysis of the GDPR versus the CCPA; you can find loads of good ones on the internet. I am not a privacy expert, but I am in the lucky position of working with passionate privacy experts on a daily basis in the field of data protection, and the CCPA, the California Consumer Privacy Act, is a hot topic these days.
The CCPA is the new privacy bill that becomes effective on January 1st 2020 in the state of California. This blog gives you a high-level insight into the CCPA. To make it easier to digest, the GDPR is used as a reference.
This factsheet sets out the main differences between the GDPR and the CCPA in four areas: Reach & Governance, Personal Data, Data Subject Rights and Accountability.
Although the GDPR and the CCPA are both considered privacy regulations that will turn around the mindset about data protection, the actual scope of the CCPA is much narrower than the rather broad scope of the GDPR. The CCPA is centred around the right to say no to the sale of personal data.
The CCPA is restricted to organisations that collect consumers’ personal data, and even then it only applies to those with a turnover above 25 million dollars and to those that collect a significant amount of personal data.
The GDPR applies to all organisations located within the EU and to organisations outside the EU that offer goods or services to EU data subjects or residents; it is not limited by company size or turnover.
Another big difference: the CCPA uses a different definition of personal data than the GDPR, and it does not consider publicly available information to be personal data.
Under the GDPR, data processing may only take place on a legitimate legal ground. Its focus on data subjects and the protection of their data and privacy results in a long list of data subject rights: the right to be informed, the right of access, the right to rectification, the right to erasure (to be forgotten), the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling.
The CCPA offers no right to rectification, no right to object and no rights in relation to automated decision-making and profiling. Under the CCPA, consumers can OPT OUT of the sale of their personal data and OPT OUT of its use for marketing purposes.
Both the CCPA and the GDPR offer the right to be informed, though with different timelines for follow-up.
From our (Privacy Company’s) broad experience with GDPR implementations, I can really recommend preparing well and starting early when a new legal framework is on its way. It definitely takes time to raise awareness, get the impact assessments done and implement all measures, on top of running the business.
After you have checked whether the CCPA applies to your organisation (scans are available), make sure you are prepared before the 1st of January 2020 by having the following in place:
So although the scope and the data subject rights differ significantly, the operational implementation you need to do for the CCPA can be quite similar to the one for the GDPR.
If you want to know more about preparing your organisation for the CCPA, or about how you can prepare for the CCPA with Privacy Nexus, please get in touch and let’s discuss.
Written by Renske Nouwens