GDPR and CCPA are laws that emphasize the security and privacy of any personal data collected and processed. Addressing compliance with privacy laws is therefore essential, ideally while your application is still in the design phase.
Software providers that are contracted to collect or process data share responsibility for that work. And because of the types of information that web and mobile apps can collect, app developers and publishers need to be especially careful. You must consider the legal requirements whenever you process users’ data while building and testing your product. Implementing these rules is undoubtedly a challenge for many companies.
In this article, we will compare these two privacy laws in the context of software development. What does GDPR or CCPA require of an application for it to meet the legal requirements? First, we will review the definitions of the two laws.
What does CCPA mean?
CCPA is California’s consumer privacy law. It is the first comprehensive statewide privacy law in the United States. It went into effect on January 1, 2020. Currently, the act applies mainly to any entity doing business in California that collects, shares, or sells the personal data of consumers from the state and has gross annual revenues of more than $25 million (or meets one of the other thresholds listed below).
The CCPA gives California residents new rights to require companies to disclose or delete data they have already collected, or to refrain from selling their data to third parties altogether. This means that the CCPA imposes new obligations on commercial entities doing business in California.
The CCPA was amended by the California Privacy Rights Act (CPRA), which went into effect in January 2023. Enforcement began in July 2023, and the CPRA’s provisions apply to personal data collected from January 2022 onward. We have therefore updated some of the information in this article with CPRA guidelines.
What does GDPR stand for?
GDPR stands for General Data Protection Regulation. It came into effect on May 25, 2018. It is a European Union law that protects the personal data of people in the EU. It imposes strict data protection requirements and severe penalties for non-compliance. The law protects everyone in the EU from having their data collected and used without a lawful basis, such as their consent – whether online or in person.
GDPR versus CCPA. Main differences
Although GDPR and CCPA differ in some significant respects, the CCPA is generally less restrictive than GDPR. If your company is already compliant with GDPR, maintaining compliance with the CCPA should be manageable.
However, to ensure there are no violations, companies that prioritize compliance must understand the practical differences between the two.
1. Type of law and scope
The CCPA is a California state statute. It is enforced by the state (the Attorney General and, since the CPRA, the California Privacy Protection Agency), and it also gives consumers a private right of action in California state court, although that right is limited to data breaches caused by a failure to maintain reasonable security. The CCPA is much narrower in scope: it applies only to California residents and does not extend beyond the United States.
GDPR is an EU regulation, directly applicable in every member state and enforced by national supervisory authorities; data subjects may also go to court and claim compensation for damage caused by an infringement. It applies to the personal data of people in the EU no matter where the data is processed. It is broader in the sense that the number of organizations holding the personal data of EU residents is likely to be far larger than the number holding the data of California residents.
2. Entities affected by the application of the law
The CCPA applies to any for-profit organization that does business in California, collects the personal information of California residents for commercial purposes, and meets at least one of the following thresholds:
- annual gross revenue above $25 million,
- buys, sells, or shares the personal information of 50,000 or more California consumers, households, or devices per year (the CPRA raised this threshold to 100,000),
- derives at least 50% of its annual revenue from selling (or, under the CPRA, sharing) consumers’ personal information.
The CCPA also goes beyond individuals: it covers personal data about a household or a device.
The GDPR applies to any organization that collects data about individuals in the European Union (EU) and the European Economic Area (EEA), regardless of where the organization is located. Therefore, any entity that handles the personal data of people in the EU – be it an eCommerce company, a website, a nonprofit organization, or a public institution – must comply with the GDPR. This law does not apply to personal data used for purely personal or household activities.
3. The type of protected data
The CCPA is quite specific about the types of data protected in different circumstances. It covers information that can reasonably be linked to a particular consumer, device, or household. This includes data such as a name, email address, purchase records, browsing history, location, biometric data, or inferences drawn from other personal data.
The CCPA exempts data such as:
- medical information protected by the CMIA (Confidentiality of Medical Information Act) or HIPAA (Health Insurance Portability and Accountability Act),
- information collected for clinical trials,
- information sold to or obtained from consumer reporting agencies,
- information covered by the Driver’s Privacy Protection Act,
- publicly available information from federal, state, or local government records.
The GDPR covers the processing of all personal data, regardless of what the data is used for and how it is processed. This includes information such as an identification number, an online identifier, an email address, a telephone number, or sensitive data related to the data subject’s physical, mental, economic, cultural, or social identity.
The main exceptions to this rule are:
- data processed manually and not held in, or intended for, a structured filing system,
- data processed for purely personal or household purposes,
- data about deceased persons.
4. Users’ rights
Under the CCPA, consumers are given rights that they can exercise. These include:
- The right to know about and access the personal data collected about them.
On request, a company must disclose what personal information it has collected, sold, or disclosed for a business purpose in the preceding 12 months.
- The right to have personal data that was collected from the consumer deleted.
- The right to opt out of having their personal data used for targeted (behavioral) advertising. This right does not cover untargeted advertising.
- The right to opt out of having their personal information sold to third parties. “Sell” is defined broadly as disclosing a consumer’s personal information to a third party “for monetary or other valuable consideration.”
If your company has a website, you need to add a “Do Not Sell My Personal Information” link (“Do Not Sell or Share My Personal Information” under the CPRA) on the home page of your site and on every other page where personal information is collected. This link should lead to a page or setting where users can exercise their right to opt out. Once a user has opted out, you may not ask them to opt back in to the sale of their data for 12 months.
The CCPA gives companies 45 days to respond to requests and allows that period to be extended by another 45 days after notifying the consumer. The CCPA does not restrict collection by age, but a company may not sell the personal information of a consumer it knows to be under 16 without opt-in consent (from a parent or guardian for children under 13).
*CPRA: In addition to expanding the existing rights granted under the CCPA, the CPRA introduces several new rights for consumers. These include:
- the right to be informed about, and to opt out of, automated decision-making,
- the right to correct inaccurate personal information (PI),
- the right to limit the use of sensitive personal information (SPI),
- the right to opt out of the “sharing” of personal data (disclosure to third parties for cross-context behavioral advertising), in addition to the existing opt-out from sale.
Under GDPR, where processing relies on consent, companies must obtain it before processing begins and must let users withdraw it as easily as they gave it. Companies whose business model depends on processing large amounts of personal data must ask users for clear, affirmative consent to collect and use their information (explicit consent for special categories of data).
The GDPR gives the following rights to data subjects:
- The right to access their personal data.
Each person must be informed of how long their data will be kept and reminded that they can withdraw the consent they previously gave at any time.
- The right to have inaccurate personal data corrected.
- The right to have personal data deleted.
- The right to restrict the processing of personal data.
When a company obtains personal data from a source other than the data subject, it must inform the data subject within one month, including exactly which source the data came from.
- The right to data portability, i.e. to receive their data and transfer it to another controller.
- The right to object to the processing of personal data.
Users can object to data collection and use at any time, and can withdraw consent even if they previously gave it.
- The right not to be subject to decisions based solely on automated processing, including profiling.
Companies have one month to respond to requests. This can be extended by a further two months where requests are complex or numerous, but the company must inform the data subject of the extension and the reason for it within the first month.
5. Cookies Control
The CCPA does not require websites to obtain explicit consent before storing cookies on visitors’ devices. Websites must, however, allow visitors to opt out of cookies that sell their personal information, and they should disclose what kinds of cookies the site uses, why, and how visitors can manage them.
*CPRA: Extends the opt-out to cookies that share consumers’ personal information with third parties for cross-context behavioral advertising.
Unlike the CCPA, GDPR requires websites to obtain users’ consent before storing non-essential cookies on their devices; only strictly necessary cookies (such as a session cookie) are exempt. It also requires websites to provide granular settings so users can refuse or withdraw consent per category of cookie.
GDPR also requires websites to disclose what types of cookies are used and why, and to provide clear instructions on how visitors can control or delete them.
6. Security requirements
The CCPA does not prescribe specific security controls, but it requires businesses to maintain reasonable security procedures and allows consumers to take action against companies whose failure to do so results in a data breach.
*CPRA: requires companies to implement additional measures to protect sensitive personal data and, where processing presents a significant risk to consumers, to
- conduct regular risk assessments,
- conduct cybersecurity audits,
- maintain records of data processing activities.
GDPR requires that the security of personal data be maintained. Companies must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This includes techniques such as encryption and pseudonymization of personal data, the ability to restore availability and access after an incident, and regular testing of the effectiveness of those measures.
7. Financial fines
Any organization that sells to California residents, handles their personal information, and meets the thresholds above must comply with the CCPA. Failure to do so has consequences. CCPA penalties depend on the violation: statutory damages of $100 to $750 per consumer per incident in a private action over a data breach, or civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation (or per violation involving a minor).
The CCPA allows a consumer to sue a company over a data breach caused by inadequate security. However, the law gives the company a 30-day period to cure the violation, where a cure is possible, to prevent an action for statutory damages.
The GDPR requires all organizations that sell to or collect data from people in the EU to comply with the regulation in full. A company found to be in breach of it – for example, one whose inadequate security leads to a data breach – faces sanctions from the supervisory authority. Penalties also bring loss of credibility, reputation, and financial standing.
Fines for less severe violations of the GDPR can reach €10,000,000 or 2% of worldwide annual turnover, whichever is higher. For the most serious violations, fines can reach €20,000,000 or 4% of worldwide annual turnover, whichever is higher.
Organizations can reduce the risk of data breaches and other violations by appointing a data protection officer (mandatory for some organizations) and implementing appropriate security measures.
So does GDPR compliance cover the CCPA?
GDPR compliance is certainly a reasonable basis for compliance with the CCPA. The two laws overlap in several rights they grant consumers, in their transparency requirements about what data is collected and for what purpose, and in letting individuals request access to their data and withdraw consent. Knowing the similarities can also help ensure compliance with future laws in other regions, which are likely to mirror the existing ones.
However, compliance with one law does not mean compliance with both. GDPR compliance may give U.S. companies a significant head start on CCPA compliance, but the CCPA applies its own distinct rules (the opt-out from sale, the “Do Not Sell” link, and the household and device scope, for example) to a smaller, distinct group of people.
Most professionals consider the CCPA less stringent than GDPR. If your company already complies with GDPR, complying with the CCPA should also be achievable. Understanding each law’s requirements is critical to ensure your systems and processes are fully compliant with both.
Data protection and privacy are now widely considered fundamental human rights. Organizations should be transparent with customers about why they use data and what they do with it.
Both the GDPR and CCPA are significant steps in the right direction regarding data protection and privacy for all of us. They are documents still very much in flux – as cybersecurity evolves, you can expect these documents to be updated. Organizations need to understand the implications of cookies and consent, paying particular attention to how they collect, store and deploy personal data through their web tracking tools and mobile apps.
Want to talk about compliance in your organization? We help companies build value based on trust and ensure data compliance with customized consent and preference management technology.