
CCPA vs GDPR: The Californian Take On Data Privacy

On 1 January 2020 the California Consumer Privacy Act (CCPA) went into effect as the toughest state data privacy law in the US to date. As of 1 January, Californians will be able to uncover what personal information a business collects on them, in addition to their devices and even their children. Although the office of Attorney General Xavier Becerra says enforcement will not begin until 1 July 2020, in all other matters the law is in effect.

What is the CCPA?

The CCPA enables consumers to opt out of the sale of their personal information. Reasonable security practices must be put in place by all companies dealing with California consumers, and if personal information is breached due to the lack of such security practices, then the consumer is allowed to sue the company. Additionally, consumers may ask for their data to be deleted, but companies can deny this request in the specific cases where the data is required to complete a financial transaction or protect against fraud.

However, it is important to note that even though the consumer now has the ability to opt out of the sale of their data, this does not mean that companies have to stop collecting personal information. Furthermore, if a company sells the consumer's data even after the consumer has requested to be opted out, the consumer cannot sue the company except in the case of a data breach.

In order for the law to apply, a company must meet any one of three thresholds annually: at least $25 million in revenue, half of its money earned by selling data, or information gathered on at least 50,000. If a company violates the law and does not fix the violation within 30 days of being notified, it can be fined up to $7,500 for each intentional violation.

What is the difference between the CCPA and the GDPR?

The CCPA is focused on creating transparency in California’s data economy and rights for its consumers, whereas the GDPR takes a ‘privacy by default’ approach by creating a framework for the entirety of the EU. Essentially, the CCPA allows the Californian consumer to understand what is happening with their data, while the GDPR allows the consumer to lock their data from companies. It is the difference between opt-out and prior consent.

Although the CCPA will reach beyond California state lines, and possibly even beyond country borders, it does not have as wide a reach as the GDPR. The GDPR protects anyone in the EU, whereas the CCPA only protects California residents. It does not matter whether the consumer is located in California at the time of collection or processing; only permanent residents of the state are protected by the law. However, the CCPA extends the definition of personal data to extra-personal, meaning it includes data that is not specific to the individual such as household data, whereas the GDPR remains strictly individual with only a special category exception.

What’s next?

While some companies such as Microsoft are implementing the new rules from the CCPA nationwide, other companies are adopting forms and notices for consumers. For this reason, the attorney general’s office has released a Standardized Regulatory Impact Assessment.

It is important to keep in mind that the provisions in the CCPA require companies to provide consumers with information on data collected, processed and sold for up to the previous twelve months. This being said, in order to comply with the new CCPA, steps towards compliance must begin now.


