With privacy scandals like the one involving Facebook and Cambridge Analytica, and a seemingly endless stream of massive data breaches at firms like Equifax, Yahoo and Sony, personal privacy on the internet is top of mind for many consumers around the world. It is also top of mind for many lawmakers, particularly in the European Union, where the European Parliament and the Council of the European Union jointly adopted sweeping privacy reforms known as the General Data Protection Regulation (GDPR) on April 14, 2016. The regulation entered into force the following month, but its obligations only became applicable on May 25, 2018, after a two-year transition period.

This action by the EU, along with the frequency of data breaches, has inspired other legislatures to act. For instance, California lawmakers passed the California Consumer Privacy Act (CCPA) on June 28, 2018. Though it is not set to take effect until January 1, 2020, it is the first comprehensive consumer privacy law of its kind passed in the United States.

While both are designed to give consumers visibility into, and control over, their data and how it is used, the two laws pursue that goal very differently. In this article, we discuss each law, what it does and how the two differ.

Pathways to Passage
The first big divergence between the laws happened before either was passed, indeed before either was drafted. The European Commission announced its plans to update EU privacy law in 2012, which led to a four-year debate and drafting process culminating in the GDPR we know today. The CCPA had a notably different journey. The bill was drafted, passed unanimously and signed into law within a single week, in order to keep a stricter privacy initiative that had already gathered the necessary signatures off the November 2018 general election ballot. This not only produced a weaker law, it also left lawmakers free to amend it before it takes effect in 2020. While we do not know whether the CCPA's current text will be its final text, we can still compare the two laws based on what we know now.

How they work
From a broad view, the GDPR and CCPA look fairly similar. Both laws give consumers more transparency about who collects their data, create opt-out options and protect consumers who exercise them. But once you get into the weeds of how each law works, the differences become increasingly clear.

The GDPR seeks to protect "personal data," as defined in Article 4 of the regulation: "any information relating to an identified or identifiable natural person." This covers names, gender, demographic data, email or mailing addresses, unique identifiers and IP addresses, web or search history, and more. The regulation applies to any organization, inside or outside Europe, that processes the personal data of people in the EU. Such organizations must have a lawful basis for every processing activity (consent is one of six, alongside contract, legal obligation, vital interests, public task and legitimate interests), must explain what they do with the data in clear and plain language, and, where they rely on consent, must obtain it freely and specifically and make it as easy to withdraw as it was to give. The most serious infringements carry a maximum penalty of €20 million or 4% of annual worldwide turnover, whichever is higher; a lower tier of €10 million or 2% applies to lesser infringements.

The CCPA, as stated in section 2(b) of the law's text, "…is intended to give Californians the 'who, what, where, and when' of how businesses handle consumers' personal information." Its definition of personal information covers similar data to the GDPR's, and additionally lists California identification card and driver's license numbers, household-level information and inferences drawn from other data. Unlike its European counterpart, the CCPA does not require businesses to obtain consent before collecting or selling personal information (the one exception is an opt-in requirement for selling the data of consumers under 16). What it does require is a clearly visible "Do Not Sell My Personal Information" link through which consumers can opt out of the sale of their data. Beyond that, the initiative rests with Californians: they must ask a business to disclose the personal information it has collected about them, and may ask it to delete that information. A business has 45 days to respond, which it may extend once by a further 45 days, so the process can take up to 90 days. Noncompliance can result in civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, with no cap on the number of violations, after a 30-day period in which the business may cure the violation.

Where they work
Both laws regulate businesses' activities on the internet, but each has a different geographical scope. Put simply, each law reaches a different set of businesses, depending on where those businesses are established and whom they serve.

The GDPR, as stated in Article 3, applies to all personal data processing carried out in the context of the activities of an establishment in the EU, regardless of whether the processing itself takes place in the EU. Entities established outside the EU must also comply to the extent that their processing relates to offering goods or services to people in the EU (whether or not payment is required) or to monitoring those people's behavior within the EU.

The CCPA is more limited in scope. It applies to "businesses" that operate in the state, but it defines "business" narrowly in section 1798.140, subdivision (c): a for-profit entity that collects consumers' personal information, determines the purposes and means of processing it, "does business in the State of California," and satisfies one or more of the following thresholds:

  • Annual gross revenues exceeding $25,000,000
  • Annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices
  • Derives 50% or more of its annual revenues from selling consumers' personal information

An entity that controls or is controlled by such a business and shares common branding with it is also treated as a business, so a small affiliate cannot escape the law simply by being small.

How they differ
Though there are many differences between the two laws, they can be summed up by how they regulate. The GDPR regulates businesses directly: it requires a lawful basis for every processing activity, active transparency toward consumers, and consent that is genuine and easy to withdraw where consent is the basis relied on. The CCPA, on the other hand, shifts most of the action to consumers: apart from the mandatory "Do Not Sell" link and a notice at the point of collection, a business's obligations are triggered when a consumer asks to know what data it holds, asks for deletion, or opts out of its sale.

While both laws introduce sweeping changes and require serious investment in compliance from the businesses they regulate, those changes and investments differ between the two jurisdictions. One cannot assume that compliance with one law translates into compliance with the other.