
Resource ID: w-016-7418

CCPA and GDPR Comparison Chart

LAURA JEHL AND ALAN FRIEL, BAKERHOSTETLER LLP, WITH PRACTICAL LAW ADVISOR

Search the Resource ID numbers in blue on Westlaw for more.

A Chart comparing some of the key requirements of the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR).

The CCPA grants California residents new rights regarding their personal information and imposes various data protection duties on certain entities conducting business in California. While it incorporates several GDPR concepts, such as the rights of access, portability, and data deletion, there are several areas where the CCPA requirements are more specific than those of the GDPR or where the GDPR goes beyond the CCPA requirements.

The EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) took effect on May 25, 2018 and replaced the EU Data Protection Directive and its member state implementing laws. On June 28, 2018, California became the first U.S. state with a comprehensive consumer privacy law when it enacted the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020, with some exceptions (Cal. Civ. Code §§ 1798.100-1798.199). Given their comprehensiveness and broad reaches, each law may have significant impact on entities that collect and process personal information.

This Chart provides a high-level comparison of key requirements under the CCPA and the GDPR. It is not a comprehensive list of all measures required under the CCPA or the GDPR.

For an overview of the CCPA, see Practice Note, California Privacy and Data Security Law: Overview: General Data Protection and the California Consumer Privacy Act (6-597-4106) and Article, Expert Q&A: The California Consumer Privacy Act of 2018 (CCPA) (W-015-6908).

For an overview of the GDPR, see Practice Note, Overview of EU General Data Protection Regulation (W-007-9580).

The Chart below compares each topic under four headings: CCPA, GDPR, Comparison, and Practical Law Resources and Citations.

Who is Regulated?

CCPA: Any for-profit entity doing business in California that meets one of the following:
- Has a gross revenue greater than $25 million.
- Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
- Derives 50 percent or more of its annual revenues from selling consumers' personal information.
The law also applies to any entity that either:
- Controls or is controlled by a covered business.
- Shares common branding with a covered business, such as a shared name, service mark, or trademark.
Parts of the CCPA apply specifically to:
- Service providers.
- Third parties.

GDPR: Data controllers and data processors:
- Established in the EU that process personal data in the context of activities of the EU establishment, regardless of whether the data processing takes place within the EU.
- Not established in the EU that process EU data subjects' personal data in connection with offering goods or services in the EU, or monitoring their behavior.

Comparison: The scope and territorial reach of the GDPR is much broader. Substantially different in parties regulated.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code § 1798.140(c). Boxes, CCPA Definitions and CCPA Exceptions to Extraterritorial Applications. Practice Note, California Privacy and Data Security Law: Overview: CCPA Scope (6-597-4106).
GDPR: Article 3. Practice Note, Determining the Applicability of the GDPR (W-003-8899).

Who is Protected?

CCPA: Consumers, defined as California residents that are either:
- In California for other than a temporary or transitory purpose.
- Domiciled in California but currently outside the State for a temporary or transitory purpose.
Consumers include:
- Customers of goods and services.
- Employees.
- Business-to-business transactions.

GDPR: Data subjects, defined as identified or identifiable persons to which personal data relates.

Comparison: Substantially different in approach, but similarly broad in effect. Both laws focus on information that relates to an identifiable natural person; however, the definitions differ. Both have potential extraterritorial effects that entities located outside the jurisdiction must consider.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code § 1798.140(g) and Cal. Code Regs. tit. 18, § 17014. Practice Note, California Privacy and Data Security Law: Overview: CCPA Scope (6-597-4106).
GDPR: Article 4(1). Practice Note, Overview of EU General Data Protection Regulation: Identifiability (W-007-9580).

What Information is Protected?

CCPA: Personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household. The statutory definition includes a list of specific categories of personal information. Personal information does not include certain publicly available government records. The CCPA also excludes certain personal information covered by other sector-specific legislation from its coverage scope.

GDPR: Personal data is any information relating to an identified or identifiable data subject. The GDPR prohibits processing of defined special categories of personal data unless a lawful justification for processing applies.

Comparison: Substantially similar. However, the CCPA definition also includes information linked at the household or device level.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code §§ 1798.140(o) and 1798.145(c)-(f). Boxes, Categories of Personal Information Under the CCPA and Information Excluded From the CCPA's Personal Information Definition. Practice Note, California Privacy and Data Security Law: Overview: Personal Information under CCPA (6-597-4106).
GDPR: Articles 4(1) and 9(1). Practice Note, Overview of EU General Data Protection Regulation: Personal Data and Data Subjects (W-007-9580) and Special Categories of Personal Data (W-007-9580).

Anonymous, Deidentified, Pseudonymous, or Aggregated Data

CCPA: The CCPA does not restrict a business's ability to collect, use, retain, sell, or disclose consumer information that is deidentified or aggregated. However, the CCPA establishes a high bar for claiming data is deidentified or aggregated. Pseudonymous data may qualify as personal information under the CCPA because it remains capable of being associated with a particular consumer or household. However, the statute does not clearly categorize or exclude pseudonymous data as personal information.

GDPR: Pseudonymous data is considered personal data. Anonymous data is not considered personal data.

Comparison: The CCPA and GDPR definitions are very similar, and both require technical controls to prevent reidentification to qualify. While the GDPR does not mention deidentified data, the CCPA definition is similar to the GDPR's concept of anonymous data. The CCPA primarily discusses pseudonymization in the context of using personal information collected from a consumer for other purposes. It does not appear to help businesses generally avoid the CCPA's requirements. At this point, it is unclear how different the position under the GDPR is.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code §§ 1798.140(a), (h), (o), (r), and 1798.145(a)(5). Practice Note, California Privacy and Data Security Law: Overview: Personal Information under CCPA (6-597-4106).
GDPR: Article 4(5). Practice Note, Anonymization and Pseudonymization under the GDPR (W-007-4624).

Privacy Notice / Information Right

CCPA: Businesses must inform consumers about:
- The personal information categories collected.
- The intended use purposes for each category.
Further notice is required to:
- Collect additional personal information categories.
- Use collected personal information for unrelated purposes.
The CCPA requires that businesses provide specific information to consumers and establishes delivery requirements. Third parties must also give consumers explicit notice and an opportunity to opt out before re-selling personal information that the third party acquired from another business.

GDPR: Data controllers must provide detailed information about their personal information and data processing activities. The notice must include specific information depending on whether the data is collected directly from the data subject or from a third party.

Comparison: Similar disclosure requirements, but differences in the specific information required and the delivery methods. The CCPA notice requirement on personal information disclosed or sold to third parties only covers the 12 months preceding the request.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code §§ 1798.100(a)-(b), 1798.105(b), 1798.110, 1798.115, 1798.120(b), 1798.130, and 1798.135. Practice Note, California Privacy and Data Security Law: Overview: Consumer Rights under the CCPA (6-597-4106) and CCPA Business Obligations (6-597-4106).
GDPR: Articles 13-14. Practice Note, Data Subject Rights under the GDPR: Personal Data Collected Directly from a Data Subject (W-006-7553) and Personal Data Collected from a Third Party (W-006-7553).

Security

CCPA: The CCPA does not directly impose data security requirements. However, it does establish a right of action for certain data breaches that result from violations of a business's duty, arising from existing California law, to implement and maintain reasonable security practices and procedures appropriate to the risk.

GDPR: The GDPR requires data controllers and data processors to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Comparison: Substantially similar in statutory approach, though reasonable security measures may vary to some extent according to an organization's circumstances and regulator interpretation.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code § 1798.150(a)(1). Practice Note, California Privacy and Data Security Law: Overview: CAG Enforcement and Private Actions under the CCPA (6-597-4106).
GDPR: Article 24(1). Practice Note, Data security under the GDPR (GDPR and DPA 2018) (UK) (W-013-5138).

Opt-Out Right for Personal Information Sales

CCPA: Businesses must enable and comply with a consumer's request to opt out of the sale of personal information to third parties, subject to certain defenses. Businesses must include a "Do Not Sell My Personal Information" link in a clear and conspicuous location on the website homepage. Businesses must not request reauthorization to sell a consumer's personal information for at least 12 months after the person opts out.

GDPR: The GDPR does not include a specific right to opt out of personal data sales. However, the GDPR does contain other rights a data subject may use to obtain a similar result in certain circumstances. For example, it does permit data subjects, at any time, to:
- Opt out of processing data for marketing purposes.
- Withdraw consent for processing activities.
This allows data subjects to opt out of third-party sales that support marketing purposes or rely on consent for their legal processing basis.

Comparison: Substantially different.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code §§ 1798.120 and 1798.135(a)-(b).
GDPR: Practice Note, Overview of EU General Data Protection Regulation: Processing for Direct Marketing Purposes (W-007-9580) and Lawfulness of Processing (W-007-9580).

Children

CCPA: The CCPA prohibits selling personal information of a consumer under 16 without consent. Children aged 13 to 16 can directly provide consent. Children under 13 require parental consent. Importantly, protections provided by the federal Children's Online Privacy Protection Act (COPPA) still apply on top of the CCPA's requirements.

GDPR: The GDPR's default age for consent is 16, although individual member state law may lower the age to no lower than 13. The person with parental responsibility must provide consent for children under the GDPR consent age. Children must receive an age-appropriate privacy notice. Children's personal data is subject to heightened security requirements.

Comparison: Substantially different requirements, other than the ages involved. The CCPA only requires parental consent for personal data sales, while the GDPR's parental consent requirement applies to all processing consent requests.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code § 1798.120(c)-(d). Practice Note, California Privacy and Data Security Law: Overview: Consumer Rights Under the CCPA (6-597-4106).
GDPR: Article 8(1). Practice Note, Overview of EU General Data Protection Regulation: Children's consent (W-007-9580).

Right of Disclosure or Access

CCPA: Consumers have a right to request disclosure of their personal information, and to receive additional details regarding the personal information a business collects and its use purposes, including any third parties with which it shares information.

GDPR: Data subjects have a right to access their personal data, including receiving a copy, and to obtain certain information about the data controller's processing.

Comparison: Broadly similar rights of disclosure/access. The CCPA's right is only to obtain a written disclosure of the information. The GDPR allows broader access, which is not limited to a written disclosure in a portable format.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code §§ 1798.100(d), 1798.110, 1798.115. Practice Note, California Privacy and Data Security Law: Overview: Consumer Rights Under the CCPA (6-597-4106).
GDPR: Article 15. Practice Note, Data Subject Rights Under the GDPR: Personal Data Access Right (W-006-7553).

Right of Data Portability

CCPA: In response to a request for disclosure, a business must provide personal information in a readily useable format to enable a consumer to transmit the information from one entity to another entity without hindrance.

GDPR: The GDPR includes a new right to data portability to:
- Receive a copy of their personal data in a structured, commonly used and machine-readable format.
- Transmit the personal data to another data controller (including directly by another data controller where possible).

Comparison: Broadly similar rights. The GDPR provides a specific right to request a data controller to transfer personal data to another data controller.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code §§ 1798.100(d) and 1798.130(a)(2). Practice Note, California Privacy and Data Security Law: Overview: Consumer Rights Under the CCPA (6-597-4106).
GDPR: Article 20. Practice Note, Data Subject Rights Under the GDPR: Data portability right (W-006-7553).

Right to Deletion / Erasure (The Right to be Forgotten)

CCPA: A consumer has the right to deletion of personal information a business has collected, subject to certain exceptions. The business must also instruct its service providers to delete the data.

GDPR: Data subjects have the right to request erasure of personal data under six circumstances (the right to be forgotten). Data controllers must also take reasonable steps to inform any other data controllers also processing the data.

Comparison: Similar data deletion rights. The GDPR right only applies if the request meets one of six specific conditions, while the CCPA right is broad. However, the CCPA also allows a business to refuse the request on much broader grounds than the GDPR. The GDPR's obligation to inform downstream data recipients of the person's deletion request is also broader.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code § 1798.105. Practice Note, California Privacy and Data Security Law: Overview: Consumer Rights Under the CCPA (6-597-4106).
GDPR: Article 17. Practice Note, Data Subject Rights under the GDPR: Personal data erasure right (W-006-7553).

Right of Rectification

CCPA: None.

GDPR: The GDPR grants data subjects the right to:
- Correct inaccurate personal data.
- Complete incomplete personal data.

Comparison: Substantially different.

Practical Law Resources and Citations:
GDPR: Article 16. Practice Note, Data Subject Rights under the GDPR: Personal Data Rectification Right (W-006-7553).

Right to Restrict Processing

CCPA: None, other than the right to opt out of personal information sales.

GDPR: Right to restrict processing of personal data, under certain circumstances.

Comparison: Substantially different.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code § 1798.120.
GDPR: Article 18. Practice Note, Data Subject Rights under the GDPR: Data Processing Restriction Right (W-006-7553).

Right to Object to Processing

CCPA: None, other than the right to opt out of personal information sales.

GDPR: Right to object to processing for profiling, direct marketing, and statistical, scientific, or historical research purposes.

Comparison: Substantially different.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code § 1798.120.
GDPR: Article 21. Practice Note, Data Subject Rights under the GDPR: Data Processing Objection Right (W-006-7553).

Right to Object to Automated Decision-Making

CCPA: None.

GDPR: Data subjects have the right not to be subject to automated decision-making, including profiling, which has legal or other significant effects on the data subject, subject to certain exceptions.

Comparison: Substantially different.

Practical Law Resources and Citations:
GDPR: Article 22. Practice Note, Data Subject Rights under the GDPR: Automated Decision-Making Objection Right (W-006-7553).

Non-Discrimination

CCPA: A business must not discriminate against a consumer because they exercised their rights. However, a business may charge differently if that difference reasonably relates to the value provided by the consumer's data. Businesses may also offer financial incentives if they are disclosed in terms or online, and require opt-in consent.

GDPR: It is implicit in the GDPR that organizations cannot discriminate against a data subject that exercises his rights, for example by references prohibiting processing that adversely affects the rights and freedoms of data subjects.

Comparison: Similar idea, different obligations.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code § 1798.125.

Responding to Rights Requests

CCPA: A business must:
- Comply with a verifiable consumer request (as defined in Cal. Civ. Code § 1798.140(y)).
- Respond within 45 days after receipt, potentially extendable once for another 45 or 90 days on customer notification.
- Inform the consumer of the reasons for not taking action.
- Provide the information free of charge, unless the request is manifestly unfounded or excessive.
Consumers may only make most information requests twice a year and only for a 12-month look-back. There are no limits on deletion and do-not-sell requests.

GDPR: A data controller must:
- Verify the identity of a data subject before responding to a request.
- Respond to requests without undue delay and at the latest within one month, extendable for up to two more months if necessary after data subject notice.
- Give reasons if the data controller does not comply with any requests.
Requests do not have to be free to data subjects.

Comparison: Substantially similar.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code §§ 1798.100(c)-(d), 1798.105(c), 1798.110(b), 1798.115(b), 1798.130(a)(2), (b), 1798.140(y), and 1798.145(g).
GDPR: Article 12. Practice Note, Data Subject Rights Under the GDPR: Responding to Data Subject Requests (W-006-7553).

Penalties (Private Rights of Action)

CCPA: The CCPA establishes a narrow private right of action for certain data breaches involving a subset of personal information. However, the CCPA grants companies a 30-day period to cure violations, if possible. Consumers may seek the greater of actual or statutory damages ranging from $100 to $750 per consumer per incident. Courts may also impose injunctive or declaratory relief.

GDPR: The GDPR establishes a private right of action for material or non-material damage caused by a data controller's or data processor's breach of the GDPR.

Comparison: Substantially different in scope, but violations of either may potentially result in significant economic liability.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code § 1798.150. Practice Note, California Privacy and Data Security Law: Overview: CAG Enforcement and Private Actions Under the CCPA (6-597-4106).
GDPR: Article 82. Practice Note, GDPR and DPA 2018: enforcement, sanctions and remedies (UK): Remedies, liability and penalties (W-005-2487).

Penalties (Civil Fines)

CCPA: The California AG may bring actions for civil penalties of $2,500 per violation, or up to $7,500 per violation if intentional. However, the CCPA also grants businesses a 30-day cure period for noticed violations.

GDPR: Administrative fines can reach EUR 20 million or 4% of annual global revenue, whichever is highest. EU Member States can impose their own penalties applicable to infringements of the GDPR that are not subject to administrative fines under Article 83, GDPR.

Comparison: Approach to calculating fines differs, but violations of either may potentially result in significant economic liability.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code § 1798.155. Practice Note, California Privacy and Data Security Law: Overview: CAG Enforcement and Private Actions Under the CCPA (6-597-4106).
GDPR: Articles 83-84. Practice Note, GDPR and DPA 2018: enforcement, sanctions and remedies (UK) (W-005-2487).

© 2018 Thomson Reuters. All rights reserved.

CCPA DEFINITIONS

The CCPA has a long list of defined terms (Cal. Civ. Code § 1798.140). This box discusses certain defined terms used in this Chart. For the definition of personal information, see Box, Personal Information Categories Under the CCPA.

Controls means:
- Ownership of or the power to vote more than 50 percent of the outstanding shares of any class of voting security of a business.
- Control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
- The power to exercise a controlling influence over the management of a company.
(Cal. Civ. Code § 1798.140(c)(2).)

Common branding means a shared name, service mark, or trademark.
(Cal. Civ. Code § 1798.140(c)(2).)

Service provider means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that:
- Processes information on behalf of a business.
- Receives personal information from a business:
  - for a business purpose only; and
  - under a written contract, which prohibits the service provider from retaining, using, or disclosing the personal information for any purpose other than for performing the services specified in the contract or as otherwise permitted by this title.
(Cal. Civ. Code § 1798.140(v).)

Third party means a person or entity other than the business collecting personal information from consumers under the CCPA. However, the third party definition excludes personal information recipients who obtain the data:
- Directly from the business.
- For a business purpose.
- Under a written contract that contains specific clauses.
To qualify for the exclusion, the business's written contract with the recipient must:
- Prohibit the recipient from:
  - selling the personal information;
  - retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract; and
  - retaining, using, or disclosing the information outside of the direct business relationship between the recipient and the business.
- Include a certification that the recipient understands the restrictions and will comply with them.
(Cal. Civ. Code § 1798.140(w).)

CCPA EXCEPTIONS TO EXTRATERRITORIAL APPLICATIONS

The CCPA does not prevent collections or sales of a California resident's (consumer's) personal information if every aspect of the commercial conduct takes place wholly outside California. To qualify, the business must:
- Collect the personal information while the consumer is outside of California.
- Ensure no part of the consumer's personal information sale occurs in California.
- Not sell personal information collected while the consumer was in California.
The CCPA exception does not permit a business to store, including on a device, personal information about the consumer while present in California, and then collect that personal information when the consumer or stored personal information is later outside of California.
(Cal. Civ. Code § 1798.145(a)(6).)

PERSONAL INFORMATION CATEGORIES UNDER THE CCPA

The CCPA defines personal information more broadly than California's other laws. It includes any information that directly or indirectly identifies, describes, relates to, is capable of being associated with, or can reasonably link to a particular consumer or household. The statutory definition includes eleven specific categories that businesses must use when providing their required disclosures. Those categories are:
- Identifiers, such as:
  - real name;
  - an alias;
  - postal address;
  - email address;
  - unique personal identifier or online identifier;
  - internet protocol (IP) address;
  - account name;
  - social security number (SSN);
  - driver's license or passport number; or
  - other similar identifiers.
- Personal information categories described in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), which, in addition to the identifiers described above, also lists a person's:
  - signature;
  - physical characteristics or description;
  - state identification card number;
  - insurance policy number;
  - education;
  - employment or employment history;
  - bank account number, credit card number, debit card number, or any other financial information; and
  - medical information or health insurance information.
- Characteristics of protected classifications under California or federal law, like race, religion, gender, national origin, or sexual orientation (see State Q&A, Anti-Discrimination Laws: California).
- Commercial information, including records of:
  - personal property;
  - products or services purchased, obtained, or considered; or
  - other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including:
  - browsing history;
  - search history; or
  - information regarding a consumer's interaction with an internet website, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as nonpublic personally identifiable information under the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g and 34 C.F.R. Part 99).
- Inferences drawn from any of these personal information categories to create a profile about a consumer reflecting the consumer's:
  - preferences;
  - characteristics;
  - psychological trends;
  - predispositions;
  - behavior;
  - attitudes;
  - intelligence;
  - abilities; or
  - aptitudes.

INFORMATION EXCLUDED FROM THE CCPA'S PERSONAL INFORMATION DEFINITION

Personal information does not include "publicly available" information. However, the CCPA narrowly defines the "publicly available" term to only mean information lawfully made available from federal, state, or local government records. The publicly available term does not include:
- Data used for a purpose not compatible with the public recordkeeping purpose that caused the government entity to maintain or make the data available.
- Biometric information collected without the person's knowledge.
- Deidentified or aggregate consumer data.
(Cal. Civ. Code § 1798.140(o)(2).)

The CCPA does not apply to:
- Medical information or protected health information governed by California and federal health laws.
- Clinical trial information subject to the Federal Policy for the Protection of Human Subjects (the Common Rule).
- Personal information regulated by the Fair Credit Reporting Act (FCRA).
(Cal. Civ. Code § 1798.145(c)-(d).)

Only one CCPA section, providing a private right of action for certain data breaches, applies to personal information governed by:
- The Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act.
- The Driver's Privacy Protection Act of 1994.
The CCPA's other provisions do not.
(Cal. Civ. Code § 1798.145(e)-(f).)



11-18 © 2018 Thomson Reuters. All rights reserved. Use of Practical Law websites and services is subject to the Terms of Use (http://static.legalsolutions.thomsonreuters.com/static/agreement/westlaw-additional-terms.pdf) and Privacy Policy (://a.next.westlaw.com/Privacy).