CCPA and GDPR Comparison Chart
Resource ID: w-016-7418

LAURA JEHL AND ALAN FRIEL, BAKERHOSTETLER LLP, WITH PRACTICAL LAW DATA PRIVACY ADVISOR

Search the Resource ID numbers in blue on Westlaw for more.

A Chart comparing some of the key requirements of the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR).

The EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) took effect on May 25, 2018 and replaced the EU Directive and its member state implementing laws. On June 28, 2018, California became the first U.S. state with a comprehensive consumer privacy law when it enacted the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020, with some exceptions (Cal. Civ. Code §§ 1798.100-1798.199). Given their comprehensiveness and broad reaches, each law may have a significant impact on entities that collect and process personal data.

The CCPA grants California residents new rights regarding their personal information and imposes various data protection duties on certain entities conducting business in California. While it incorporates several GDPR concepts, such as the rights of access, portability, and data deletion, there are several areas where the CCPA requirements are more specific than those of the GDPR or where the GDPR goes beyond the CCPA requirements.

This Chart provides a high-level comparison of key requirements under the CCPA and the GDPR. It is not a comprehensive list of all measures required under the CCPA or the GDPR.

For an overview of the CCPA, see Practice Note, California Privacy and Data Security Law: Overview: General Data Protection and the California Consumer Privacy Act (6-597-4106) and Article, Expert Q&A: The California Consumer Privacy Act of 2018 (CCPA) (W-015-6908).

For an overview of the GDPR, see Practice Note, Overview of EU General Data Protection Regulation (W-007-9580).

© 2018 Thomson Reuters. All rights reserved.

Chart columns: Topic | CCPA | GDPR | Comparison | Practical Law Resources and Citations

Who is Regulated?

CCPA: Any for-profit entity doing business in California that meets one of the following:
- Has a gross revenue greater than $25 million.
- Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The law also applies to any entity that either:
- Controls or is controlled by a covered business.
- Shares common branding with a covered business, such as a shared name, service mark, or trademark.
Parts of the CCPA apply specifically to:
- Service providers.
- Third parties.

GDPR: Data controllers and data processors:
- Established in the EU that process personal data in the context of activities of the EU establishment, regardless of whether the data processing takes place within the EU.
- Not established in the EU that process EU data subjects’ personal data in connection with offering goods or services in the EU, or monitoring their behavior.

Comparison: The scope and territorial reach of the GDPR is much broader. Substantially different in parties regulated.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code § 1798.140(c). Boxes, CCPA Definitions and CCPA Exceptions to Extraterritorial Applications. Practice Note, California Privacy and Data Security Law: Overview: CCPA Scope (6-597-4106).
GDPR: Article 3. Practice Note, Determining the Applicability of the GDPR (W-003-8899).

Who is Protected?

CCPA: Consumers, defined as California residents that are either:
- In California for other than a temporary or transitory purpose.
- Domiciled in California but currently outside the State for a temporary or transitory purpose.
Consumers include:
- Customers of household goods and services.
- Employees.
- Business-to-Business transactions.

GDPR: Data subjects, defined as identified or identifiable persons to which personal data relates.

Comparison: Substantially different in approach, but similarly broad in effect. Both laws focus on information that relates to an identifiable natural person; however, the definitions differ. Both have potential extraterritorial effects that businesses located outside the jurisdiction must consider.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code § 1798.140(g) and Cal. Code Regs. tit. 18, §17014. Practice Note, California Privacy and Data Security Law: Overview: CCPA Scope (6-597-4106).
GDPR: Article 4(1). Practice Note, Overview of EU General Data Protection Regulation: Identifiability (W-007-9580).

What Information is Protected?

CCPA: Personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household. The statutory definition includes a list of specific categories of personal information. Personal information does not include certain publicly available government records. The CCPA also excludes certain personal information covered by other sector-specific legislation from its coverage scope.

GDPR: Personal data is any information relating to an identified or identifiable data subject. The GDPR prohibits processing of defined special categories of personal data unless a lawful justification for processing applies.

Comparison: Substantially similar. However, the CCPA definition also includes information linked at the household or device level.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code §§ 1798.140(o) and 1798.145(c)-(f). Boxes, Categories of Personal Information Under the CCPA and Information Excluded From the CCPA’s Personal Information Definition. Practice Note, California Privacy and Data Security Law: Overview: Personal Information under CCPA (6-597-4106).
GDPR: Articles 4(1) and 9(1). Practice Note, Overview of EU General Data Protection Regulation: Personal Data and Data Subjects (W-007-9580) and Special Categories of Personal Data (W-007-9580).

Anonymous, Deidentified, Pseudonymous, or Aggregated Data

CCPA: The CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose consumer information that is deidentified or aggregated. However, the CCPA establishes a high bar for claiming data is deidentified or aggregated. Pseudonymous data may qualify as personal information under the CCPA because it remains capable of being associated with a particular consumer or household. However, the statute does not clearly categorize or exclude pseudonymous data as personal information.

GDPR: Pseudonymous data is considered personal data. Anonymous data is not considered personal data.

Comparison: The CCPA and GDPR pseudonymization definitions are very similar, and both require technical controls to prevent reidentification to qualify. While the GDPR does not mention deidentified data, the CCPA definition is similar to the GDPR’s concept of anonymous data. The CCPA primarily discusses pseudonymization in the context of using personal information collected from a consumer for other purposes, such as research. It does not appear to help businesses generally avoid the CCPA’s requirements. At this point, it is unclear how different the position under the GDPR is.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code §§ 1798.140(a), (h), (o), (r), and 1798.145(a)(5). Practice Note, California Privacy and Data Security Law: Overview: Personal Information under CCPA (6-597-4106).
GDPR: Article 4(5). Practice Note, Anonymization and Pseudonymization under the GDPR (W-007-4624).

Privacy Notice / Information Right

CCPA: Businesses must inform consumers about:
- The personal information categories collected.
- The intended use purposes for each category.
Further notice is required to:
- Collect additional personal information categories.
- Use collected personal information for unrelated purposes.
The CCPA requires that businesses provide specific information to consumers and establishes delivery requirements. Third parties must also give consumers explicit notice and an opportunity to opt out before re-selling personal information that the third party acquired from another business.

GDPR: Data controllers must provide detailed information about their personal data collection and data processing activities. The notice must include specific information depending on whether the data is collected directly from the data subject or from a third party.

Comparison: Similar disclosure requirements, but differences in the specific information required and the delivery methods. The CCPA notice requirements on personal information disclosed or sold to third parties only cover the 12 months preceding the request.

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code §§ 1798.100(a)-(b), 1798.105(b), 1798.110, 1798.115, 1798.120(b), 1798.130, and 1798.135. Practice Note, California Privacy and Data Security Law: Overview: Consumer Rights under the CCPA (6-597-4106) and CCPA Business Obligations (6-597-4106).
GDPR: Articles 13-14. Practice Note, Data Subject Rights under the GDPR: Personal Data Collected Directly from a Data Subject (W-006-7553) and Personal Data Collected from a Third Party (W-006-7553).

Security

CCPA: The CCPA does not directly impose data security requirements. However, it does establish a right of action for certain data breaches that result from violations of a business’s duty to implement and

GDPR: The GDPR requires data controllers and data processors to take appropriate technical and organizational measures

Comparison: Substantially similar in statutory approach, though reasonable security measures may vary to some

Practical Law Resources and Citations:
CCPA: Cal. Civ. Code § 1798.150(a)(1). Practice Note, California Privacy