Cookie Consent

The cookie consent like GDPR has revolutionized the processing of personal data for organisations. Its implementation, on May 25, 2018, has been emulated and several states have taken inspiration from it to legislate on personal data. Among them, the state of California with the CCPA (California Consumer Act) which came into force on January 1, 2020. This text nevertheless has some differences with the GDPR.

What is GDPR?

The General Data Protection Regulation (GDPR) was adopted by the European Parliament in 2016 and entered into force in 2018. It establishes a legal framework for the protection of personal data for Europe. Any entity handling personal data of European residents must comply with the Regulation. Its application goes beyond the borders of Europe: foreign controllers and processors, who process personal data from the European Union (EU), must apply the GDPR even if the processing is done outside the EU.

The text strengthens the protection of the people whose data is collected and the rights they can exercise. In particular, they can access their collected data, decide for example to rectify or erase them and request their portability. The GDPR confers numerous obligations on data controllers, such as the obligation to keep a register of processing operations or to notify the CNIL in the event of a data breach. These obligations are accompanied by the accountability of data actors. The data controller is responsible for the compliance of its activities and must be able to demonstrate it.

What is CCPA?

The California Consumer Privacy Act (CCPA) is a California data privacy law designed to enhance privacy rights and consumer protection for residents of California (USA). The CCPA regulates how companies can collect, share and process the personal data of California residents. The new law, which came into force on January 1, 2020, results from a strengthening of the role of personal data in current business practices and the privacy implications related to the collection and processing (use) of users’ personal information. Failure to comply with the CCPA can result in penalties of up to $7,500 (approximately €6,400) for each violation and $750 (approximately €640) in damages for each affected user.

What is LGPD?

Inspired by the GDPR (the data protection regulation promulgated by the EU), the LGPD is a Brazilian law that governs the processing of personal data. It was approved on July 10, 2018 and entered into force on August 15, 2020.

CookieHub helps you make your website LGPD compliant using a variety of methods designed to meet requirements related to the storage and processing of personal information. Read on to learn more about the LGPD and the exact things you should do to stay in good standing.

The LGPD establishes the conditions under which personal data can be processed, defines a set of rights for data subjects, creates specific obligations for data controllers and creates a series of procedures and standards so that greater care is taken. brought to the processing of personal data and sharing with third parties.

Read also: How to handle a personal data breach in company?

CCPA and GDPR: Similar objectives with notable differences

Whether you are DPO, Compliance Officer or Legal Director, you have certainly been alerted to the arrival of this text promulgated on June 29, 2019. And, if you work in an international Group, this double compliance is a great challenge to take up!

As much to tell you right away, the compliance of an organization with the GDPR does not de facto lead to compliance with the CCPA: there are specific obligations under Californian law.

In this video, I come back to the 7 main differences that exist between the GDPR and the CCPA. Listing these differences will allow you to identify the actions and projects to be undertaken within your organization. You will be able to calmly consider your compliance with the CCPA.

CCPA and GDPR, what are the differences?

1. The people concerned

The GDPR targets all natural persons on the territory of the European Union without any residence requirement.

The CCPA is limited to California resident consumers only.

2. Data concerned

The CCPA recognizes as “Personal Information” data concerning individual consumers but also household data. The scope of Californian law therefore has an extra-individual dimension. This dimension does not exist in the GDPR.

On the other hand, unlike the GDPR, the CCPA explicitly excludes certain categories of data from its scope (health data, public data, etc.).

Similarly, the CCPA does not integrate the distinction between sensitive personal data and personal data.

3. Organizations concerned

The CCPA has a much narrower scope than the GDPR.

The GDPR applies to natural or legal persons, public or private bodies, for profit or not.

Conversely, the CCPA only applies to for-profit companies that meet one of the following threshold criteria:

Have an annual gross turnover of more than $25 million
Sell personal information of more than 50,000 California residents per year
Generate more than 50% of annual revenue from the sale of personal information of California residents.
4th difference: The Collection of Consent
Unlike the GDPR, the CCPA does not require prior consent to processing. Businesses can process California consumer data as they choose except when they exercise their right to object to the sale of their data.

No Opt-in logic as we can see with the European regime therefore.

Exceptions for minors under 16: Between the ages of 13 and 16, the minor’s consent is required for the sale of their personal data. For minors under the age of 13, the agreement of the legal guardian will be required.

5th difference: The rights of data subjects

Right to information

In both regimes, companies are required to mention the categories of personal data processed. But, unlike the GDPR, the CCPA only requires mentioning the categories of personal data processed during the last 12 months.

Right of access and portability

Unlike the GDPR, the rights of access and portability only relate to personal information collected in the 12 months preceding the request.

Right to erasure

On this subject again, the CCPA and the GDPR differ. Whether in the methods of formulating the request or the need to justify the request.

Right of opposition

The GDPR allows data subjects to stop any processing of their personal data.

With the CCPA, the State of California has decided to limit this right only to the sale of personal information to third parties. On this subject, and contrary to the GDPR, the consumer does not have to justify himself: this right is absolute. In addition, in order to guarantee this right, the CCPA requires organizations to set up a specific link on their website with the title “Do Not Sell My Personal Information”.

6. Sanctions

With the arrival of the CCPA, companies incur penalties of up to $7,500 per violation with damages of $750 per user affected by the violations. At first glance, the amounts are quite low compared to the penalties provided for by the GDPR, which can amount to up to 20 million euros or 4% of the annual worldwide turnover. Be careful, however, because one can imagine that with this mechanism the sanctions can reach substantial sums.

7. The sale of personal data

For the CCAC, data is seen as intangible property with monetary value. Conversely, for Europeans, rights to personal data are extra-patrimonial rights and are therefore not considered as property.

Implication: The CCPA allows financial incentives to obtain personal information about its consumers. This possibility is completely absent from the GDPR.

Data Breach | Personal datas in US, Europe and Asia and Fines, Settlement Examples

Sources: GDPR, California Consumer Privacy Act, LGPD Brazil – General Personal Data Protection Act

Photo credit: ponce_photography via Pixabay