The California Consumer Privacy Act (CCPA) is expected to significantly strengthen data collection and privacy in the USA when it goes into effect on January 1, 2020. The law, which was created directly in response to the Cambridge Analytica-Facebook data hijacking scandal, is similar to the European Union’s General Data Privacy Regulation (GDPR). In fact, some are saying that CCPA is the American version of GDPR.
Nevertheless, significant differences exist between the two data privacy regulations. How do they compare? Here are a few insights.
They’re for different populations, but both are far-reaching.
GDPR protects European Union citizens, but applies to any companies that do business with them—including those located outside Europe. For example, Amazon and Facebook must comply since many of their customers are located in EU member states.
CCPA technically only applies to large organizations that conduct business in California. But bear in mind that nearly 40 million people live in California, which is more people than in Canada and about 12% of the US population. California also has the fifth largest economy in the world, with a GDP of more than $2.7 trillion.
Because of the global reach of GDPR, many businesses have concluded that it makes sense to be GDPR-compliant for all customers rather than just European ones. Similarly, many companies will likely conclude that it’s easier to comply with CCPA for all customers, rather than just for those who reside in California.
They have different terms, but both include broad privacy rights.
GDPR and CCPA are fairly consistent in the sense that they guarantee certain privacy rights.
GDPR grants EU citizens the rights to:
Similarly, CCPA grants California residents the rights to:
Because of the similar privacy requirements, those businesses that already comply with GDPR should have a much easier time complying with CCPA.
They have different penalties for non-compliance, but both could cost businesses a lot.
Organizations can be sure that doing nothing to comply with either regulation will cost dearly. That being said, the differences in fines are significant.
The stakes are quite high for organizations that do not comply with GDPR. Penalties can be as high as €20 million or 4 percent of annual revenue—whichever is greater.
With CCPA, the penalties are lower, but they can add up. Organizations can be fined up to $2,500 for each negligent violation and up to $7,500 for each intentional violation. However, CCPA does not specify a maximum amount, meaning that theoretically, organizations can be fined several penalties for each violation.
Is CCPA the new GDPR for Americans? As we've seen, the answer is yes and no. But the two regulations have at least one more characteristic in common: Both require your business to be ready.
Interested in learning how you can make sure your third parties comply with GDPR and CCPA? Contact us today for a free demo.