In terms of personal data protection, the General Data Protection Regulation (GDPR) is the law in the European Union. Across the Atlantic, the State of California has had the California Consumer Protection Act (CCPA) in place since 2020 to protect its residents. Although similar in inspiration, the two regulations do, however, display some fundamental distinctions. The main differences between the two standards are explained below.
What is GDPR?
Protection (Regulation No. 2016/679 of April 27, 2016) is the European reference standard for the protection of personal data. It came into force on May 25, 2018 and imposes numerous restrictions related to the use of personal data.
The RGPD is based on five founding principles:
- Purpose principle
- Principle of proportionality
- Principle of limited shelf life
- Principle of respect for the rights of individuals
- Principle of security and confidentiality.
For more details on this ambitious regulation, please read our article: "Data and GDPR, what you need to know".
What is the CCPA?
Often compared to the GDPR, the California Consumer Protection Act aims to regulate the processing of personal data of California citizens. Initiated several years ago and finalized in 2018, the text came into force on January 1, 2020. Thanks to the CCPA, California residents now enjoy various rights:
- The right to know about the personal information collected and its use;
- The right to erase collected information;
- The right to opt-out or the option to refuse the sale of their personal data. A specific button "do not sell my personal data" is also provided for this purpose; and
- The right to non-discrimination.
The adoption of the CCPA was a real tour de force. Many pillars of Silicon Valley lobbied hard to limit the scope of the legislation. Although some concessions were made, the existence of such a text in the United States remains a major step forward in terms of respecting the privacy of personal data.
Differences between CCPA et GDPR: Data concerned
Both regulations propose a relatively similar definition of personal data. Nevertheless, the CCPA specifically excludes from its scope medical data as well as data collected by public bodies.
The data scope of the GDPR is therefore broader than that of the California Consumer Protection Act.
Differences between CCPA and GDPR: Protected persons and consent
The CCPA only protects individuals (consumers) residing in the State of California.
The GDPR, on the other hand, protects the personal data of any individual, as stated in recital 14 of the Regulation:
"The protection conferred by this Regulation should apply to natural persons, regardless of their nationality or place of residence, with respect to the processing of their personal data. »
This means that, in theory, an individual residing outside the European Union can invoke the protection of the GDPR provided, for example, that a European company processes his or her data.
At the level of consent, the logic is also quite different. Under the GDPR, the individual must consent to the use of his or her data in advance. On the other hand, the CCPA stipulates that the individual has a right of withdrawal which he can exercise. The approach is therefore the reverse.
Difference between GDPR and CCPA: Scope of application
The General Regulation on Data Protection applies very broadly, it is referred to as extraterritorial scope of application. It concerns all organizations established in the European Union but also any organization collecting data from European residents. The lucrative or not lucrative nature of the activity is not relevant in this context.
The CCPA applies to for-profit companies doing business in California that meet one of the following conditions:
- Have annual revenues in excess of $25 million;
- Hold personal data about at least 50,000 users (households, individuals, etc.);
- Or derive at least 50% of revenue from data sales.
While there can be no doubt that California-based businesses and entities related to such businesses are affected, certain issues arise with respect to other businesses. While legal controversy exists (over the concept of "doing business in California"), it seems to be generally accepted that any company using data from California residents that meets one of the above conditions should comply with the CCPA requirements.
Differences between GDPR and CCPA: Sanctions
In terms of potential sanctions, the GDPR is much stricter. Fines for certain violations can be as high as 4% of the previous year's sales or 20 million euro (depending on the higher amount).
In contrast, the CCPA provides for a fine of up to $7,500 per violation but with an unlimited number of fines. On the other hand, only infractions related to data collected within the last twelve months can be subject to sanctions, whereas the GDPR does not impose such a time limit.
There are also different ways of appealing and lodging complaints. Californian residents have the option of directly suing the company responsible. However, in order for the CCPA to apply, a violation must be actually found by an individual, which is not necessarily the case under the GDPR.
The protection of personal data, a major challenge
The CCPA can therefore in no way be assimilated to the GDPR. This would be tantamount to comparing the French Constitution with the U.S. Constitution. The California Consumer Protection Act and the General Regulation on Data Protection have differences regarding who is protected, the organizations that must comply with the obligations, the procedures to be followed and other essential elements.
Beyond these fundamental differences, there are several nuances that are subject to interpretation. Many subtleties could not be discussed in the context of this article. There is no doubt that specialized law firms and consulting firms will be delighted in the coming years. Both regulations are complex, and the technological environment is constantly evolving.
Apart from the intention, the two standards therefore have little in common. However, we can only welcome the existence of texts aimed at protecting citizens at a time when our personal data is acting as a goose that lays golden eggs. The trend is, moreover, worldwide. By the summer of 2020, more than 60 jurisdictions had already ratified or were working on regulations governing the use of data.
At the company level, an adequate policy regarding the use of personal data starts with an overview of the data collected and its processing. Ryax offers a unified framework for data use. Thanks to our SaaS, data processing is harmonized within the company, which makes it much easier to comply with regulations.
La Ryax Team.