What Is the CCPA and How Is It Different From the GDPR?
Published December 2, 2024.
Nearly two years since its introduction, businesses are growing accustomed to the European Union’s General Data Protection Regulation (GDPR), a piece of legislation that puts power back in the hands of consumers when it comes to how their own data is used and who has it. Compliance with the GDPR may have seemed like a nuisance to begin with, but everyone has quickly seen that the penalties for failing to comply are too heavy to ignore, and GDPR-compliant businesses earn greater trust from consumers anyway.
It’s a little bit of extra work, but well worth it. The success of the GDPR and the recognition that the questions surrounding the use of data cannot go unanswered any longer have driven other jurisdictions towards relevant regulation as well – most notably California, the world’s third-largest economy and author of the California Consumer Privacy Act (CCPA).
But the CCPA isn’t a carbon copy of the GDPR. The world’s leader in the data industry has its own ideas of how to start addressing the topic of data use and privacy. As with the GDPR, however, businesses are going to find that the CCPA is not a regulation to ignore or take lightly. So, before it comes into effect on January 1, 2020, what are the differences between the two, and what do businesses need to know about the CCPA?
Who needs to be CCPA compliant?
Europe’s GDPR is generally considered to be broader and more ambitious in scope than the CCPA – a characteristic that can be seen in stipulations regarding which businesses must comply. The GDPR applies equally to all businesses, European or otherwise, that process the data of EU citizens. African, Australian, Asian and American businesses must all comply with the GDPR if they intend to process and profit from the data of Europeans.
The CCPA, on the other hand, applies strictly to California-based businesses, and only to businesses earning more than $25 million annually or those whose primary business is the sale of personal information. Even if none of these apply to you, the CCPA should still be followed closely, as it impacts and relates to future data regulation.
What CCPA means for the future
The CCPA’s impact on the future of data regulation could be significant, in fact. While it may not be as robust as the GDPR, the CCPA is seen by many as just the first step in regulated data protection, meant to introduce California and the U.S. as a whole to a workable framework to address the urgent issue of data usage and protection.
In the same way that the general outline of the GDPR has influenced the CCPA, the CCPA is expected to impact legislators throughout the U.S. and possibly even abroad as data protection becomes an ever-more immediate concern. The CCPA, which goes into effect on January 1, 2020, specifically addresses American concerns over cases like that of Facebook and Cambridge Analytica, while the GDPR, which came into force in 2018, took a broader stance in trying to foresee future issues that may arise as well.
The price of non-compliance
One of the biggest differences between the two pieces of legislation is how they allot penalties for non-compliance and violations. Under the GDPR, businesses may be fined as much as 4% of annual global turnover or 20 million euros (whichever is greater). Sanctions may also be applied to a company under the GDPR simply for being at risk of a breach or behaving irresponsibly.
The CCPA, on the other hand, mandates fines per violation, up to $7,500 for each. The total cost of penalties is limited only by the number of violations discovered and, while still subject to change before enforcement in 2020, there is currently no threat of sanctions for non-compliance. Notably, violations are only considered violations at the point of breach, which proponents of the GDPR model believe is too late.
Consumer rights
Finally, the CCPA and GDPR differ on some of the specifics regarding the rights granted to, and protected for, consumers. For example, while the GDPR requires that consumers opt in to allowing their data to be stored and/or sold, the CCPA instead requires that companies give consumers the ability to opt out.
There is one important similarity between the GDPR and CCPA that should be mentioned: both directly address encryption. Though both regulations keep most stipulations broad to allow for some flexibility and changing technologies, both feature articles with technical stipulations for responsible encryption of data, meant to reduce the likelihood of data being compromised even in the event of a breach.
Such specific requirements addressing technical aspects of security highlight the importance and urgency of adopting more rigorous security practices across the entire data industry. After all, regulations like the GDPR and CCPA are not only important to keeping your business out of trouble; they are also crucial to creating a healthy data ecosystem backed by good practices and security.