CCPA vs GDPR
California passed and signed into law the California Consumer Privacy Act in June 2018, and it will go into effect on January 1, 2020. California is no stranger to privacy laws. The state has already introduced privacy laws such as the California Shine the Light Law, the California Invasion of Privacy Act, the California Online Privacy Protection Act, the California Anti-Phishing Act of 2005, Privacy Rights for California Minors in the Digital World, and the California Electronic Communications Privacy Act. However, the California Consumer Privacy Act is harsher than any of the previous laws enacted by the state, rivaling the EU's recent General Data Protection Regulation. The CCPA does not cover everything the GDPR requires, but it creates the strictest privacy law the United States has ever seen.
Personal information of individuals is at an all-time high risk. The misuse of personal data and privacy rights is now a primary concern worldwide. The California Consumer Privacy Act introduces consumer privacy regulations never before seen in America. The legislation aims to protect personal information by defining it broadly: Personal Information (PI) is “information that identifies, relates to, describes, and is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” as stated in the California Consumer Privacy Act. The legislation addresses organizations that use, compile, and distribute personal information. By doing so, the act aims to protect California consumers by enforcing the protection of personal information and requiring organizations to respect the privacy of citizens. Organizations that operate or do business in California must comply with the CCPA if they fall under any one of the following three categories:
1. Annual gross revenue is greater than $25 million;
2. They buy, receive, or sell the PI of 50,000 or more consumers, households, or devices; or
3. They derive 50 percent or more of annual revenue from selling California-based consumers’ PI.

If these regulations are not followed, the Attorney General can impose fines of up to $7,500 per intentional violation, and lawsuits can result in $100-750 per consumer per incident.
The California Consumer Privacy Act aims for consumers who are citizens of the state of California to retain ownership, power, and security over their personal information by establishing significant consumer rights such as:
• The right to know what personal information is being collected, sold, and disclosed about them, and where.
• The ability to deny the sale of their personal information.
• The right to equal service and price if they decide to exercise their privacy rights.
• The right to have their personal information deleted.
While the CCPA and the GDPR are similar, they have a fair number of differences in their regulations. The table below compares the two, showing both similarities and differences between the policies. Organizations that already comply with the GDPR will be forced to make further provisions to comply with the CCPA as well.
| Major Requirements | California Consumer Privacy Act | General Data Protection Regulation |
| --- | --- | --- |
| Encrypted/Redacted Personal Data | √ | √ |
| Privacy by Design | X | √ |
| Compliance by all businesses collecting/processing personal data | X | √ |
| Limit sale of Personal Data | √ | X |
| Reporting of Data Breaches | X | √ |
| Options for Minors | √ | √ |
| Policies for Cookies | X | √ |
| Equal service and price if exercising privacy rights | √ | X |
| Fines | √ | √ (Will be Higher) |
About the author:
Fazel Ahsan is a cybersecurity expert specializing in the Encryption space. He is currently working as an Encryption Consultant at Encryption Consulting LLC.