The European Union’s (EU) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have many similarities. For starters, they both outline and enforce new regulations regarding the personal data of individual consumers. Both require organizations to provide individuals access to their own personal data, as well as the right to have it deleted. And both are regional laws with global implications.
The GDPR and CCPA also have several key differences. With the CCPA going into effect January 2020, it’s wise to study up on the parameters of the CCPA to ensure you don’t face fines in the future, even if you think your business may not be affected.
Read on for more information on the CCPA and how it’s different from GDPR.
Legal Disclaimer: We applied our best understanding of the California Consumer Privacy Act when building this article. However, we are not legal professionals. To minimize risks, we urge you to read the actual text of the CCPA and seek the advice of your corporate lawyer.
The CCPA vs. The GDPR
The most notable difference between the CCPA and GDPR is that the CCPA concern consumers in the state of California, while the GDPR concerns those in the EU.
Here are 9 more key differences between the GDPR and CCPA (via SalesHacker.com):
Covers any entity that processes the personal data
of protected consumers/residents
Applies only to businesses
Allows covered entities to establish equivalent mechanisms
Prescribes disclosures, communication channels, and other measures
More narrow definition of personal information
Broader definition of personal information
Outlines conditions for access and deletion requests
Different conditions for access and deletion requests
Looser restrictions for commercial sharing of
More rigid restrictions for commercial sharing of personal data
Includes the right to correct errors in processed personal data
Does not expressly include the right to correct errors in processed personal data
Include the right to stop automated decision making (i.e., the right to require a human to make decisions that have legal implications/effect)
Does not expressly include the right to stop automated decision making
Penalty limit set at 4% of global annual revenues
No limit on regulator penalties
No minimum or maximum for damages
Sets minimum and maximum damage amounts ($100 to $750 per consumer per incident) for private actions against violators
If you’re worried about preparing for the CCPA, Sales Hacker has you covered with a detailed webinar on five straight-forward steps to prepare your organization for the CCPA, featuring security experts from DataGrail and Outreach.
Learn tactical steps to prepare for the CCPA (and beyond)
Outreach & CCPA
Given that Outreach is already GDPR compliant, adjusting to the new regulations of the CCPA was the shift of a speed boat rather than The Titanic. For CCPA, there are a lot of similarities, so we could leverage the compliance pieces we already have in place.
The ways that we are GDPR and CCPA-compliant include:
- We require an active banner on our website so that customers can control the "sale" of their data, and we educate folks on what the sale of data really means
- Data is only “personal information” as long as it can be "reasonably linked" to an individual, and we already had to review our data for GDPR to understand what is required to reasonably link a person in our backend
- GDPR requires stricter data inclusions, so we are prepared to provide a more comprehensive personal data profile upon request than required under CCPA
- We require our data processors to not further process personal information except as required to fulfill the processing activities
- We will respond to data access or deletion requests well before the 90 day period allowed in the law is up
- We have a “cookie banner” on our site as a notice before or at the point of collection of data
- We do not discriminate against an individual that has exercised their rights under CCPA/GDPR
See how Outreach is GDPR-compliant