GDPR vs CCPA - How different are they?

After decades of free lawless internet, the tech world has entered an era of legal reformation. Twenty years ago, this wasn't even a topic, but today we have arrived at this point, discussing data privacy laws such as GDPR and CCPA.

GDPR, the General Data Protection Regulation, went into action in 2018, redefining the entire perspective of data privacy and the manner of handling it. In January 2020, the California Consumer Privacy Act (CCPA) came into effect, causing businesses to get concerned.

Both laws deal with data protection, but they impose different requirements on different companies.

Let's take a look at the scope each law covers. First, we will understand that the GDPR protects all EU/EEA residents from having their data collected and used without their concern, whether online or offline, wherever their geographical location.

Whereas the CCPA protects Californian based businesses and residents, including any profitable entity that collects consumers' data and meets one of the following:

a- earns at least 25 million USD in gross annual revenue or

b- buys, sells, or receives personal information for at least 50,000 California consumers or

c- originates more than 50% of its yearly income from selling personal data.

Now that we have introduced the two leading players in data privacy, let us discuss what we know about their main differences. So far, we can assign five significant differences between the two laws:

1- Personal Data  

2- Data Processing

3- Data Security

4- User Right

5- International Data Transfer

The five major differences between GDPR and CCPA:

1- Personal Data:

The GDPR laws affect any business and its websites.

Any entity from e-commerce, webpages, NGOs and even websites of public institutions that deal with personal data from the EU must comply with the GDPR.

While the GDPR protects any identifiable person through direct or indirect data regardless of their residence or citizenship status, the CCPA law protects only residents of California, meaning identifiable persons who legally reside in California.

2- Data Processing:

The GDPR has six lawful based data processing listed as follows:

• explicit consent

• legal obligation

• Contractual obligation

• legitimate interest of the organization

• a public interest

• vital interest

While the CCPA had no legal basis, businesses can process data non-misleading and unfair.

3- Data Security:

The GDPR requires organizations to implement appropriate security measures according to the risk involved.

The CCPA has no specific security requirements but imposes a right of action against businesses for inappropriate security measures.

4- User Right:

While comparing user rights, we notice that the GDPR states seven rights, while the CCPA states four clear rights. The GDPR gives its users the right to access, delete, and correct personal data. It also provides the right to object and restrict personal data processing, the right to object automated data processing, including profiling, and the right to port data.

The CCPA gives its users the right to know about and access personal data, delete personal information, opt out of the sale of personal data, and the right to non-discrimination for exercising the CCPA rights.

 

5- International Data Transfer:

When it comes to international data transfer, the GDPR requires non-EU countries to provide adequate protection and organizations to comply with standard contractual clauses SCC or similar agreements. At the same time, the CCPA has absolutely no restrictions.