GDPR VS CCPA: HOW THE DIFFERENCE IMPACTS YOUR DATA PRIVACY OPERATIONS

WireWheel

Posted 22-May-2020

The California Consumer Privacy Act (CCPA) isn’t simply a U.S. version of the European Union’s General Data Protection Regulation (GDPR). If you’ve already prepared for GDPR, you won’t have to start over to prepare for CCPA, but that doesn’t mean you have all the bases covered.

CCPA has additional requirements and is more prescriptive than GDPR. In particular, differences in the scope of application, in the nature and extent of collection limitations, and in the rules concerning accountability present different operational challenges for compliance.

Not updating and tailoring data privacy operations built for GDPR to meet CCPA might mean you miss differences in the requirements.


KEY DIFFERENCES PRIVACY, SECURITY AND IT TEAMS NEED TO KNOW

SCOPE

GDPR

Protects individuals in the EU.

Applies outside of the EU when a company sells products or services to individuals inside the EU or when individuals are targeted or monitored.

Applies both to data “controllers” and data “processors,” irrespective of size and whether the activity is for-profit or not. Several obligations apply to “processors,” entities that process personal data on behalf of “controllers.”

Covers “processing” of personal data, defined to include any operation performed on personal data, including collection.

CCPA

Protects consumers who are residents of CA, including households and individuals.

Applies to companies that do business in CA and:

• have annual gross revenue in excess of $25 million

• alone or in combination, annually buy, receive for commercial purposes, sell or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices

• derive 50% or more of their annual revenues from selling consumers’ PI

Covers collection and processing, as well as sale, of PI.

PERSONAL DATA/INFORMATION

GDPR

Focuses on personal data, defined as any information relating to an identified or identifiable natural person (data subject), including publicly available data.

Also applies to pseudonymized data, i.e. information that could be attributed to a person by use of additional information.

CCPA

Addresses information that relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household.

RIGHT TO ERASURE/DELETION

GDPR

Deletion right applies to all data concerning a data subject.

Individuals have the right to erasure of their personal data. Controllers/processors must delete a data subject’s personal data if:

1. Data are no longer necessary in relation to the purposes for which they were collected

2. Processing of the data was subject to consent and no other legal ground for processing exists

3. Data subject objects to the processing and there is no other legal ground for processing

4. Data have been unlawfully processed

5. Data must be erased for compliance with a legal obligation

6. Data may have been collected from a child

Controllers don’t need to erase personal data if it’s necessary:

1. For exercising the right of freedom of expression and information

2. For compliance with an EU or Member State legal obligation

3. For reasons of public health and medicine

4. For archiving, scientific or historical research, or statistical purposes, subject to minimization (e.g., pseudonymization)

CCPA

Deletion right applies only to data collected from the consumer (i.e. not to data about the consumer collected from third parties).

Consumers have the right to deletion of their PI, except when it is necessary to:

1. Complete the transaction for which the PI was provided or perform a contract with the consumer

2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible

3. Debug to identify and repair errors that impair existing intended functionality

4. Exercise free speech (of the business or another consumer) or other rights

5. Comply with the California Electronic Communications Privacy Act

6. Engage in public or peer-reviewed research in the public interest

7. Enable internal uses reasonably aligned with the expectations of the consumer based on their relationship with the business

8. Comply with a legal obligation

9. Use the consumer’s PI, internally, in a lawful manner that is compatible with the context in which the consumer provided the information

RIGHT TO ACCESS/DISCLOSURE

GDPR

Requires that businesses inform consumers of their rights at the point of collection.

Data subjects have the right to request access to their personal data.

If the controller has made the personal data public, it must take reasonable steps to inform others that are processing the data that the data subject has requested erasure, and must inform the data subject about those steps upon request.

Controllers and processors must know how to identify a request for access. They must provide the personal data undergoing processing. If it has been requested electronically, the data must be provided electronically.

Data subjects’ requests must be complied with within one month of receipt; the period can be extended by two months if the controller notifies the data subject.

CCPA

Requires that businesses inform consumers, at or before the point of collection, of the categories of PI to be collected and the purposes for which the PI will be used.

Consumers have the right to request information about what personal information is collected, how it is processed, for what purposes, and with whom it is shared.

Businesses must disclose within 45 days of receipt of a verifiable request. Businesses may exercise one 45-day extension when reasonably necessary if they notify the consumer within the first 45-day period.

Disclosure covers data from the 12 months before the request.

PORTABILITY REQUIREMENT

GDPR

Where the request was made by electronic means, and unless otherwise requested by the data subject, the information should be provided in a commonly used electronic form.

In certain circumstances, a data subject has additional rights to:

• receive a copy of their personal data in a structured, commonly used, machine-readable format

• transmit the data to another controller without hindrance from the original controller, including to have the personal data transmitted directly from the first controller to the second controller

CCPA

The CCPA does not enumerate an explicit right to data portability in those terms, but if a consumer makes a request, they have the right to receive their information delivered by mail or electronically. If delivered electronically, the information must be portable and in a readily useable format.

RESTRICTION OF PROCESSING/RIGHT TO OPT-OUT

GDPR

Data subjects may request that a controller restrict any type of processing of personal data if:

1. The accuracy of the personal data is contested

2. The processing is unlawful, but the data subject prefers restriction to erasure

3. The controller no longer needs the personal data for processing, but the data are required by the data subject to establish or exercise a legal claim or defense

4. The data subject has objected to processing, pending verification of whether the controller can process on other legal grounds

CCPA

Consumers have the right to opt out of the sale of their PI, not of the collection or other uses.

Businesses must provide notice of opt-out rights. They must provide a link titled “Do Not Sell My Personal Information” on the home page, along with a description of opt-out rights, in a privacy policy and in any CA-specific description of privacy rights.

HIGH RISK ASSESSMENT/DATA PROTECTION IMPACT ASSESSMENT

GDPR

Requires DPIAs for any processing likely to pose a high risk to data subjects’ rights.

CCPA

No DPIA required.

Includes a duty to implement and maintain reasonable security procedures and practices appropriate to the information.

PREPARE FOR GDPR, CCPA, AND WHATEVER COMES NEXT

Think of data privacy operations as a continuous program, not a one-and-done activity. As CCPA’s implementation date approaches, expect that the California Attorney General will continue to clarify language and refine requirements. Other states may pass privacy laws already in the works, and you’ll need to adjust your systems accordingly. When you have full visibility over your data inventory, classification system, and data supply chain, you can adapt as you need.

Build a flexible privacy program on a solid foundation with WireWheel.

Schedule a live demo and see how it works.