Comparing privacy laws: GDPR vs. CCPA
Reference: https://fpf.org/wp-content/uploads/2018/11/GDPR_CCPA_Comparison-Guide.pdf
General Data Protection Regulation (GDPR) Effective date: 25 May 2018
California Consumer Privacy Act (CCPA) Effective date: 1 January 2020
(Can be sooner in practice, because certain provisions require organizations to provide consumers with information regarding the preceding 12-month period.)
Both aim to guarantee strong protection for individuals regarding their personal data and apply to businesses that collect, use, or share consumer data, whether the information was obtained online or offline.
Both have additional protections for individuals under 16 years of age.
Difference:
- A fundamental principle of the GDPR is the requirement to have a “legal basis” for all processing of personal data. That is not the case for the CCPA.
- Scope of application.
- The nature and extent of collection limitations.
- Rules concerning accountability.
- CCPA excludes from its scope the processing of some categories of personal information altogether, such as medical data covered by other U.S. legal frameworks, including processing of personal information for clinical trials, and personal information processed by credit reporting agencies.
- The CCPA focuses on transparency obligations and on provisions that limit selling of personal information, requiring a “Do Not Sell My Personal Information” link to be included by businesses on their homepage.
- The CCPA includes specific provisions in relation to data transferred as a consequence of mergers and acquisitions, providing consumers with the right to opt out if the “third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection.”
Scope
Personal scope
Same:
- Protects natural persons (individuals) and does not cover legal persons.
- A controller is defined by the fact that it establishes the means and purposes of the processing.
Diff:
GDPR:
- Data subject is "an identified or identifiable natural person."
- Does not specifically require that the data subject hold EU residency or citizenship, or be located either within or outside the EU.
- GDPR does not cover the processing of personal data of deceased persons.
- Obligations apply to “controllers,” which can be natural or legal persons, irrespective of whether their activity is for profit or not, irrespective of their size and whether they are private law or public law entities, as long as they determine the means and purposes of processing activities.
- Several obligations also apply to “processors,” which are entities that process personal data on behalf of controllers.
CCPA:
- A "consumer" who has rights under the CCPA is "a natural person who is a California resident."
- Obligations apply to an organization (“business”) that:
  - is for-profit;
  - collects consumers’ personal information, or on the behalf of which such information is collected;
  - determines the purposes and means of the processing of consumers’ personal information;
  - does business in California;
  - meets any of the following thresholds:
    - has annual gross revenue in excess of $25 million;
    - alone or in combination, annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
    - derives 50% or more of its annual revenues from selling consumers’ personal information.
- The CCPA also applies to any entity that controls or is controlled by the business.
- There are no obligations directed specifically at "service providers", other than using the personal information solely at the direction of the business they serve.
- Businesses may also direct service providers to delete consumers’ personal information from their records.
Territorial scope
Same:
- GDPR applies to organizations that do not have any presence in the EU, but that offer goods or services to, or monitor the behavior of, persons in the EU.
- CCPA applies to a business established outside of California if it collects or sells California consumers’ personal information while conducting business in California and meets one of the other quantitative thresholds.
Diff:
GDPR:
tbd