CCPA v. GDPR
The game of data collection has changed for the better — for consumers. New regulations with effects around the globe require better transparency, higher security, and strengthen consent. Whether you’re in the business of marketing, technology, or e-retail, these new data protection laws could apply to your business.
The California Consumer Privacy Act (CCPA), and its counterpart the California Privacy Rights Act (CPRA), creates rights and requires transparency for Californians. (FYI: It applies to businesses outside of California). The CCPA is currently the strictest data security law in the U.S. in effect, soon to be followed by the CPRA, which enhances many of the elements within the CCPA.
The General Data Protection Regulation (GDPR) is an EU law that protects the processing of data of individuals within the EU. (Again: It applies to businesses outside of the EU).
Many features of the CCPA and GDPR go hand-in-hand — both are meant to protect the privacy, power, and data security of certain individuals, and both have global effects . . . but there are areas where the two laws diverge in scope and enforcement.
If you’re concerned about whether your business is required to comply with the laws of either, the attorneys at Rockridge® can work with you to see if (or when) the GDPR or CCPA will apply to your business and draft a plan to ensure you’re in compliance (and avoid significant fines).
To learn more, check out our article: Key Elements of an Effective Data Privacy Compliance Program.
Scope of Protection
The GDPR protects any individual located inside the EU, whereas the CCPA protects California residents.
Although similar, the scope of protection for the two laws is not quite the same. The GDPR protection extends to anyone that enters the EU’s borders — whether they live there or not. That protection goes away when the individual exits the EU’s borders — whether they live there or not. The CCPA, on the other hand, offers protection to its citizens and residents — whether or not they are currently within the state.
The scope of businesses that must comply with the regulations also slightly diverge. Under the GDPR, any website, company or organization that processes personal data on individuals inside the EU must comply. Under the CCPA, only companies or for-profit organizations that meet the law’s definition of business are required to comply. Either law may apply to a business, despite the business’s physical location or state of incorporation.
Consumers are entitled to similar rights under the GDPR and CCPA. These include the right to be forgotten, the right to access, the right to portability, and strengthen consent.
While there are minor differences in how the GDPR and CCPA define the right to be forgotten, the right essentially allows for consumers to request that companies delete the consumer’s information. This not only includes information the consumer provided, but any other information collected by the business, i.e., analytics, notes, etc.
The right to access entitles individuals to request that a company share with the consumer all of the information that has been stored about them. The consumer typically does not have to pay for this information transaction.
Closely following the right to access is the right to port any of that information to another business, if the consumer so requests. The idea behind this element is to allow for the free movement of consumers from company-to-company. The information that is ported must be shared in a common, machine-readable format.
Lastly, and here is where the GDPR and CCPA truly differ, is the idea of strengthen consent. The GDPR centers on the concept of “privacy by design.” The CCPA, conversely, is focused on creating transparency for its citizens. While business obligated to follow the CCPA must provide California residents with a method to opt out of data collection, the GDPR requires that individuals within the EU must first opt-in before a company may collect any data.
When it comes to the enforcement of the GDPR and the CCPA, the two data privacy laws are similar in type, but again different in their scope.
Fines for non-compliance of the GDPR can range as high as 4% of a company’s total global net profits or 20 million euros, whichever is highest. The amount of the fine will depend on the nature, gravity and duration of the infringement.
The CCPA, on the other hand, is less reaching. Non-compliance can lead to a maximum of $2,500 per violation, with international violations of up to $7,500.
The GDPR is a broader privacy law, with a larger scope of protection than the CCPA. The concept of privacy is tossed upside-down, where the consumer is first handed a key to lock up their data before a company ever takes a look. The CCPA, in comparison, is a smaller, more specific law meant to protect Californians and their decisional rights over their data. It is also the law that most U.S. states are aiming to imitate. The two laws are different on a fundamental level and creates two very different legal frameworks for privacy and data autonomy in Europe and California.
About Lauren Hughes
Lauren Hughes is the privacy and branding lead at Rockridge Venture Law®. Equally adept at creative campaigns as well as technology transactions, Lauren leads clients through copyright, privacy, regulatory, and trademark considerations in optimizing successful e-commerce portfolios. She is a leading voice among women practicing in technology and tech law. Her primary practice areas include copyright and trademark law, data privacy, sports and entertainment law, and technology transactions. Lauren also leads the Knoxville Technology Council’s Women in Tech Committee, and is a Director of the Tennessee Women’s Theater Project. Read more about Lauren, connect with her, and Calendly her.
RVL® Articles by Lauren
Rockridge Venture Law®, or RVL®, was launched in 2017 to become the preeminent intellectual property and technology firm across the Appalachian Innovation Corridor. We have offices in Chattanooga, Durham, and Nashville, and represent clients and interests globally. Our services include all aspects of intellectual property, litigation, M&A, privacy, technology transactions, and ventures.
In 2018 and 2019, we were recognized as B Corp Best for the World for our commitment to triple bottom line business practices. RVL® is also certified by 1% for the Planet for its nonprofit partnerships advancing stewardship and sustainability. RVL’s nonprofit partners in 2020 include Green|Spaces, Living Lands and Waters, Mustard Seed Ranch, and the NC State Lulu Games Social and Environmental Impact Competition.
Our pioneering environmental and social impact programs attract top-notch legal talent and assure our clients of missional Rockridge Venture Law alignment with their corporate values. Rockridge uniquely addresses two modern profit drivers: innovation (uptake and development), and corporate social responsibility. We’re Building Today’s Company for Tomorrow’s Economy® by leading clients through the dizzying array of information controls, by helping them to develop and monetize proprietary assets, and by enabling their impactful products, programs, and principles.
Learn about global impact and innovation leaders at Rockridge I-Suite®.
See case studies on how we’ve helped transformative companies at Rockridge Portfolio.