Data is one of today’s most important commodities. Along with its increasing prominence in digital business comes an increasing need to regulate its collection, processing, and sale. Leading the new age of data privacy legislation are two important laws: the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
While the GDPR is based in Europe, the law applies to any business that collects data from residents of the European Economic Area (EEA) — regardless of where the business itself is located. Similarly, the CCPA is based in California, but applies to any business that collects information about California residents.
These privacy laws are packed with similarities, including new user data rights, strict transparency requirements, and hefty penalties for noncompliance. However, there are also differences woven throughout each of the laws.
Let’s look at some key examples of how the laws are both similar and different.
One of the most notable similarities between the two laws is their emphasis on transparency.
The GDPR’s guidelines state that information regarding data processing should be made available to users “…in a concise, transparent, intelligible and easily accessible form, using clear and plain language…” (Article 12).
Taking a similar approach, the CCPA outlines consumer rights, prominently including the right to access. The right to access means that consumers (that is, California residents) have the right to information regarding how their data is collected and handled.
Furthermore, the text of the CCPA makes statements similar to the GDPR, clarifying that data-handling information must be written in clear and plain English.
Through the transparency requirements in both laws, we can understand a common theme in the world’s changing data privacy standards. Legislation is shifting toward user awareness, and laws like the CCPA and the GDPR are determined to give internet users greater access to information about how their data is treated.
Similarity: New User Rights
Both the GDPR and the CCPA establish new rights for users. Both laws grant users the right to modify the data that a company has collected about them.
For example, European and Californian users protected by either of these laws can request copies of their data from a business, request to edit that information, or even request that data be deleted altogether.
Allowing consumers this level of control over their data is a big leap forward for user rights.
Difference: Consent Requirements
While there’s overlap in the rights each law grants users, there are also major differences. The biggest of these differences is in the way each law addresses user consent to data collection.
The GDPR outlines six legal bases on which data can be collected. Among these is the basis of user consent. Lawful examples of GDPR consent include opt-in forms, pop-ups, banners, and boxes that are unchecked and not bundled with other actions or promotions.
In other words, the GDPR is strict when it comes to user consent. To collect data on this basis, companies need to be incredibly diligent in obtaining affirmative and authentic consent.
Under the CCPA, on the other hand, consumers don’t need to consent to data collection, save for one group — minors under the age of 16. While the CCPA does require active consent to data collection from children (or from their parent or guardian if the child is under 13 years old), there are no consent requirements for adults.
Comparing the GDPR and CCPA
These examples are just a few of the similarities and differences between these two privacy laws. To learn more, check out Termly’s CCPA vs GDPR infographic below:
CCPA vs GDPR (Source: termly.io)