Altos Web Solutions, inc. – 5725 Bravo Ave, Reno, NV 89506 USA

EU GDPR vs CCPA and CPRA

Source: securiti.ai

The GDPR applies to any organization that processes the personal data of EU/UK citizens, regardless of where the organization is located. This means that even if your organization is based outside of the EU/UK, you will still need to comply with the GDPR if you process the personal data of EU/UK citizens.

Privacy compliance goes by different names and differs from one country to another.
In the United States, for example, California was the first state to adopt legislation fairly similar to the European GDPR (General Data Protection Regulation). Its name is the CCPA (California Consumer Privacy Act).

CCPA
See the infographic below

Comparison by topic (columns of the infographic: GDPR, CCPA, CPRA)

#1 Type of law

GDPR: GDPR is merely regulatory. Unlike CCPA, it does not have a direct impact on the outcome of civil litigation in its jurisdiction. The EU and the EEA Member States can incorporate the GDPR framework into their national laws and enforce it.

CCPA: The CCPA is a statutory law, which means that it can be enforced without further action from the state’s legislature. Any violation of the CCPA will immediately trigger a cause of action that can be used to file a civil lawsuit in California state court.

#2 Subjected entities

GDPR: The GDPR applies to all organizations that collect data on individuals within the European Union (EU) and European Economic Area (EEA), regardless of where those organizations are located. The GDPR is much broader in the sense that the number of organizations holding personal data on EU customers will most likely be greater than the number holding data on California customers.

CCPA: The CCPA applies to any for-profit organization collecting personal data about California residents for commercial purposes or selling goods or services to California residents. They should meet at least one of the following criteria:
  • At least $25 million in gross annual revenue
  • Buys, sells, or receives personal information (PI) about at least 50,000 California consumers, households or devices for commercial purposes, or
  • Derives more than 50% of its annual revenue from the sale of personal information

CPRA: It has similar criteria, except that it applies to the buying, selling, or sharing of the personal information of at least 100,000 consumers or households.

#3 Type of data covered

Both laws have a nearly similar definition of personal data. However, the information covered by CCPA is broader than GDPR.

GDPR: “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.” E.g. identification number, online identifier, email address, phone number, or sensitive types of data related to the physical, physiological, genetic, mental, economic, cultural, or social identity of the data subject. GDPR excludes the following sets of personal data:
  • data related to deceased persons,
  • data processed through non-automated means,
  • anonymous data, and
  • data processed for personal or household purposes.

CCPA: “Information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer, device or household.” E.g. name, email address, purchase records, browsing history, location, biometric data, and inferences from other personal information. CCPA excludes the following personal data sets from its scope:
  • medical information protected under CMIA or HIPAA,
  • information collected for clinical trials,
  • sale of information to or from consumer reporting agencies,
  • personal information under the Gramm-Leach-Bliley Act,
  • information covered by California’s Driver’s Privacy Protection Act, and
  • any publicly available information from federal, state, or local government records.

CPRA: CPRA expands on the PI covered by CCPA and covers additional types of personal information called Sensitive Personal Information (SPI), like GDPR. This includes race, sexual orientation, political views, etc.

#4 Disclosure to users

GDPR: The GDPR requires that organizations inform users how long they will retain their personal data, of the users’ right to withdraw consent at any time, and when they share the data with other organizations.

CCPA: Transparency is a common requirement between the two laws. Both laws require organizations to disclose how they handle the users’ personally identifiable information (PII). Both the CCPA and GDPR require businesses to inform users about what type of PII they collect, how and why, to whom they share (or sell) the data, what rights users have to control their data, and how they can contact you. However, there are minor but key differences in the information the GDPR and CCPA require you to give users. CCPA has a 12-month look-back period: businesses must inform users about the personal information collected and processed during the preceding 12 months.

CPRA: Third parties are also liable to inform users when they sell personal information to another third party.

#5 Rights of users

Under both laws, people get certain data rights that they can exercise.

GDPR:
  • Right to access personal data
  • Right to correct personal data in case of inaccuracy
  • Right to delete personal data
  • Right to restrict personal data processing
  • Right to port data to another controller
  • Right to object to personal data processing
  • Right to object to automated data processing for decision-making and profiling

Businesses have one month to respond to requests. They may extend it by another two months if the request is complex, but they should provide a legitimate reason for doing so.

CCPA:
  • Right to know about and access personal information
  • Right to delete personal information if collected from consumers
  • Right to opt out of the sale of personal information
  • Right to non-discrimination for exercising the CCPA rights

The CCPA allows businesses 45 days to respond to requests, and they can extend it by another 45 days with notification to consumers.

CPRA: In addition to expanding upon the existing rights granted under CCPA, CPRA introduces several new rights for consumers. These include the right to know about and opt out of automated decision-making, the right to correct personal information (PI), the right to limit the use of sensitive personal information (SPI), and the right to opt out of the sharing and selling of sensitive PI.

#6 Right to opt-out

GDPR: GDPR’s right to opt-out is similar to CCPA’s, but with a notable difference. Under GDPR, businesses must provide options for both opt-in and opt-out. This means that businesses that rely on the processing of data for their business model must ask users to explicitly consent to the collection and use of their information. Users have the right to opt out of data collection and use at any time, even if they previously opted in.

CCPA: CCPA allows businesses to collect personal information from users as long as the information is of an individual over the age of 16. However, you must provide users with an opt-out choice and give them a chance to object to the collection. If your business has a website, then you must add a “Do Not Sell My Personal Information” link on your website’s homepage and all other pages where personal information will be collected. This link should lead to a dedicated page or setting where users can exercise their right to opt out. Once users opt out, you cannot collect personal information for 12 months.

CPRA: Consumers have the right to opt out of the sharing of their personal information (including the PI of minors) for cross-context behavioral advertising. However, this right does not apply to non-targeted advertising. You must add a “Do Not Sell or Share My Personal Information” link on your website’s homepage and all other pages.

#7 Age of consent

GDPR: GDPR states that the minimum age of consent is 16 years old. Member States may lower the minimum age of consent to 13, but parental consent is necessary if the user is under 16.

CCPA: Businesses are not required to seek consent before collecting or selling consumer data unless the consumers are below 16 years of age. Children under 13 years of age require parental consent.

CPRA: This expands to the sharing of consumer data as well.

#8 Cookie control

GDPR: Unlike CCPA, GDPR requires websites to explicitly ask for consent from users before storing cookies on their devices. It also requires websites to provide clear settings that allow users to opt out of the cookies. Like CCPA, the GDPR also requires websites to disclose what kinds of cookies are being used and why, as well as to provide clear instructions on how visitors can control or delete them.

CCPA: CCPA is not as strict as GDPR in terms of requiring explicit consent from visitors to store cookies on their devices. Websites do not require explicit consent for storing cookies on visitors’ devices. It only requires websites to let visitors opt out of cookies that sell their personal information. They should also provide information about what kinds of cookies are used by the website, why, and how visitors can manage them.

CPRA: This expands to cookies that share the personal information of consumers with third parties.

#9 Security requirements

GDPR: Data security is one of the main requirements of the GDPR. Organizations are expected to implement necessary technical and organizational measures to ensure the security of personal data. The GDPR advises organizations to use techniques like encryption and pseudonymization to protect personal data.

CCPA: Although the CCPA does not focus on any specific security requirements, it allows consumers to take action against companies that do not maintain adequate security measures.

CPRA: CPRA builds upon the existing requirements by requiring businesses to implement additional measures to protect sensitive personal information. It also requires businesses to conduct regular risk assessments, perform cybersecurity audits, and maintain records of data processing activities.

#10 Fines and penalties for non-compliance

GDPR: There are two levels of GDPR fines depending on the severity of the violation:
  • For less severe violations, up to €10 million or 2% of annual global turnover, whichever is higher.
  • For severe, high-risk violations, up to €20 million or 4% of annual global turnover, whichever is higher.

Data protection authorities in the EU Member States impose GDPR fines.

CCPA: Up to $2,500 per violation and $7,500 per intentional violation. Consumers can claim statutory damages of up to $750 per violation (the minimum is $100). CCPA gives businesses a 30-day cure period for rectifying the violation. The fines are imposed by the California state court.

CPRA: CPRA removes the 30-day cure period that allowed businesses to correct any violations before facing penalties. In addition to that, the CPRA imposes a penalty of $7,500 for any violations related to the rights of minors under the age of 16.

#11 Enforcing authority

GDPR: The law is enforced by the EU Commission, the EDPB, and the data protection authorities of EU Member States. They can adopt the GDPR standards in their own state’s data protection laws.

CCPA: The California Attorney General enforces CCPA.

CPRA: CPRA establishes a new agency, the California Privacy Protection Agency (CPPA), which will investigate, enforce, and make decisions under CPRA.

In general, the two acts by themselves are immensely similar, but certain differences need to be taken into account when considering the effects of each. The regulations they put in place do have a breadth that reaches beyond the boundaries of their respective home countries. Companies that want to comply with both laws should understand the differences between them, or risk making decisions that could land them in legal trouble.

Source: cookieyes.com

Since CPRA will amend CCPA and will come into effect from January 1, 2023, we will also mention how CPRA differs from GDPR.

CPRA stands for California Privacy Rights Act

  • CPRA establishes the California Privacy Protection Agency (CPPA) as lead enforcer and supervisor of the CPRA/CCPA data privacy regime.
  • CPRA changes the definition of business to exclude smaller businesses and include bigger businesses that generate a large income from collection, sharing and/or selling of Californians’ personal information (PI).
  • CPRA empowers California residents with four brand-new rights and five modified rights.
  • CPRA creates the new category sensitive personal information (SPI) that is regulated separately and stronger than personal information (PI).
  • CPRA changes the opt-out right to specifically regulate cross-contextual behavioral advertising and its use of personal information.
  • CPRA makes a business responsible for how third parties use, share or sell personal information that the business collected in the first place.
  • CPRA adds GDPR-like provisions to the CCPA.
  • CPRA expands the requirement for consent to cover more scenarios.

Source: cookiebot.com

Last Updated on February 12, 2024
