When the General Data Protection Regulation (GDPR) took effect back in 2018, the digital world was thrust into a new era of data privacy regulation. The new law set unprecedented standards for transparency, user control, and accountability. Shortly after its institution, a similar law emerged in California — the California Consumer Privacy Act (CCPA).
Based largely off the GDPR, the CCPA brought Europe’s push for better transparency, user control, and accountability into US borders. However, the California law is notably less extensive and less stringent than its EU predecessor, earning the nickname, “GDPR Lite.”
So what makes these laws so similar, and yet so different?
Arguably the biggest commonality shared by the privacy law giants, transparency is the key to GDPR and CCPA compliance.
Both laws require more transparent privacy policies, including detailed descriptions of data-handling practices, and added sections on what rights EU and California consumers now have, and how they can act upon those rights.
The GDPR and the CCPA truly diverge in what new rights and controls they grant users — specifically when it comes to consent.
For example, the GDPR mandates businesses only collect and process data on at least one of six legal bases outlined in the legislation. One of those bases — the one which many businesses rely on — is user consent. Under the GDPR, users have the right to consent to or opt in to the collection of their data before it’s actually collected.
Conversely, the CCPA allows businesses to collect data from consumers without first acquiring consent. Instead, the law grants California consumers the right to opt out of the sale of their personal information.
Both laws are making strides in their attempts to hold businesses around the world more accountable for their data-collecting-and-sharing practices.
Under the GDPR, millions of dollars in fines have already been levied against tech giants like Facebook and Google, along with a handful of smaller companies.
As for the CCPA, consumers now have the right to bring action (through the California Attorney General) against a company that violates CCPA guidelines. However, companies have a grace period in which they can comply, meaning no CCPA violations will be logged until after July 1, 2020. So, how accountable the California legislation and its enforcers will actually hold companies is yet to be seen.
Key Similarities & Differences Between the CCPA and GDPR
There are plenty of similarities and differences in how each data privacy law fleshes out their own concepts of transparency, user control, and accountability. To learn more about how the CCPA and GDPR compare, check out Termly’s infographic below: