CCPA vs GDPR

When you work to improve users' data security at your organization, you will likely hear about the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). The CCPA and the GDPR aim to provide people more security and control over their data when they give it to an organization. Many businesses and organizations have adopted these information privacy laws and set a new standard for online privacy. 

Find out more about what GDPR and CCPA are, their main impact on users and businesses, and their similarities and differences.

What is the GDPR?

The GDPR is the European Union's (EU's) privacy law that defines how organizations should handle their subjects' personal data. This law went into effect on May 25, 2018, and it applies to any organization that collects or targets data from people in the EU. 

The EU created the GDPR in response to the increase in people giving their personal data to organizations and the need for greater online privacy regulations. Since bad actors want to use sensitive personal data to damaging ends, the GDPR aims to prevent data breaches and increase transparency. It also institutes various regulations about data handling procedures, user consent, and documentation. With all of its rules, the GDPR helps to create and protect the rights of data subjects online. A "data subject" is any living person who has personal data that an organization collects or holds. Personal data includes things like home address, credit card numbers, and name. 

When organizations violate the security and privacy standards the GDPR sets, they can be hit with harsh fines. These fines can reach up to 4% of an organization's global revenue or 20 million euros — whichever is higher. Data subjects can also seek compensation for damages under the GDPR, meaning an organization's financial losses could be even higher than the initial fines. 

European Data Protection Board adoption of GDPR

The European Data Protection Board (EDPB) adopted the GDPR's guidelines on valid consent on May 4, 2020. The EDPB's adoption of these guidelines is especially important due to its role as the GDPR's highest supervisory authority. It is also impactful because any guidelines it sets make up the basis of enforcement for every EU member state's national data protection authorities.

Organizations must now have consent from their data subjects before receiving information from them. Valid consent is defined as a user freely giving an unambiguous, informed, and specific indication of their wishes.

One of the biggest effects of the EDPB's adoption of valid consent is on cookies. The guidelines make it clear that cookie banners are not permitted to feature pre-ticked checkboxes. The EDPB also ruled that a user continuing to browse or scroll on a website doesn't count as valid consent and that cookie walls are non-compliant with the GDPR. 

How GDPR impacts users and organizations

The GDPR establishes standards to better protect users' personal data privacy and changes how organizations utilize sensitive information from EU citizens or residents. This impact takes shape in a variety of areas. Below are some of the ways GDPR impacts users and organizations:

1. Establishes meaning of consent

The GDPR clearly defines consent, giving users more control over how their personal data is used. Organizations now have to receive explicit permission from data subjects before they use their information. For example, organizations must have a user's consent before gathering their personal information or sending them marketing emails.

2. Creates an online Bill of Rights

EU citizens and residents now have an online Bill of Rights that clearly defines their rights regarding user protection. Since the GDPR holds organizations responsible for facilitating these rights, they must be aware of the online Bill of Rights and ensure they do not violate it.

3. Ensures policies make sense

Before the GDPR went into effect, organizations usually had very confusing and vague privacy notices and policies that users could not decipher. With the GDPR implemented, organizations must have easy-to-understand and specific policies and explanations for what they plan to do with a person's information. As a result, it's much easier for data subjects to understand what a company wants to do with their personal information and withhold or give their consent.

4. Enforces accountability

The GDPR holds organizations accountable if they don't follow the law and protect their users' personal data. Since companies can face harsh fines, in the millions of euros, the GDPR increases accountability by penalizing organizations that fail to comply. This greater accountability helps protect users and allows them to sue companies for mishandling their data.

5. Encourages end-to-end encryption

Since the GDPR encourages encryption, organizations are more likely to implement end-to-end encryption technologies to better secure any personal data they collect. With encryption, only the data owner has access to the data, reducing the danger of data breaches, as hackers will not be able to read the data. Encryption technology also protects users by improving their data's security whenever they give it to an organization. 

What is the CCPA?

The CCPA establishes various regulations for how qualifying businesses collect personal information and provides consumers greater control over their personal information. This law applies to how certain businesses handle California residents' personal information. The CCPA is groundbreaking, as it's the most extensive set of consumer privacy laws ever passed by a state in the U.S.

Major elements of the CCPA include various rights California residents now have over their personal information. These unwaivable rights include:

  • Right to know: California residents have the right to know what personal data a business is collecting from them and how this personal information is used, shared, or sold
  • Right to nondiscrimination: The CCPA guarantees California residents the right to nondiscrimination for exercising their CCPA rights and ensures those exercising their rights won't receive lower levels of service or be penalized by higher prices
  • Right to opt out: California residents have the right to opt out of their personal information being sold
  • Right to delete: After a California resident has given their data to an organization, the right to delete gives them the ability to delete the personal data collected from them

What is and is not considered personal information under the CCPA?

Under the CCPA, personal information is defined as details that could reasonably link with, relate to, or identify a California resident's household or the resident. Common pieces of data that fall under personal information include a California resident's:

  • Name
  • Email address
  • Internet browsing history
  • Fingerprints
  • Social security number
  • Records of products purchased
  • Geolocation data

Personal information also includes data that someone could use to create a profile about a California resident's characteristics and preferences. The CCPA additionally defines what doesn't qualify as personal data, including publicly available personal data. Examples include information that can be found in local government, state, and federal records, such as public property and real estate records and professional licenses.

How the CCPA impacts users and businesses

While the CCPA is the United States' most extensive set of data privacy laws, it has a smaller scope than the GDPR. The CCPA only applies to businesses that meet a few different criteria, including:

  • A business with a gross annual revenue higher than $25 million
  • A business that sells, receives, or buys personal information from 50,000 or more California devices, households, or residents
  • A business receiving 50% or more of its annual revenue from the sale of personal data of California residents

If any of the above criteria applies to a business, it falls under the CCPA's regulations. If applicable businesses don't follow these regulations, they can face CCPA fines that are assessed per violation. Under threat of the fines' financial impact, these businesses must change their practices to give consumers more information and control over their personal information. Businesses often have to make major changes to their data collection and handling practices to comply with the CCPA.

While CCPA only applies to certain businesses, it impacts all California residents. Essentially, the CCPA gives consumers power to choose how a business uses their data. Businesses have to follow a customer's directions about various data privacy requests, such as deleting information or opting out of information being sold. These rights empower all California residents when it comes to their personal data online.

Another major impact of the CCPA for California residents is the ability to sue companies that allow hackers to steal personal information. Since California residents can sue, they can receive compensation if a company mishandles their personal data and hold the company accountable. This also incentivizes companies to upgrade their data security. 

Direct comparison of GDPR vs. CCPA

Whereas the CCPA is focused on increasing transparency regarding consumers' rights and the overall Californian data economy, the GDPR aims to establish a legal framework regarding privacy by default for the EU. This difference in focus makes the GDPR and CCPA very different in various areas. 

While both are information privacy laws, their requirements can be different, making it essential for organizations to know the differences. Find out more about how these two laws compare:

1. What information the laws apply to

The CCPA applies to personal information from a particular household or consumer that could be used to describe, relate to, identify, or reasonably link to them. In comparison, the GDPR applies to personal data related to an identifiable or identified data subject. Both laws pertain to similar types of data; however, the CCPA goes one step further by covering data from a consumer's devices and household.

2. Who is regulated

The CCPA and GDPR apply to different entities, with the GDPR being more wide-reaching than the CCPA. The GDPR regulates any data controller or data processor in or outside the EU that processes personal data coming from activities of those inside the EU. The GDPR defines data controllers and processors as any entity that processes or controls data, meaning the law applies to many kinds of organizations, businesses, and websites.

The CCPA only applies to for-profit entities that meet specific revenue and data collection criteria. Since the GDPR regulates entities that process or collect data, it's far broader than the CCPA. As a result, the CCPA and GDPR are very different in terms of who they regulate.

3. Who the laws apply to

Like the difference in regulation, the CCPA and the GDPR have major differences in who they cover, with the GDPR again more encompassing. The CCPA protects consumers defined as Californians domiciled in California who are only temporarily out of the state or those in California for a non-transitory or non-temporary purpose. Examples of consumers include employees and customers of household services and goods.

The GDPR goes a step further than California, with protections for data subjects in the EU. This law defines data subjects as identifiable or identified persons that personal data relates to. These data subjects do not have to be EU residents or citizens, as they can also include people traveling in the EU. As long as someone is in the EU, they are considered a data subject and receive the benefits of this privacy law.

4. Legal basis and opt-out requirements

One major difference between the CCPA and GDPR is that the GDPR requires businesses and websites to have legal grounds for data processing before processing EU citizens' personal data. This legal basis revolves around a user's consent. 

In contrast, the CCPA does not require legal grounds for data processing. Instead, the CCPA allows businesses to process California residents' data without their prior consent. The law also allows websites to sell data to third parties without a user's consent. While they don't need a legal basis, businesses must stop using this data if a user exercises their right to opt out.

Since the GDPR requires a user's consent before processing personal data, it does not have any opt-out requirements like the CCPA. Instead of waiting for the data subject to say no, organizations under the GDPR have to receive a clear yes prior to processing the subject's personal data. As a result, the GDPR and CCPA are quite different in this area, with the CCPA relying on consumers to take action if they don't want their personal data processed.

5. Security requirements

Data processors and controllers that fall under the GDPR must have measures in place to protect their data subjects. These security requirements mandate that organizations take adequate organizational and technical measures to keep personal data safe, with the appropriate measures based on risk.

Unlike the GDPR, the CCPA has no direct requirements for organizations to implement security measures over personal information. While the CCPA does not directly require security measures, it does have penalties that can result from a business violating its duty to create and maintain security procedures and practices. Since the CCPA can still inflict penalties for not protecting consumer data, it's relatively similar to the GDPR in this area.

6. Right to deletion and the right to be forgotten

Both the CCPA and the GDPR have similar data deletion rights, albeit with different names. Under the CCPA, consumers have the right to deletion. This means businesses must delete any personal information they have collected from a consumer when the consumer requests it be deleted — with a few exceptions. Besides deleting the data it has collected, a business must also tell its service provider to delete the personal information.

Under the GDPR, data subjects have the right to be forgotten. This means data subjects can request an organization to erase their personal data. If this request falls under eligible circumstances, the data controller or data processor must erase the data. These data controllers and processors must also pass the request along to other controllers that have been processing the data.

7. Data portability

The GDPR and CCPA also have similar data portability rights. The CCPA states that businesses must give personal information to a consumer after they receive a request for disclosure. This data must be in an immediately usable format to ensure the consumer can transmit information to another entity without any difficulty. 

The GDPR lays out a couple of data portability rights for data subjects. Under the GDPR, data subjects have the right to receive a copy of their personal data. Similar to the CCPA, the data controller or data processor must provide this personal data in a machine-readable, structured, and commonly used format. The GDPR also gives data subjects the right to transmit their personal data to a different data controller.

8. Right to access and right to disclosure

The CCPA gives consumers the right to request their personal information be disclosed. This right also gives consumers the ability to receive more details about the personal information the business is gathering from them and the company's use purposes for the personal information. Under the CCPA, consumers can receive information about what third parties the business shares their personal information with.

The GDPR grants data subjects the right to access their personal data. This right also gives data subjects the ability to receive qualifying information about a data controller's processing and receive a copy of their personal data. Both the right to access and the right to disclosure are fairly similar. However, the CCPA only allows consumers to receive a written disclosure of their information, while the GDPR provides data subjects broader access, with more options than a written disclosure.

Learn how Box follows GDPR and CCPA standards

If you fall under CCPA or GDPR standards, you'll need to comply with them for the future success of your organization. At Box, we make it easy for you to follow the CCPA and GDPR standards with our governance and compliance solutions. The Box Content Cloud is a platform dedicated to better protecting and managing any personal data you collect, ensuring you have the appropriate security over your data.

When you use Box, you can more easily comply with CCPA and GDPR. For example, Box Governance gives you control over your content deletion, allowing you to quickly delete data if your data subject requests it or a consumer opts out. Box KeySafe also gives you the tools you need to encrypt information, helping you set up greater security measures in line with GDPR and CCPA expectations. With Box Zones, you can better meet data residency obligations across various geographies.

Learn more about our CCPA and GDPR solutions today. If you're ready to get started using Box or have any questions, please request a free trial or contact us for more information.

While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blogpost is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.