Summary contributed by Sundar Narayanan, Director at Nexdigm and ethics & compliance professional.
*Authors of full paper & link at the bottom
Mini-summary: The paper is a summary of key similarities and distinctions between GDPR and CCPA. The paper analyses these similarities and distinctions in areas including scope, definitions, legal, rights and enforcement areas.
The scope is fairly inconsistent, definitions are fairly consistent, legal grounds are inconsistent, rights are fairly consistent in some cases and enforcement is inconsistent. These analyses are based on the regulations themselves.
Full summary:
The paper details out the key differences between the two regulations. The similarities and differences are classified in the following areas:
- Scope
- Definitions
- Legal Basis
- Rights
- Enforcement
Scope: The section covers personal scope, territorial scope and material scope.
| Aspect | Degree of similarity | Remarks |
| Personal scope | Fairly inconsistent | Both apply to natural persons. CCPA applies to only residents and only for profit entities unlike GDPR which applies to even non profit entities |
| Territorial scope | Fairly inconsistent | CCPA stresses on doing business in california, while GDPR is applicable for companies outside EU also to the extent they have access to data of data subjects from EU |
| Material scope | Fairly consistent | Definitions of personal data and processing have similarities. CCPA has exclusions for medical info, info regarding clinical trials etc, unlike GDPR which does not have such differences |
Definitions: The section covers the key definitions including personal data, pseudonymisation, controllers, processors etc
| Aspect | Degree of similarity | Remarks |
| Personal data | Fairly consistent | Both have consistent definitions of personal info and do not apply to anonymised/ de identified data. CCPA does not apply to publicly available information, unlike GDPR. Similarly, GDPR prohibits processing of special categories of personal data, unlike CCPA, which does not have such definitions |
| Pseudonymisation | Fairly consistent | Both have consistent definitions of Pseudonymisation. CCPA defines that reidentification is not required if information to link the same as personal information not maintained, unlike GDPR |
| Controllers & processors | Fairly consistent | Both have consistent definitions including data processor/ service provider, binding / written contracts,right to deletion and misuse of personal info. GDPR imposes obligations of privacy impact assessment, appointing DPO and notification of breaches, which are not there clearly in CCPA |
Legal: This section deals with legal grounds for processing
| Aspect | Degree of similarity | Remarks |
| Legal grounds | Inconsistent | GDPR limits data controllers from processing data when there is a legal ground (consent, contractual obligation etc) for it, unlike CCPA, which requires consent when there is a financial incentive out of the personal info |
Rights: This section covers right to erasure, right to be informed right to object and right of access
| Aspect | Degree of similarity | Remarks |
| Right to erasure | Fairly consistent | Both have the scope that extends beyond data collectors to third parties to whom data is sold or passed on, expresses that the right is free of cost and mandates mechanisms for compliance. However both regulations have differences in lead time to respond to such requests. |
| Right to be informed | Fairly consistent | Both mandate that data controllers cannot process data for purposes for which it is collected. |
| Right to object | Fairly inconsistent | Right to opt out in CCPA is an absolute right and cannot be withdrawn. Further in CCPA the right is limited to selling or disclosing of the data and not for processing unlike GDPR. |
| Right of access | Fairly inconsistent | Both express that the businesses must have in place mechanisms to enable such requests. CCPA has limitation of time of data collected (12 months), unlike GDPR |
| Right not to be discriminated | Inconsistent | CCPA provides that consumers must not be discriminated against for exercising their rights including being denied goods or services, charged differential prices or providing different quality of service. Such provision does not exist in GDPR |
| Right to data portability | Fairly consistent | Both reflect that the data shall be portable in readily usable format free of charge |
Enforcement: This section covers monetary penalties and civil remedies for individuals
| Aspect | Degree of similarity | Remarks |
| Monetary penalty | Inconsistent | The penalties are varied with CCPA defining it at a violation level, while GDPR expresses it as a proportion of overall turnover. |
| Civil remedies | Inconsistent | CCPA allows the remedy only when non-encrypted or nonredacted personal information is subject to an unauthorized access, unlike GDPR which can get triggered for any violation. |
Original paper by:
- DataGuidance: Alice Marini, Alexis Kateifides, Joel Bates
- Future of Privacy Forum: Gabriela Zanfir-Fortuna, Michelle Bae, Stacey Gray, Gargi Sen
- Link to paper: https://arxiv.org/ftp/arxiv/papers/2006/2006.16179.pdf