• Skip to primary navigation
  • Skip to main content
  • LinkedIn
  • RSS
  • Twitter
Montreal AI Ethics Institute

Montreal AI Ethics Institute

Democratizing AI ethics literacy.

  • Content
    • The State of AI Ethics
    • The AI Ethics Brief
    • The Living Dictionary
    • Research Summaries
    • Columns
      • Social Context in LLM Research: the BigScience Approach
      • Recess
      • Like Talking to a Person
      • Sociology of AI Ethics
      • The New Heartbeat of Healthcare
      • Office Hours
      • Permission to Be Uncertain
      • AI Application Spotlight
      • Ethical AI Startups
    • Publications
  • Community
    • Events
    • Learning Community
    • Code of Conduct
  • Team
  • Donate
  • About
    • Our Open Access Policy
    • Our Contributions Policy
    • Press
  • Contact
  • 🇫🇷
Subscribe

Research summary: Comparing Privacy Law GDPR Vs CCPA

August 17, 2020 by MAIEI

Summary contributed by Sundar Narayanan, Director at Nexdigm and ethics & compliance professional.

*Authors of full paper & link at the bottom


Mini-summary: The paper is a summary of key similarities and distinctions between GDPR and CCPA. The paper analyses these similarities and distinctions in areas including scope, definitions, legal, rights and enforcement areas. 

The scope is fairly inconsistent, definitions are fairly consistent, legal grounds are inconsistent, rights are fairly consistent in some cases and enforcement is inconsistent. These analyses are based on the regulations themselves.


Full summary:

The paper details out the key differences between the two regulations. The similarities and differences are classified in the following areas:

  1. Scope
  2. Definitions
  3. Legal Basis
  4. Rights
  5. Enforcement

Scope: The section covers personal scope, territorial scope and material scope. 

AspectDegree of similarityRemarks
Personal scopeFairly inconsistentBoth apply to natural persons. CCPA applies to only residents and only for profit entities unlike GDPR which applies to even non profit entities
Territorial scopeFairly inconsistentCCPA stresses on doing business in california, while GDPR is applicable for companies outside EU also to the extent they have access to data of data subjects from EU
Material scopeFairly consistentDefinitions of personal data and processing have similarities. CCPA has exclusions for medical info, info regarding clinical trials etc, unlike GDPR which does not have such differences

Definitions: The section covers the key definitions including personal data, pseudonymisation, controllers, processors etc

AspectDegree of similarityRemarks
Personal dataFairly consistentBoth have consistent definitions of personal info and do not apply to anonymised/ de identified data. CCPA does not apply to publicly available information, unlike GDPR. Similarly, GDPR prohibits processing of special categories of personal data, unlike CCPA, which does not have such definitions
PseudonymisationFairly consistentBoth have consistent definitions of Pseudonymisation. CCPA defines that reidentification is not required if information to link the same as personal information not maintained, unlike GDPR
Controllers & processorsFairly consistentBoth have consistent definitions including data processor/ service provider, binding / written contracts,right to deletion and misuse of personal info. GDPR imposes obligations of privacy impact assessment, appointing DPO and notification of breaches, which are not there clearly in CCPA 

Legal: This section deals with legal grounds for processing

AspectDegree of similarityRemarks
Legal groundsInconsistentGDPR limits data controllers from processing data when there is a legal ground (consent, contractual obligation etc) for it, unlike CCPA, which requires consent when there is a financial incentive out of the personal info 

Rights: This section covers right to erasure, right to be informed right to object and right of access

AspectDegree of similarityRemarks
Right to erasureFairly consistentBoth have the scope that extends beyond data collectors to third parties to whom data is sold or passed on, expresses that the right is free of cost and mandates mechanisms for compliance. However both regulations have differences in lead time to respond to such requests. 
Right to be informedFairly consistentBoth mandate that data controllers cannot process data for purposes for which it is collected. 
Right to objectFairly inconsistentRight to opt out in CCPA is an absolute right and cannot be withdrawn. Further in CCPA the right is limited to selling or disclosing of the data and not for processing unlike GDPR.
Right of accessFairly inconsistentBoth express that the businesses must have in place mechanisms to enable such requests. CCPA has limitation of time of data collected (12 months), unlike GDPR
Right not to be discriminatedInconsistentCCPA provides that consumers must not be discriminated against for exercising their rights including being denied goods or services, charged differential prices or providing different quality of service. Such provision does not exist in GDPR
Right to data portabilityFairly consistentBoth reflect that the data shall be portable in readily usable format free of charge

Enforcement: This section covers monetary penalties and civil remedies for individuals

AspectDegree of similarityRemarks
Monetary penaltyInconsistentThe penalties are varied with CCPA defining it at a violation level, while GDPR expresses it as a proportion of overall turnover.
Civil remediesInconsistentCCPA allows the remedy only when non-encrypted or nonredacted personal information is subject to an unauthorized access, unlike GDPR which can get triggered for any violation. 

Original paper by:

  • DataGuidance: Alice Marini, Alexis Kateifides, Joel Bates
  • Future of Privacy Forum: Gabriela Zanfir-Fortuna, Michelle Bae, Stacey Gray, Gargi Sen
  • Link to paper: https://arxiv.org/ftp/arxiv/papers/2006/2006.16179.pdf

Category iconResearch Summaries

Want quick summaries of the latest research & reporting in AI ethics delivered to your inbox? Subscribe to the AI Ethics Brief. We write every week.
  • LinkedIn
  • RSS
  • Twitter
  • © MONTREAL AI ETHICS INSTITUTE. All rights reserved 2021.
  • This work is licensed under a Creative Commons Attribution 4.0 International License.
  • Creative Commons LicenseLearn more about our open access policy here.