While the California Consumer Protection Act (CCPA) bears a resemblance to the General Data Protection Regulation (GDPR), there are several notable differences, and companies should not assume that GDPR compliance amounts to CCPA compliance. Among the differences between the CCPA and the GDPR are the following:

  • Definition of personal information. Under the CCPA, the definition of personal information (or PII) includes information that relates to the consumer or his or her household, whereas under the GDPR, it is limited to information relating to the consumer only. Data that identifies a household is a lot broader than data that identifies an individual. Further, unlike the GDPR definition, the CCPA personal information definition includes inferences drawn from data.
  • Disclosures. Under the CCPA, businesses are required to disclose and deliver the sources of information, the categories of information and the specific pieces of consumer information that are collected, sold or disclosed for a business purpose, as well as provide special notice to a particular consumer (above and beyond the privacy policy). The GDPR requires disclosure of, among other things, the identity and contact information of the controller entity, the purpose and legal basis of processing, legitimate interests (if applicable), recipients of the personal data, and whether the controller intends to transfer data to a third country.
  • Deletion. The CCPA provides the consumer the right to make a deletion request for any reason, whereas the GDPR enumerates six grounds that give the data subject the right to request deletion (i.e., data no longer necessary, consent withdrawn, objection made, unlawful processing, compliance with EU law, data collected in relation to the offer of services to a child).
  • Access and data portability. Under the CCPA, once the consumer’s request has been verified, the business must disclose and deliver free of charge the required information within 45 days of receiving the verifiable request. The information is to be delivered in a readily useable format so that the consumer may readily transfer his or her information to another business. Under the GDPR, the right of portability is not absolute. It applies only if the lawful basis for processing the information is consent or contractual necessity.

We have undertaken a detailed analysis of how the CCPA may affect businesses. Dominique Shelton will be speaking at a workshop on the additional requirements under the CCPA, as compared to the GDPR, at the International Association of Privacy Professionals conference, “Privacy. Security. Risk. 2018,” in Austin, Texas on October 17, 2018.