While the California Consumer Protection Act (CCPA) bears a resemblance to the General Data Protection Regulation (GDPR), there are several notable differences, and companies should not assume that GDPR compliance means CCPA compliance. Among the differences between the CCPA and the GDPR are the following:
- Definition of personal information. Under the CCPA, the definition of personal information (or PII) includes information that relates to the consumer or his or her household, whereas under the GDPR, it is limited to information relating to the consumer only. Data that identifies a household is a lot broader than data that identifies an individual. Further, unlike the GDPR definition, the CCPA personal information definition includes inferences drawn from data.
- Deletion. The CCPA provides the consumer the right to make a deletion request for any reason, whereas the GDPR enumerates six grounds that give the data subject the right to request deletion (i.e., data no longer necessary, consent withdrawn, objection made, unlawful processing, compliance with EU law, data collected in relation to the offer of services to a child).
- Access and data portability. Under the CCPA, once the consumer’s request has been verified, the business must disclose and deliver free of charge the required information within 45 days of receiving the verifiable request. The information is to be delivered in a readily useable format so that the consumer may readily transfer his or her information to another business. Under the GDPR, the right of portability is not absolute. It applies only if the lawful basis for processing the information is consent or contractual necessity.
We have undertaken a detailed analysis of how the CCPA may affect businesses. Dominique Shelton will be speaking at a workshop on the additional requirements under the CCPA, as compared to the GDPR, at the International Association of Privacy Professionals conference, “Privacy. Security. Risk. 2018,” in Austin, Texas on October 17, 2018.