In our last post we covered topics like what the California Consumer Privacy Act (CCPA) is, who it applies to, and how to achieve compliance. We’ve received a lot of questions about how CCPA compares with GDPR. Although similar in spirit, there are significant differences between the two, and compliance with one does not equate to compliance with the other. Let’s dig deeper.
Does GDPR compliance cover CCPA compliance?
No. Even though the CCPA has been dubbed “California’s Mini-GDPR,” it is not interchangeable with the EU’s data protection regulation. There are distinct differences between the two pieces of legislation, one of which is the definition of personal information.
As outlined below, the California Consumer Privacy Act's definition of personal information encompasses a wide range of interactions in the digital space, placing companies under significant compliance obligations. Organizations that are already down the path to GDPR compliance will find CCPA compliance easier, but it will still require effort.
How does the CCPA definition of personal information differ from GDPR?
The CCPA’s take on what constitutes “personal information,” as seen below, is even broader than GDPR’s definition:
“Personal information” is anything that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
As a result, the following (among other things) would be considered personal information:
- Identifiers such as name, address, email, IP address, Social Security number, etc.
- Commercial information such as property owned, purchase histories, etc.
- Biometric information
- Network activity; geolocation data; audio, visual, electronic, or other information
- Professional, employment, education information
- Inferences drawn from any personal information
- Information designated as personal by other statutes
What are the penalties for noncompliance with CCPA versus GDPR?
Noncompliance with GDPR entails fines of up to €20 million, or 4% of the previous financial year's global annual turnover, whichever is greater.
Under the CCPA, a company that intentionally violates the law is subject to a civil penalty of up to $7,500 per violation. Otherwise, the maximum penalty, as stated in Section 17206 of the Business and Professions Code, is $2,500 per violation. Because each violation is penalized separately, a company that mishandles the data of 100 Californians faces a penalty of up to $250,000 at the $2,500 rate, or up to $750,000 if the violations were intentional.
The CCPA also entitles consumers to statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater, if a breach of their personal information results from a company's failure to implement and maintain reasonable security measures.
Fortunately, the CCPA also provides a 30-day cure period: after receiving notice of alleged noncompliance, a company has 30 days to address it, and enforcement action can proceed only if the violation is not cured within that window.
While the penalties may look like a drop in the bucket for larger companies, they quickly stack up when violations are tallied per consumer. There is also the reputational harm that comes with noncompliance, whose cost is hard to quantify but very real. So while compliance carries a cost, it is definitely less than the cost of noncompliance.