Already Using Enzuzo?

Login
Create Free Account
avel-chuklanov-DUmFLtMeAbQ-unsplash

Our Blog

How do the GDPR and the CCPA compare?

The GDPR, or General Data Protection Regulation, came into effect in May 2018. 

The CCPA, or California Consumer Privacy Act, is in effect as of January 2020. 

Though both regulations put the privacy of the individual at the forefront, GDPR is centred around many user rights (access, rectification, deletion), whereas CCPA focuses more on limiting the use of an user’s data (preventing re-selling).

The tables below outline the similarities and differences between the two:

Roles

Each regulation has its own names assigned to the groups of people or businesses that touch the data.

Role

GDPR

CCPA

User Data Subject in the EU Individual or Household in California
Primary Company Controller  
Third Party Company Processor  
Company Contact DPO - Data Privacy Officer DPO - not mandated
Regulator Local Data Protection Authority California State Legislature

*Under CCPA an eligible organization has one or more of:

  • Revenue exceeded $25M USD
  • Handles data from more than 50K devices
  • Makes more than 50% of their revenue off of re-selling of personal data

Rights

An individual, or user, has rights with respect to how their data is collected, used, and processed by the companies. 

The user rights must be acted on free of charge to the user and typically within a limited set of time (30 days for GDPR and 45 for CCPA).

Rights

GDPR

CCPA

Right to be Informed

Articles 13 & 14

User has the right to know what data is collected, how it is being processed, and by whom. There is a list of about 20 pieces of information that must be communicated, typically in a Privacy Policy.

Sections 1798.100, 1798.130 and 178.135

Subset of information in GDPR. Including purpose of the collection and the categories of the personal data.

Right of Access Article 15

Article 15

Users have the right to receive a copy of their personal data that has been collected and processed.

Sections 1798.100, 1798.110 and 178.130, 178.145

Similar to GDPR but involves only the data from the last 12 months.

Right to Rectification

Article 16

User has the right to change any personal data that an organization had should it be incorrect.

This right is not found in CCPA.
Right to Erasure

Article 17

User has the right to have their data deleted entirely from a system.

Sections 1798.105. 1798.130 and 178.145

Similar to GDPR.

Right to Restriction of Processing

Article 18

User has the right to have their data retained by the organization but cease all processing (like a deactivation of their account).

This right is not found in CCPA.
Right to Portability

Article 20

User has the right to receive their data in a form that is “structured, commonly used and machine-readable”. 

Sections 1798.100, 1798.110 and 178.130, 178.145

Similar to GDPR. 

 

Although there are clear differences between the two regulations, the main similarity is the ability for an user or individual to be able to access their data. Since this is a new request of companies, there are multiple processes that must be put in to place to support verifying the user, accessing their data, and packaging it in a way that is usable to the individual. Enzuzo is here to simplify these tasks by providing a seamless way to integrate with existing data, satisfying both the GDPR and the CCPA's rights for data access. 

Written by Cat Coode