How do the GDPR and the CCPA compare?
The GDPR, or General Data Protection Regulation, came into effect in May 2018.
The CCPA, or California Consumer Privacy Act, is in effect as of January 2020.
Though both regulations put the privacy of the individual at the forefront, GDPR is centred around many user rights (access, rectification, deletion), whereas CCPA focuses more on limiting the use of a user’s data (preventing re-selling).
The tables below outline the similarities and differences between the two:
Roles
Each regulation has its own names assigned to the groups of people or businesses that touch the data.
| Role | GDPR | CCPA |
| --- | --- | --- |
| User | Data Subject in the EU | Individual or Household in California |
| Primary Company | Controller | |
| Third Party Company | Processor | |
| Company Contact | DPO - Data Privacy Officer | DPO - not mandated |
| Regulator | Local Data Protection Authority | California State Legislature |
*Under CCPA an eligible organization has one or more of:
- Revenue exceeded $25M USD
- Handles data from more than 50K devices
- Makes more than 50% of their revenue off of re-selling of personal data
Rights
An individual, or user, has rights with respect to how their data is collected, used, and processed by the companies.
Requests to exercise these rights must be acted on free of charge to the user, and typically within a limited period of time (30 days for GDPR and 45 for CCPA).
| Rights | GDPR | CCPA |
| --- | --- | --- |
| Right to be Informed | User has the right to know what data is collected, how it is being processed, and by whom. There is a list of about 20 pieces of information that must be communicated, typically in a Privacy Policy. | Sections 1798.100, 1798.130 and 178.135. Subset of the information in GDPR, including the purpose of the collection and the categories of the personal data. |
| Right of Access Article 15 | Users have the right to receive a copy of their personal data that has been collected and processed. | Sections 1798.100, 1798.110 and 178.130, 178.145. Similar to GDPR but involves only the data from the last 12 months. |
| Right to Rectification | User has the right to change any personal data that an organization holds, should it be incorrect. | This right is not found in CCPA. |
| Right to Erasure | User has the right to have their data deleted entirely from a system. | Sections 1798.105, 1798.130 and 178.145. Similar to GDPR. |
| Right to Restriction of Processing | User has the right to have their data retained by the organization but cease all processing (like a deactivation of their account). | This right is not found in CCPA. |
| Right to Portability | User has the right to receive their data in a form that is “structured, commonly used and machine-readable”. | Sections 1798.100, 1798.110 and 178.130, 178.145. Similar to GDPR. |
Although there are clear differences between the two regulations, the main similarity is the ability for a user or individual to access their data. Since this is a new request of companies, there are multiple processes that must be put into place to support verifying the user, accessing their data, and packaging it in a way that is usable to the individual. Enzuzo is here to simplify these tasks by providing a seamless way to integrate with existing data, satisfying both the GDPR and the CCPA's rights for data access.