CCPA vs GDPR Compliance Comparison

The GDPR is a European Union (EU) law that went into effect in April of 2016. The Regulation is designed to improve personal data protection and increase organizational accountability for data breaches to protect European Union residents. GDPR includes fines of up to 4% of global revenues or 20 million EUR (whichever is higher), and no matter where your organization is located, if it processes or controls the personal data of EU residents, your organization is subject to the regulation.

Notable data security requirements of GDPR
Some of the key provisions of the GDPR require organizations to:

• Process personal data in a manner that ensures its security, “including protection against unauthorized or unlawful processing” (Article 5)
• Implement technical and organizational measures to ensure data security appropriate to the level of risk, including “pseudonymisation and encryption of personal data.” (Article 32)
• Communicate “without undue delay” personal data breaches to the subjects of such breaches "when the breach is likely to result in a high risk to the rights and freedoms" of these individuals. (Article 34)
• Safeguard against the “unauthorized disclosure of, or access to, personal data.” (Article 32)

More about GDPR:

• What is GDPR? – Entrust webpage with complete list of GDPR chapters and articles
• GDPR.EU – Official European Union site with complete guide to compliance
• GDPR Overview – Entrust webpage with a general overview of GDPR

Article 6 (Lawfulness of processing) identifies “encryption or pseudonymisation” as “appropriate safeguards” for protecting subjects’ personal data.

Article 32 (Security of processing) states that “the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data …”

Article 34 (Communication of a personal data breach to the data subject) allows organisations suffering a data breach to avoid the communication requirement if they used encryption to “render the personal data unintelligible to any person unauthorised to access it.”

The California Consumer Privacy Act (CCPA) went into effect at the beginning of 2020. It was designed to give California residents more control over what personal data is collected and how that data is used.

Businesses found in violation of CCPA stand to incur a $7,500 fine for each intentional violation. Non-intentional violations are less onerous, but still costly, at $2,500 each. However, civil litigation can potentially have a negative impact on non-compliant organizations. For each consumer affected by CCPA non-compliance, organizations stand to face up to $750 in civil damages per consumer.

More about CCPA:

• CCPA Civil Code – Official code on California state legislation information site
• CCPA Overview – Entrust webpage with a general overview of CCPA

Section 1798.150 of CCPA states: “Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action …”

Additionally, the protection of encryption keys is addressed in legislation related to CCPA. Notably, Assembly Bill 1130, which was introduced to update the California breach notification statute, requires notifying people whose data has been breached unless that data is encrypted, and the encryption keys have not been obtained with the data.

How are GDPR and CCPA similar?
Both GDPR and CCPA are intended to protect the privacy and data rights of those living in their respective geographies. Both extend their reach to organizations doing business with their residents, regardless of whether those organizations reside in their geographies.

Both CCPA and GDPR grant to individuals certain rights regarding their personal data and require transparency from the organizations that hold and process that data.

Both CCPA and GDPR:

• Require businesses to disclose what personal information the businesses have compiled about those individuals.
• Require organizations to divulge what they do with the personal data.
• Require organizations holding personal data to delete that data upon request of the person the data pertains to.
• Require organizations to put in place cybersecurity measures to protect the personal data of individuals.
• Levy fines for non-compliance.

How are GDPR and CCPA different?

• GDPR requires companies to have legal basis before processing data about residents. CCPA does not.
• GDPR applies to all businesses that meet the legal basis requirement mentioned above. CCPA applies only to businesses with an annual gross revenue of more than $25 million.
• Under CCPA, an individual can keep companies from selling their private data, and organizations cannot discriminate against these individuals.
• GDPR imposes additional conditions for companies processing health-related information, because GDPR is more specific by including terms, such as “genetic data” and “biometric data.” CCPA uses a general umbrella term.
• In general, GDPR fines seem likely to be higher than CCPA fines. However, CCPA opens the door for civil litigation, which could prove just as costly to an offending organization.