DEV Community

Cover image for GDPR vs. CCPA: Data privacy requirements explained
Fauna for Fauna, Inc.

Posted on • Originally published at fauna.com

GDPR vs. CCPA: Data privacy requirements explained

Over the years, several key regulations have been introduced to protect customer data and its usage by third parties. In 2018, the European Union introduced the General Data Protection Regulation (GDPR), which brought sweeping changes on how the personal data of EU residents can be stored and processed. Two years later, the California Consumer Privacy Act (CCPA) went into effect to provide similar rights and protections to residents of California.

Before these regulations came into effect, there were no data privacy laws to oversee how consumer data was stored or handled, making it prone to data breaches. Now, non-compliance with these guidelines can result in costly penalties for organizations. Depending on the nature of the breach, GDPR fines can go up to $20 million EUR or 4% of a company’s annual gross revenue, whichever is higher. For organizations that do not meet CCPA guidelines, an infraction can cost them up to $2,500 USD for unintentional violations and up to $7,500 USD for intentional violations.

GDPR and CCPA have put increased pressure on organizations to ensure that they have clear user data policies in place. For organizations that conduct business on a global scale, it is critical to collect, handle and store user data responsibly. Let’s take a detailed look at the similarities and differences between GDPR and CCPA, so that you can ensure that your organization is meeting its data privacy requirements.

What exactly is personal data under the GDPR and CCPA?

First, let’s define what is considered “personal data” under GDPR or “personal information” under CCPA. In both cases, this refers to any information that can directly or indirectly identify someone. This type of information is often referred to as “personally identifiable information” or PII. It includes key identifiers such as full name, home address, email address, and document numbers such as a passport number or social security numbers. Personally identifiable information can also refer to IT-related information such as IP addresses that can be used to identify an individual.

How are the GDPR and CCPA similar?

Both the GDPR and CCPA have a common focus on protecting user data. Let us first look at the consumer rights that these regulations extend to residents of their respective territories:

  • The right to know – Residents have the right to know what information an organization collects about them and how it is used, including usage by third parties.
  • The right to access – Residents can request a copy of the personal information that an organization has collected about them.
  • The right to opt-out – In certain situations, residents have the right to opt-out of having their data processed by individuals, organizations, or third parties.
  • The right to portability – Organizations must provide the requested information readily accessible, in formats such as XML or CSV.
  • The right to be forgotten – Residents have the right to request the deletion or erasure of all personal data an organization has collected or stored about them at any time. An organization that complies with the above requirements has already done much groundwork to adhere to both regulatory frameworks. So, if your organization has already gone through becoming either GDPR or CCPA compliant, you are probably close to achieving the other requirement as well.

How are the GDPR and CCPA different?

While the GDPR and the CCPA grant similar rights, they diverge in a few key areas:

Data subjects (GDPR) vs. consumers (CCPA)

One of the most significant differences between the GDPR and the CCPA is the extension of its protections outside a geographic region. Under the GDPR, the rights detailed above are available to all “data subjects,” which refers to any EU citizen or a resident in the EU giving out their data, irrespective of citizenship. Any entity that does business in the EU or interacts with EU residents must comply with GDPR, giving it true global reach.

On the other hand, the CCPA extends these protections only to “consumers,” who are defined as residents of California by state law. This means that users who interact with organizations operating in California but are not considered a resident of California are not protected by these regulations.

Data controllers (GDPR) vs. businesses (CCPA)

The second key difference between the GDPR and CCPA lies in how organizations interact with different forms of data. The GDPR focuses on two types of data interactions by organizations, designated as data controllers and data processors.

  • Data controller – An organization that decides how and why they are processing data from EU residents. It can be a person or a legal entity, who alone or when joined with others, determines the purposes of any personal data and the means of processing it.
  • Data processor – A person or a legal entity that handles the processing of personal data on behalf of data controllers.

Irrespective of location, data controllers or processors that collect or process personal data from EU residents or citizens are subject to data privacy requirements under the GDPR.

On the other hand, CCPA requirements only apply to what it defines as businesses:

  • For-profit businesses that operate in the State of California.
  • Collect personal information from California residents and satisfy any following conditions:
    • Generate $25 million or more in gross annual revenue.
    • Buys, sells, receives, or shares the personal information of more than 50,000 consumers.
    • Derives at least 50% of its annual revenue from selling consumers’ information.

These requirements extend to organizations that may be based outside the state of California but conduct business in the state. For example, a Canadian organization operating in California would be subjected to these same requirements as those headquartered in the state.

Opt-in (GDPR) vs. opt-out (CCPA)

Another critical difference between the GDPR and CCPA is how users give control over their data. The GDPR allows users to either permit their information to be collected or request a change in how their information is being used. Before beginning data collection or processing, the GDPR requires entities to gain user consent through an opt-in process. On the other hand, the CCPA only requires organizations to offer the option to opt-out. If a user wishes to express their objections to how their data is being used or sold, they may use this option.

Processing (GDPR) vs. collecting, processing, and selling (CCPA)

The next difference between GDPR and CCPA lies in how entities use personal data. Under the GDPR, a blanket term of data processing is used to define any action performed on a data subject’s information. This includes the entire data lifecycle, including collecting the information, storing it, manipulating it, sharing, and finally destroying it.

The CCPA provides further granularity through a narrower set of definitions:

  • Collecting - Gathering of personal information from users.
  • Processing - Using data after it has been collected — including storage, manipulation, sharing, and erasing.
  • Selling - The transference, disclosure, or other communication regarding the consumer’s personal information. A financial transaction does not need to occur for data to be considered sold.

Data sharing requirements

The last key difference between the GDPR and CCPA is how it requires organizations to disclose if and how data is used or shared among third parties. Under the GDPR, data subjects must be notified when information is collected from them and shared with a third party, regardless of affiliation or intention. Organizations that obtain data from other organizations must disclose to users within a month that they have acquired the user’s data and reveal the acquisition source. Data controllers and processors must also notify data subjects when data that belongs to the data subjects is physically sent outside of the EU. To meet these requirements, many organizations leverage features like Region Groups to maintain GDPR compliance and ensure that users’ privacy is respected.

For CCPA compliance, businesses must also inform consumers when their personal data has been collected, sold, or disclosed but have a 12-month window to notify those affected. Additionally, any third-party organization must also inform consumers to sell it to another entity if they have obtained user data.

Conclusion

Data privacy regulations have led organizations to reconsider how they store, process, and use customer data. The good news is that there is a lot of overlap between GDPR and CCPA, so you’re pretty close to achieving compliance for both if you’re already compliant with one.

To meet your data privacy requirements, you can choose Fauna — a flexible, developer-friendly, transactional database delivered as a secure and scalable cloud API. Fauna’s region groups enable you to define a specific region that you want your data to reside in. Sign-up today and ensure you’re meeting GDPR requirements with Fauna’s EU region group, all without worrying about managing any database infrastructure.

Top comments (1)

Collapse
 
jayjeckel profile image
Jay Jeckel

Under the GDPR, the rights detailed above are available to all “data subjects,” which refers to any EU citizen or a resident in the EU giving out their data, irrespective of citizenship. Any entity that [...] interacts with EU residents must comply with GDPR, giving it true global reach.

Irrespective of location, data controllers or processors that collect or process personal data from EU residents or citizens are subject to data privacy requirements under the GDPR.

While, yes, that is the language of the GDPR, the idea that the EU has jurisdiction to regulate businesses outside its physical borders is patently rediculous. The fact of the matter is that the GDPR only applies to businesses with a physical presense in the EU or nations that have agreed to GDPR regulation by way of legally enacted treaties.

I understand it is your business to convince people that they need your company to implement GDPR and similar compliance, but that is no excuse to keep propagating these obviously overreaching claims.

Bottom line: Nations and similar organizations can only make laws and regulations that apply within their jurisdictions. Saying that the GDPR applies to businesses outside the EU is as nonsensical as saying Canadian speed limits apply to cars in Germany if the car is carrying a Canadian citizen. That is silly because obviously Canadian speed limits only apply to cars driving in Canada, just as the GDPR only applies to companies in the EU.