The European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) are two of the most far-reaching and well-known data privacy laws. They have inspired other legal frameworks for protecting user data and privacy, and while compliance with one goes some way to compliance with the other privacy framework, they differ in technical implementation, scope, and enforcement.
For internal IT teams and managed service providers (MSPs), achieving and maintaining compliance with these legal frameworks can present a significant hurdle. Comparing CCPA vs GDPR can assist with understanding them (as well as other international laws that protect users’ rights over their data), and implementing the required processes and technologies to meet their requirements.
What are GDPR and CCPA, and why do they matter?
GDPR (taking effect in 2018) and CCPA (enacted in 2020) both give users certain rights over their private data, and stipulate how the organizations, including the tech teams that manage their IT infrastructure, must protect this data and provide the mechanisms for users to enact these rights.
These rights broadly include the ability for users to request that their data be corrected, deleted, and prevented from being transferred to other parties without their consent. Failing to do this can result in significant legal penalties under both laws, making compliance critical for any business that operates in the EU or California, two of the biggest markets for digital services.
What is the difference between GDPR and CCPA compliance?
GDPR and CCPA are two distinct legal frameworks that apply to different jurisdictions and have different requirements. Though they have similar goals, they have different compliance requirements, scope, definitions, and grant different rights.
It is vital that any organization planning their legal compliance (including CCPA and GDPR) refer directly to the official legal resources for those laws (see here for GDPR, and here for CCPA) and consult with legal experts in their industry. Relying on third-party interpretations may lead to accidental non-compliance.
CCPA vs GDPR: scope and applicability
The table below summarizes the scope and applicability of CCPA and GDPR. Note that it is good practice for organizations that do not meet the thresholds to be covered by privacy laws to comply with them anyway – this way, they are able to work as partners with businesses that do require compliance, and are already compliant when the time comes to scale up.
Aspect | CCPA (California) | GDPR (European Union) |
---|---|---|
Who needs to comply? | Organizations that handle the personal information of California residents | Organizations that handle the personal information of residents of any country in the European Union (EU) |
What kind of businesses must be compliant? | For-profit businesses that meet the thresholds | All organizations that process personal data |
Thresholds | Over $25 million USD in revenue, or handling the personal data for over 100,000 residents in a year | Applies by activity rather than thresholds |
Who enforces the law? | California Privacy Protection Agency (CPPA) | National Data Protection Authorities (DPAs) |
Note that CCPA and GDPR apply regardless of where your business is located: what matters is where the user the data concerns resides, not where your business operates.
What is the personal data I need to protect under CCPA and GDPR?
Legal frameworks define “personal data” differently. Because this determines what counts as personal data, it also determines how you must process, store, and protect that data, depending on where your users are located.
Criteria | CCPA | GDPR |
---|---|---|
Personal Information | Information that identifies a specific consumer or household | Any data that can identify any individual |
Special/sensitive data (requiring additional protection) | Expanded via CPRA to include data such as education, location, and employment | Special categories include health, political, biometric, and religious data |
Identifying personally identifiable information (PII) within the data you store requires data discovery tools that work with both structured and unstructured data, so that when a user requests the redaction or correction of information, all instances of it can be found and updated.
Consumer/subject rights under CCPA/GDPR
CCPA protects the rights of the ‘consumer’, meaning California residents who provided data to covered businesses. GDPR protects the rights of ‘data subjects’, meaning any resident of an EU country regardless of their citizenship.
Consumers and subjects have different rights under their respective frameworks. Notably, CCPA works on an opt-out model for most processing and data sharing (except for consumers under 16 years of age), whereas GDPR always makes the organization seek the user’s explicit consent for specific activities.
Consumer/Subject Right | CCPA | GDPR |
---|---|---|
Access to view their personal data | Yes | Yes |
Ability to correct their data | Yes (added via CPRA) | Yes |
Ability to delete their data (right to be forgotten) | Limited | Broad with specific exceptions, for example, for health data, or information in the public interest |
Data portability (moving data to another controller) | Yes | Yes |
Opt-out of data sale/sharing | Opt-out | Not required as consent is required to opt in |
Consent before processing | Generally implied | Must be explicit and specific |
CCPA vs GDPR: Legal basis for processing
Under CCPA, no legal basis is required for processing personal data (though there are restrictions), but the business must disclose how it will be used and provide the consumer the opportunity to opt out. GDPR only allows processing based on one of six defined bases.
This has implications for how sensitive data is handled, especially for subjects covered by GDPR, as the legal basis or recorded consent for each user and their data must be tracked and stored.
Enforcement and penalties
CCPA has a maximum fine of $2,500 USD for each unintentional violation, or $7,500 USD per intentional violation. Fines under GDPR range from up to €10 million or 2% of annual turnover, to up to €20 million or 4% of annual turnover, depending on the severity of the violation. This makes it a necessity for businesses affected by either CCPA or GDPR to document all data protection policies and log all activities so that they can demonstrate their compliance.
Technical requirements and controls
Protecting sensitive data relies on several key technical controls that both CCPA and GDPR require, including:
- Data access controls: Role-based permissions, multi-factor authentication (MFA), principle of least privilege (PoLP)
- Encryption: Required for protected data in transit and at rest
- Audit logging: Required for data access and processing activities
- Data subject request (DSR)/subject access request (SAR) response tracking: 45 days (CCPA), 30 days (GDPR)
- Data Minimization: Required under GDPR, recommended for CCPA
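The two response windows in the list above are the kind of deadline a DSR tracker has to enforce. The following Python example is added here and is not NinjaOne's or the page's own code: it models a request with its framework-specific deadline, keeps an audit trail of each state change, and produces an escalation report of overdue requests. The names (DataSubjectRequest, build_sample) are this example's own, and the sample requests are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Statutory response windows listed on the page: 45 days (CCPA), 30 days (GDPR).
RESPONSE_WINDOW_DAYS = {"CCPA": 45, "GDPR": 30}

@dataclass
class DataSubjectRequest:
    """One DSR/SAR plus an append-only audit trail of every state change."""
    request_id: str
    framework: str                 # "CCPA" or "GDPR": selects the deadline
    kind: str                      # e.g. "access", "correct", "delete", "portability"
    received: date
    completed: Optional[date] = None
    audit_log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.framework not in RESPONSE_WINDOW_DAYS:
            raise ValueError(f"unknown framework {self.framework!r}")
        self.log("received", self.received)

    def log(self, event: str, when: date) -> None:
        # Audit logging is itself a listed control, so record each transition.
        self.audit_log.append(f"{when.isoformat()} {self.request_id} {event}")

    def due_date(self) -> date:
        return self.received + timedelta(days=RESPONSE_WINDOW_DAYS[self.framework])

    def complete(self, when: date) -> None:
        self.completed = when
        self.log("completed", when)

    def status(self, today: date) -> str:
        # Finishing after the deadline is still a breach, so flag it separately.
        if self.completed is not None:
            return "completed" if self.completed <= self.due_date() else "completed_late"
        return "overdue" if today > self.due_date() else "open"

def overdue_requests(requests: List[DataSubjectRequest], today: date) -> List[str]:
    """IDs of open requests past their deadline, for an escalation report."""
    return [r.request_id for r in requests if r.status(today) == "overdue"]

def build_sample():
    # Constructed sample data, not real requests: same receipt date, two regimes.
    today = date(2024, 3, 15)
    reqs = [DataSubjectRequest("DSR-1", "GDPR", "delete", date(2024, 2, 1)),
            DataSubjectRequest("DSR-2", "CCPA", "delete", date(2024, 2, 1))]
    return reqs, today
```

Two requests received on the same day end up with different deadlines, so the GDPR one is already overdue on the sample date while the CCPA one is still open.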
There are a number of tools that can be used to build your IT infrastructure to assist with compliance: Azure AD and Okta can be used for identity and access management to protect data, Microsoft Purview and Symantec DLP can be deployed for data loss prevention, OneTrust and TrustArc are popular consent management solutions, while DataGrail and Microsoft Compliance Center can be used for DSR automation.
GDPR and CCPA: An ongoing challenge for IT administrators and MSPs
Your responsibility for your users’ protected data doesn’t end when it leaves your control: you remain liable for it if you share it with organizations that do not responsibly handle data. This requires data processing agreements (DPAs) that specify exactly how user data is to be used. Your users must also be made aware of any information sharing with third parties in accordance with these DPAs. You must also maintain an up-to-date list of all parties you share data with.
Privacy laws are also evolving: existing laws are updated, and new frameworks are implemented in countries or states that previously did not legally protect user data. This means you must continually assess your users and the laws that apply to them, and whether there are any new compliance requirements for storing or processing their data.
Tool choice is key to achieving full compliance: not only must users be able to have their data readily revised or deleted, every copy of that data must then be updated to reflect the change, including copies held in backups. Shadow IT also presents a challenge, as it is difficult to protect data when staff upload it to third-party services without your oversight.
NinjaOne provides an extensive platform for managing IT, including backup for protecting data, monitoring tools for identifying data misuse and potential security breaches, and integration with endpoint security solutions. NinjaOne unifies the oversight of your entire IT infrastructure and operations in a single interface, and provides automation tools to help maintain compliance.
Chat with a member of the NinjaOne team today to find out how we can help you reach full data privacy compliance.