CCPA GDPR Chart PDF
A Chart comparing some of the key requirements of the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR).

The EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) took effect on May 25, 2018 and replaced the EU Directive and its member state implementing laws. On June 28, 2018, California became the first U.S. state with a comprehensive consumer privacy law when it enacted the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020, with some exceptions (Cal. Civ. Code §§ 1798.100-1798.199). Given their comprehensiveness and broad reaches, each law may have significant impact on entities that collect and process personal data.

The CCPA grants California residents new rights regarding their personal information and imposes various data protection duties on certain entities conducting business in California. While it incorporates several GDPR concepts, such as the rights of access, portability, and data deletion, there are several areas where the CCPA requirements are more specific than those of the GDPR or where the GDPR goes beyond the CCPA requirements.

This Chart provides a high-level comparison of key requirements under the CCPA and the GDPR. It is not a comprehensive list of all measures required under the CCPA or the GDPR.

For an overview of the CCPA, see Practice Note, California Privacy and Data Security Law: Overview: General Data Protection and the California Consumer Privacy Act (6-597-4106) and Article, Expert Q&A: The California Consumer Privacy Act of 2018 (CCPA) (W-015-6908).

For an overview of the GDPR, see Practice Note, Overview of EU General Data Protection Regulation (W-007-9580).

Who is Protected?

CCPA:
Consumers, defined as California residents that are either:
- In California for other than a temporary or transitory purpose.
- Domiciled in California but are currently outside the State for a temporary or transitory purpose.
Consumers include:
- Customers of household goods and services.
- Employees.
- Business-to-Business transactions.

GDPR:
Data subjects, defined as identified or identifiable persons to which personal data relates.

Comparison:
Substantially different in approach, but similarly broad in effect.
Both laws focus on information that relates to an identifiable natural person, however the definitions differ.
Both have potential extraterritorial effects that businesses located outside the jurisdiction must consider.

References (CCPA):
Cal. Civ. Code § 1798.140(g) and Cal. Code Regs. tit. 18, § 17014.
Practice Note, California Privacy and Data Security Law: Overview: CCPA Scope (6-597-4106).

References (GDPR):
Article 4(1).
Practice Note, Overview of EU General Data Protection Regulation: Identifiability (W-007-9580).

What Information is Protected?

CCPA:
Personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.
The statutory definition includes a list of specific categories of personal information.
Personal information does not include certain publicly available government records. The CCPA also excludes certain personal information covered by other sector specific legislation from its coverage scope.

GDPR:
Personal data is any information relating to an identified or identifiable data subject.
The GDPR prohibits processing of defined special categories of personal data unless a lawful justification for processing applies.

Comparison:
Substantially similar. However, the CCPA definition also includes information linked at the household or device level.

References (CCPA):
Cal. Civ. Code §§ 1798.140(o) and 1798.145(c)-(f).
Boxes, Categories of Personal Information Under the CCPA and Information Excluded From the CCPA’s Personal Information Definition.
Practice Note, California Privacy and Data Security Law: Overview: Personal Information under CCPA (6-597-4106).

References (GDPR):
Articles 4(1) and 9(1).
Practice Note, Overview of EU General Data Protection Regulation: Personal Data and Data Subjects (W-007-9580) and Special Categories of Personal Data (W-007-9580).

Anonymous, Deidentified, Pseudonymous, or Aggregated Data

CCPA:
The CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose consumer information that is deidentified or aggregated.
However, the CCPA establishes a high bar for claiming data is deidentified or aggregated.

GDPR:
Pseudonymous data is considered personal data.
Anonymous data is not considered personal data.

Comparison:
The CCPA and GDPR pseudonymization definitions are very similar and both require technical controls to prevent reidentification to qualify.

References (CCPA):
Cal. Civ. Code §§ 1798.140(a), (h), (o), (r), and 1798.145(a)(5).
Practice Note, California Privacy and Data Security Law: Overview: Personal Information under CCPA (6-597-4106).

CCPA:
- Must include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on a website homepage.
- Must not request reauthorization to sell a consumer’s personal information for at least 12 months after the person opts-out.

GDPR:
However, the GDPR does contain other rights a data subject may use to obtain a similar result in certain circumstances. For example, it does permit data subjects, at any time, to:
- Opt-out of processing data for marketing purposes.
- Withdraw consent for processing activities.
This allows data subjects to opt-out of third-party sales that support marketing purposes or rely on consent for their legal processing basis.

References (GDPR):
Practice Note, Overview of EU General Data Protection Regulation: Processing for Direct Marketing Purposes (W-007-9580) and Lawfulness of Processing (W-007-9580).

Children

CCPA:
The CCPA prohibits selling personal information of a consumer under 16 without consent.
Children aged 13 – 16 can directly provide consent. Children under 13 require parental consent.
Importantly, protections provided by the federal Children’s Online Privacy Protection Act (COPPA) still apply on top of the CCPA’s requirements.

GDPR:
The GDPR’s default age for consent is 16, although individual member state law may lower the age to no lower than 13. The person with parental responsibility must provide consent for children under the consent age.
Children must receive an age appropriate privacy notice.
Children’s personal data is subject to heightened security requirements.

Comparison:
Substantially different requirements, other than ages involved.
The CCPA only requires parental consent for personal data sales, while GDPR’s parental consent requirement applies to all processing consent requests.

References (CCPA):
Cal. Civ. Code § 1798.120(c)-(d).
Practice Note, California Privacy and Data Security Law: Overview: Consumer Rights Under the CCPA (6-597-4106).

References (GDPR):
Article 8(1).
Practice Note, Overview of EU General Data Protection Regulation: Children’s consent (W-007-9580).

Right of Disclosure or Access

CCPA:
Consumers have a right to request disclosure of their personal information, and to receive additional details regarding the personal information a business collects and its use purposes, including any third parties with which it shares information.

GDPR:
Data subjects have a right to access their personal data, including receiving a copy and to obtain certain information about the data controller’s processing.

Comparison:
Broadly similar rights of disclosure/access.
The CCPA’s right is only to obtain a written disclosure of the information. The GDPR allows broader access, which is not limited to a written disclosure in a portable format.

References (CCPA):
Cal. Civ. Code §§ 1798.100(d), 1798.110, 1798.115.
Practice Note, California Privacy and Data Security Law: Overview: Consumer Rights Under the CCPA (6-597-4106).

References (GDPR):
Article 15.
Practice Note, Data Subject Rights Under the GDPR: Personal Data Access Right (W-006-7553).

CCPA DEFINITIONS

The CCPA has a long list of defined terms (Cal. Civ. Code § 1798.140). This box discusses certain defined terms used in this Chart. For the definition of personal information, see Box, Personal Information Categories Under the CCPA.

Controls means:
- Ownership of or the power to vote more than 50 percent of the outstanding shares of any class of voting security of a business.
- Control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
- The power to exercise a controlling influence over the management of a company.
(Cal. Civ. Code § 1798.140(c)(2).)

Common branding means a shared name, service mark, or trademark.
(Cal. Civ. Code § 1798.140(c)(2).)

Service provider means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that:
- Processes information on behalf of a business.

CCPA. However, the third party definition excludes personal information recipients who obtain the data:
- Directly from the business.
- For a business purpose.
- Under a written contract that contains specific clauses.

To qualify for the exclusion, the business’s written contract with the recipient must:
- Prohibit the recipient from:
  - selling the personal information;
  - retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract; and
  - retaining, using, or disclosing the information outside of the direct business relationship between the recipient and the business.
- Include a certification that the recipient understands the restrictions and will comply with them.
(Cal. Civ. Code § 1798.140(w).)

- Not sell personal information collected while the consumer was in California.

The CCPA exception does not permit a business to store, including on a device, personal information about the consumer while present in California, and then collect that personal information when the consumer or stored personal information is later outside of California.
(Cal. Civ. Code § 1798.145(a)(6).)

PERSONAL INFORMATION CATEGORIES UNDER THE CCPA

The CCPA defines personal information more broadly than California’s other laws. It includes any information that directly or indirectly identifies, describes, relates to, is capable of being associated with, or can reasonably link to a particular consumer or household. The statutory definition includes eleven specific categories that businesses must use when providing their required disclosures. Those categories are:
- Identifiers, such as:
  - real name;
  - an alias;
  - postal address;
  - email address;
  - unique personal or online identifier;
  - internet protocol (IP) address;
  - account name;
  - social security number (SSN);
  - driver’s license or passport number; or
  - other similar identifiers.
- Personal information categories described in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), which in addition to the identifiers described above, also lists a person’s:
  - signature.
  - physical characteristics or description;
  - state identification card number;
  - insurance policy number.
  - education.
  - employment or employment history.
  - bank account number, credit card number, debit card number, or any other financial information.
  - medical information or health insurance information.
- Characteristics of protected classifications under California or federal law, like race, religion, gender, national origin, or sexual orientation (see State Q&A, Anti-Discrimination Laws: California).
- Commercial information, including records of:
  - personal property;
  - products or services purchased, obtained, or considered; or
  - other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including:
  - browsing history;
  - search history; or
  - information regarding a consumer’s interaction with an internet website, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as nonpublic personally identifiable information under the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g and 34 C.F.R. Part 99).
- Inferences drawn from any of these personal information categories to create a profile about a consumer reflecting the consumer’s:
  - preferences;
  - characteristics;
  - psychological trends;
  - predispositions;
  - behavior;
  - attitudes;
  - intelligence;
  - abilities; or
  - aptitudes.

INFORMATION EXCLUDED FROM THE CCPA’S PERSONAL INFORMATION DEFINITION

Personal information does not include “publicly available” information. However, the CCPA narrowly defines the “publicly available” term to only mean information lawfully made available from federal, state, or local government records.

The publicly available term does not include:
- Data used for a purpose not compatible with the public recordkeeping purpose that caused the government entity to maintain or make the data available.
© 2018 Thomson Reuters. All rights reserved. Use of Practical Law websites and services is subject to the
Terms of Use (http://static.legalsolutions.thomsonreuters.com/static/agreement/westlaw-additional-terms.pdf)
and Privacy Policy (https://a.next.westlaw.com/Privacy).