GDPR, Something Stringent Building Sway, Part VI

The Great Seal of The State of California (image), Public Domain

GDPR vs CCPA: an Appraisal of GDPR-inspired US State Legislation

There is no federal legislation in the US that emulates or matches the General Data Protection Regulation (GDPR). The most recent proposed federal online privacy bill, the American Data Privacy and Protection Act (ADPPA), stalled after opposition from "big tech" and from California lawmakers, who objected to its pre-emption of California's own law.

Some states have therefore adopted or proposed their own data privacy laws that resemble the GDPR in some respects, in a bid to regulate how organizations collect, keep and use personal/consumer data. Examples of this legislation are the California Consumer Privacy Act (CCPA), enacted in 2018 and in force since 2020; the Virginia Consumer Data Protection Act (VCDPA), signed in 2021 and in force since 2023; and the Colorado Privacy Act (CPA), signed in 2021 and in force since 2023.

Chief among these laws, the California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them, and its implementing regulations offer direction on how the law is applied. As a result, California consumers gained new privacy rights: the right to know what personal information a business collects and how it is used and shared; the right, subject to exceptions, to have their personal information deleted by the collecting business; the right to opt out of the sale of their personal information; and the right to non-discrimination for exercising their CCPA rights. In November 2020 California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which amended the CCPA (most of its provisions took effect on January 1, 2023) and added two further rights: the right to correct inaccurate personal information, and the right to limit the use and disclosure of sensitive personal information.

Businesses subject to the CCPA have several responsibilities, including responding to consumer requests to exercise these rights and providing consumers with notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

The CPRA (the amended CCPA) and the GDPR differ in several key respects: scope and applicability, the definition of personal data, the legal basis for processing, the rights of data subjects, and transfers of data to third countries. Scope-wise, the GDPR applies to any organization established in the EU or EEA that processes personal data, and to organizations outside the EU or EEA that offer goods or services to, or monitor the behaviour of, individuals in the EU or EEA, regardless of where the data are processed. The CPRA applies to for-profit businesses that do business in California and meet certain revenue or data-volume thresholds, and to their service providers.

GDPR vs CPRA (CCPA as amended)

The GDPR defines personal data as any information relating to an identified or identifiable natural person, whether the identification is direct or indirect. The CPRA (amended CCPA) defines personal information as any information that identifies, relates to, describes, or can reasonably be linked with a consumer or household, with some exceptions (notably de-identified and publicly available information).

The GDPR requires data controllers to have a lawful basis for every processing activity, such as valid consent from the data subject, or a demonstration that the processing is necessary for the performance of a contract, a legal obligation, a vital interest, a task in the public interest, or a legitimate interest. The CPRA does not require a legal basis for processing personal information, but it does require businesses to inform consumers of the purposes and categories of processing, to obtain opt-in consent before selling or sharing the personal information of consumers under 16, and to honour opt-out requests from all other consumers.

The GDPR grants data subjects various rights, such as the right to access, rectify, erase, restrict, or port personal data; the right to object to, or withdraw consent from, certain processing activities; and the right to lodge complaints with a supervisory authority or seek judicial remedies. The CPRA grants consumers similar rights, such as the right to know, access, correct, delete, or port their personal information; the right to opt out of the sale or sharing of their personal information; the right to limit the use of sensitive personal information; and the right to non-discrimination. However, the CPRA does not give consumers a general right to object to, or withdraw consent from, processing beyond the sale or sharing of personal information and the use of sensitive personal information, nor a right to restrict processing in the GDPR sense.

The GDPR requires data controllers and processors to ensure an adequate level of data protection, or to put appropriate safeguards in place, when transferring personal data to third countries or international organizations outside the EU or EEA, such as binding corporate rules, standard contractual clauses, or approved certification mechanisms. The CPRA has no specific rules for transfers to third countries or international organizations, but it does require businesses to inform consumers of the categories of third parties with whom they share personal information, and to ensure that their contracts with service providers prohibit the retention, use, or disclosure of personal information for any purpose other than performing the contracted services.

VCDPA

The Virginia Consumer Data Protection Act (VCDPA), signed into law in 2021 and in force since January 1, 2023, grants consumers the right to access, correct, delete, or port their personal data; the right to opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects; and the right to appeal a controller's refusal to act on a request. The VCDPA also requires businesses to provide a privacy notice, to obtain consent before processing sensitive personal data, and to conduct data protection assessments for higher-risk processing.

CPA

The Colorado Privacy Act (CPA), signed into law in 2021 and in force since July 1, 2023, closely follows the Virginia model: it grants consumers the right to access, correct, delete, or port their personal data; the right to opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects; and the right to appeal a controller's refusal to act on a request. The CPA also requires businesses to provide a privacy notice, to obtain consent before processing sensitive personal data, and to conduct data protection assessments for higher-risk processing.

Terminology

The table below compares how the GDPR, the CCPA/CPRA and the VCDPA define the core terms.

Personal data or information
GDPR: Any information relating to an identified or identifiable natural person, directly or indirectly.
CCPA/CPRA: Any information that identifies, relates to, describes, or can reasonably be linked with a consumer or household, with some exceptions.
VCDPA: Any information that is linked or reasonably linkable to an identified or identifiable natural person, excluding de-identified data or publicly available information.

Data controller or business
GDPR: The entity that, alone or jointly with others, determines the purposes and means of the processing of personal data.
CCPA/CPRA: The for-profit entity that does business in California, meets certain revenue or data-volume thresholds, and collects, determines the purposes and means of the processing of, or sells consumers' personal information.
VCDPA: The person that, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor or service provider
GDPR: The entity that processes personal data on behalf of the data controller.
CCPA/CPRA: The entity that processes personal information on behalf of a business.
VCDPA: The entity that processes personal data on behalf of a controller.

Data subject or consumer
GDPR: The identified or identifiable natural person whose personal data are processed.
CCPA/CPRA: The natural person who is a California resident.
VCDPA: The natural person who is a Virginia resident.

Data breach
GDPR: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
CCPA/CPRA: The unauthorized access and exfiltration, theft, or disclosure of personal information.
VCDPA: The unauthorized access or acquisition of computerized data that compromises the security, confidentiality, or integrity of personal data.

Conclusion

The clamour for privacy by data subjects, including consumers, and the absence of US federal legislation that emulates or matches the GDPR have prompted several US state legislatures, e.g., California, Colorado, and Virginia, to enact data privacy laws of their own. Other states, such as New York, Washington, and Florida, have introduced or considered similar bills. These state laws differ from the GDPR, and from each other, in scope, applicability, definitions, requirements, rights, and remedies, so an organization operating in more than one state cannot assume that compliance with one law satisfies the others.

The CCPA, first enacted in 2018 and the most prominent of the US state laws emulating the GDPR, has, despite some differences (chiefly in territorial scope and in the absence of a lawful-basis requirement), borrowed a great deal from it in spirit, e.g., the protection of the consumer, and in terminology, e.g., personal data and data processor. Next time we look at the requirements the GDPR places on the professional services firm.

–Richard Thomas
