GDPR vs. CCPA
Legal Disclaimer 
The information provided in this video does not, and is not intended to, constitute legal advice, instead, all information, content, and materials available on this site are for general informational purposes only. The law changes fast, so information in the video may not constitute the most up-to-date legal or other information. 
Transcript

00:07
Adam Stofsky
Okay, Shannon, we've got several kind of mammoth privacy laws out there. Two of the most well known are the GDPR. Probably the most well known is the GDPR, Europe's big privacy law, and then the CCPA, which is California's big privacy law. So kind of a little bit, maybe kind of like the US's big privacy law. A lot of people want to know what are the key differences between these two things? Are they kind of basically the same thing in these two different jurisdictions? What are some of the key differences?


00:43

Shannon Yavorsky
So that's a really great question. There are a bunch of really critical differences. They are drafted in the same spirit, which is protecting consumer privacy, but there are definitely differences. I'm going to start with the geographic scope. So the CCPA is a state-level law that primarily applies to organizations that collect and process personal information of people located in California. The GDPR is a Europe-wide regulation that applies across member states to businesses, whether they're within the EU or whether they are outside of the EU. So the GDPR has a broader territorial scope than the CCPA, so it applies to a greater set of businesses. Another key difference is the legal basis.


01:39

Shannon Yavorsky
So the GDPR sets out that there has to be what's called a lawful basis of processing, which essentially means you have to pick one of six different reasons that you're processing data, and that's things like consent or this concept called legitimate interest, like it's in the legitimate business interest of the organization to collect the data. And while the CCPA has the concept of consent with respect to collecting certain kinds of data, it really doesn't have this lawful basis of processing requirement. And that's a really important feature of the GDPR because before you process any European data, you have to figure out which one of those six different reasons you're allowed to use to process that data. Not the same thing for California. Another difference is in the definitions. The GDPR uses the term personal data and the CCPA uses the term personal information.


02:37

Shannon Yavorsky
They're fundamentally very similar. Under the CCPA, it's information that relates to, describes, or is reasonably capable of being associated with a consumer or household. The GDPR doesn't include that word household, but it is information relating to an identified or identifiable person. So there are some slight differences. I don't think they're that meaningful. But I know people get a little confused by the fact that the GDPR uses the word personal data and the CCPA uses the word personal information. They're basically the same. It's just really a different term. I think the other key difference is under the GDPR, there's an obligation to appoint a Data Protection Officer, which is an individual, whether within the organization or outside of the organization, that is tasked with sort of overseeing data processing. And the CCPA simply doesn't have that kind of requirement. 


03:43

Shannon Yavorsky
The GDPR also requires an organization to have a legal representative where there's not an address or a person within the EU. And the CCPA doesn't have any kind of similar concept. And then from a penalties perspective, the CCPA has penalties of up to $7,500 per intentional violation, while the fines under the GDPR can be 4% of annual worldwide turnover or €20 million, whichever is higher. So, so far, we've seen more significant penalties and more enforcement overall coming out of Europe than we have from, right now, the California Privacy Protection Agency (and before that, the California AG), but enforcement's been more limited and the fines have been sort of less extensive than you would see under the GDPR. But those are just some of the key differences that immediately come to mind.


04:45

Shannon Yavorsky
Otherwise, they really have a common goal of protecting individuals' privacy, and the differences reflect the sort of distinct regulatory and legal frameworks in the US and the EU.


05:00

Adam Stofsky
Okay, I have a few follow-ups on this, things that are maybe just in my brain. Can you talk about the company size requirements under each of these laws? Because those are quite different, right?


05:12

Shannon Yavorsky
Yeah, it's a really different trigger for when the law applies. The GDPR applies in three main scenarios. One, if you have boots on the ground in Europe, an office, agency, or branch. Two, no boots on the ground, but you're monitoring the behavior of individuals, which is, sort of, think about cookie tracking or clinical trials as another example. Or three, no boots on the ground, and you're offering goods or services to individuals in Europe. The CCPA is much different. The CCPA is, are you doing business in California? And do you meet one of three criteria, which are you have revenue in excess of $25 million, you collect or process the data of over 100,000 or more California residents, or you derive 50% or more of your revenue from the sale of personal information. So really different criteria.


06:13

Shannon Yavorsky
And companies are going to have to go through that exercise to figure out which of the laws or whether they trigger both of the laws. 


06:21

Adam Stofsky
So it sounds like in California, under the CCPA, it's kind of for either really kind of larger companies or sort of very specialized companies, where in Europe, under the GDPR, it's kind of like every company in theory, right? 


06:36

Shannon Yavorsky
Pretty much, yeah. It's pretty much every company. And every company in Europe has to think about it. There's unfortunately no de minimis threshold under the GDPR that, you know, if you're a very small company, it doesn't apply, while California seems to have a sort of greater appreciation for the capabilities of smaller companies to comply with the law.


07:01

Adam Stofsky
So given all these differences, do most companies have separate compliance programs for both the GDPR and CCPA? Or can many kind of get away with one overall privacy program that complies with both? 


07:15

Shannon Yavorsky
We see most companies, if both laws apply, have a single program. And they'll have one privacy notice that has a GDPR section and maybe a CCPA section. They'll have one individual rights policy that talks about the process for responding to a data access request or a request for deletion. And it really makes sense to try to have a single process because administratively it can just get really difficult and complex. So we definitely see global privacy programs rather than jurisdiction-specific materials, except for where they're really required.


07:55

Adam Stofsky
Okay, great. Thanks so much, Shannon. 

© 2024 Briefly