California CCPA

How GDPR compares to California CCPA

First, we had Safe Harbour and the EU Data Directive, now we have GDPR and Privacy Shield, so who is the new guy on the block?

The US or at least a large part of it is catching up, GDPR came into full force on the 25th May 2018 ……. Hot on its heels, legislation was passed in California on June 29th 2018 governing data held on California residents. This piece of legislation is called the California Consumer Privacy Act 2018 (AB 375) and will come into force on the 1st January 2020, watch this space closely for other states to follow suit.

How does CCPA compare to GDPR?

CCPS doesn’t go quite as far as GDPR and therefore isn’t quite as stringent as Privacy Shield, however it is a step in the right direction.

The following table summarise some of the key differences:

Who does it apply toAny entity which operates for-profit or financial benefit of shareholders, that process personal data of California residents and either:

1. Have $25 million in annual revenue

2. Hold the personal data of 50,000 people, households, or devices

3. Derive at least 50% of their revenue in the sale of personal data

Any organisation holding personal data on EU citizens
When does it come into forceJan 1, 2020May 25, 2018
Rights for individualsRight to disclosure and objection relating to who data is being sold to, no discrimination if individual objects to data sold.

Right of access to data being held.

Right to know how personal data is being used.

Right to know who data has been provided to.

Access to data being held, right to erasure, correction, object to automated processing.

Right to notification if there is a data breach.

Basis for consentOpt outOpt in
Consent MechanismsRequirement to provide a conspicuous link on the website titled – “Do Not Sell My Personal Information”.All consent to use personal data for marketing must have granular, clear, unbundled consent via explicit opt in.
Marketing Consent Time Limits12 Months until the opt out expires.No time limit.
Making request to a controllerMandates at least two channels, including a toll-free number and a website address if available.Requests may be made by any mechanism and to any channel, or employee (including nominal employee).
Restrictions on access requestsInformation shall not be required to be provided more than twice in 12-month period.Where requests are repetitive in nature or manifestly deemed to be a nuisance.
Time allowed to respond to a request45 days with an extension if notified to the individual within the initial 45 days, the maximum extension is 90 additional days.1 month and an extension to 90 days from first request.
CostsFree unless, manifestly unfounded or excessive, in particular because of their repetitive character.Free unless, manifestly unfounded or excessive, in particular because of their repetitive character.
Provision of dataThrough the user account if such an account exists, or by mail or electronically at the choice of the consumer.Electronically if requested electronically.
Discrimination Clauses around denial of servicesExplicit within the CCPA.Implicit relating to not bundling consent within T+C’s or binding it into a contract.
Financial Penalties$7,500 per violation. Minimum $100 to maximum $750 or actual damages for each individual, whichever is greater.Up to 4% of turnover or €20m (whichever is greater)


2% of turnover or €10m (whichever is greater)

Depending on the violation.

Retention of personal dataNot addressed.For no longer than necessary pursuant to the purposes for which it was collected.
Documentation and Record KeepingNot addressed.Mandatory for organisations processing data on a ‘large’ scale and or have 250+ employees.

Contact us

If you would like to know more about how GDPR Auditing can help your organisation with the GDPR please contact us at info@gdprauditing.com or visit our contacts page.

The information provided in this post is for general information only and is not intended to provide legal advice.

© GDPR Auditing 2018.