Privacy Policies in the Digital World

4. GDPR vs. CCPA

Both the GDPR and the CCPA are meant to define how businesses handle consumers’ personal data, but there are just as many similarities as differences between the two. The CCPA was passed over 1.5 years later than the GDPR, and many of its policies are based on the GDPR. Both carry penalties for companies found in violation, and both address the right to be informed, the right of access, and the right of portability. All of these encompass consumers’ rights to own their private data. Specifically, both give consumers the right to deletion of personal data, the right to opt out, and the right to data transparency.

There are some key distinctions between the GDPR and the CCPA beyond location. The CCPA applies to Californian businesses that either have over $25 million in revenue or whose primary business is handling consumers’ data. The GDPR applies to any business handling European citizens’ data.

Another big difference is the size of the monetary penalties and the conditions under which they apply. The GDPR allows for fines of up to 4% of a company’s annual turnover or $20 million, whichever is bigger. This punishment can be applied before any violation has happened if the company is determined to be at risk or has been irresponsible in its handling of data. The CCPA, on the other hand, is much lighter: fines run up to $7,500, but consumers are allowed to mass-sue the company in violation. These penalties apply only after a breach or incident has occurred. Many argue that this is too lenient and comes too late for any real data breach prevention to occur.

Overall, the GDPR is focused on creating a "privacy by default" legal framework for all of the EU, while the CCPA is focused on creating transparency in California’s huge data economy.