GDPR vs. CCPA: A Quick Reference Guide

Scope:

Applies to all organizations processing personal data of EU residents, regardless of the organization's location.

Key Principles:

Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly, and transparently.
Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes.
Data Minimization: Data must be adequate, relevant, and limited to what is necessary.
Accuracy: Data must be accurate and kept up-to-date.
Storage Limitation: Data must be kept in a form which permits identification of data subjects for no longer than necessary.
Integrity and Confidentiality: Data must be processed securely to ensure protection against unauthorized access.
Accountability: Organizations must demonstrate compliance with GDPR principles.

Rights of Data Subjects:

Right to Access: Individuals can access their personal data.
Right to Rectification: Individuals can correct inaccurate or incomplete data.
Right to Erasure (Right to be Forgotten): Individuals can request deletion of their data.
Right to Restrict Processing: Individuals can limit the processing of their data.
Right to Data Portability: Individuals can transfer their data to another organization.
Right to Object: Individuals can object to data processing.
Rights Related to Automated Decision Making and Profiling: Individuals have rights concerning automated processing and profiling.

Compliance Requirements:

Data Protection Officer (DPO): Appoint a DPO for large-scale monitoring or processing of sensitive data.
Data Protection Impact Assessments (DPIAs): Conduct DPIAs for high-risk processing.
Breach Notification: Notify supervisory authorities within 72 hours of a data breach.
Consent: Obtain explicit consent for data processing where required.

Penalties:

Fines up to €20 million or 4% of the annual global turnover, whichever is higher.

Scope:

Applies to for-profit businesses that collect personal data of California residents and meet certain criteria, such as revenue thresholds or data volume.

Key Principles:

Transparency: Businesses must disclose data collection practices and purposes.
Control: Individuals have more control over their personal data.

Rights of Consumers:

Right to Know: Consumers can request information about the categories and specific pieces of personal data collected.
Right to Delete: Consumers can request deletion of their personal data.
Right to Opt-Out: Consumers can opt-out of the sale of their personal data.
Right to Non-Discrimination: Consumers must not be discriminated against for exercising their privacy rights.

Compliance Requirements:

Privacy Policy: Update privacy policies to reflect CCPA rights and practices.
Verification: Implement methods for verifying consumer requests.
Training: Train employees on CCPA compliance and handling consumer requests.
Data Security: Implement reasonable security measures to protect personal data.

Penalties:

Fines up to $7,500 per intentional violation and $2,500 per unintentional violation.
Private right of action for data breaches, with statutory damages between $100 and $750 per incident.

Books:

Online Courses:

Coursera: "Understanding the GDPR"
Udemy: "GDPR Data Privacy Compliance"
LinkedIn Learning: "California Consumer Privacy Act (CCPA) Essential Training"

Professional Organizations and Certifications:

IAPP (International Association of Privacy Professionals): IAPP
CIPP/E Certification: Focuses on European data protection laws, including GDPR.
CIPM Certification: Covers privacy program management principles.

Websites and Blogs:

Research Papers and Journals:

Want to discuss this topic?