CCPA vs GDPR: Personal Scope
The CCPA and the GDPR both aim to guarantee the protection of personal data of natural persons, and apply to any businesses that receive, collect, use, share or sell consumer data solely or jointly with others. The CCPA differs from the GDPR in several ways, specifically with regard to the scope of application; the nature and extent of collection limitations; and rules concerning accountability. Let’s have a look at similarities and differences for “personal scope”.
Businesses, public bodies, and non-profit organizations are all subject to the GDPR, while the CCPA applies only to for-profit businesses. The CCPA sets conditions that determine which businesses are covered by the law; the GDPR does not.
The GDPR and the CCPA, both
Under the GDPR, a “controller” is defined as the person or business that determines the purposes for which personal data will be processed and the means of processing. In the CCPA, a “business” is defined as an establishment that determines the means and purposes of the processing, though some other criteria must also be met.
GDPR – General Data Protection Regulation
- As per article 4(a) under the GDPR, a “data subject” is a natural person who is “identified or identifiable”. The data subject may be any individual whose personal data is processed, whether or not the data subject holds EU residency or citizenship.
- The GDPR does not apply to the processing of personal data of deceased persons.
- It applies to “controllers”, which can be businesses, public bodies, and non-profit organizations, irrespective of their size and whether they are public or private law entities, as long as they determine the purposes and means of processing activities.
- It also applies to “processors”, which process personal data on behalf of “controllers”.
CCPA – California Consumer Privacy Act of 2018
- Under the CCPA, a “consumer” is a natural person who is a “resident of California”.
- As per the criteria, the CCPA obligations apply to the business that:
  - is for-profit;
  - collects personal information;
  - determines the purpose and means of the processing;
  - does business in California; and
  - meets one of the following conditions/thresholds:
    - Revenue – Has annual gross revenues in excess of US$25 million;
    - Revenue – Earns more than half of its annual revenue from selling consumers’ personal information; or
    - Personal information – Possesses the personal information of 50,000 or more consumers, households, or devices.
- There are no direct obligations for the “service providers” controlled by businesses. However, these service providers must process the personal data solely on the documented instructions of the business they serve.
Article 3 – Territorial scope
Article 4(1) – Definitions (‘Personal data’)
Recital 2 – Respect of the fundamental rights and freedoms
Recital 14 – Not applicable to legal persons
Recital 22 – Processing by an establishment
Recital 23 – Applicable to processors not established in the Union if data subjects within the Union are targeted
Recital 24 – Applicable to processors not established in the Union if data subjects within the Union are profiled
Recital 25 – Applicable to processors due to international law
Section 1978.140(c) – Definitions (‘Business’)
Section 1978.140(g) – Definitions (‘Consumer’)
Section 1978.145(a)(6) – The obligations imposed on businesses by this title shall not restrict a business’s ability to collect or sell a consumer’s personal information.