The GDPR Compared to The California Consumer Privacy Act

Jan 24

The article seeks to find the differences and similarities between the two privacy laws and explores whether businesses will have to make further changes when the CaCPA is implemented.

The GDPR was enforced in May 2018, and the implementation of the California Consumer Privacy Act (CaCPA) will happen sometime between January 1st and July 1st of 2020. The big question is whether businesses will have to make further changes when the CaCPA comes into force. The article therefore seeks to find the differences and similarities between the two privacy laws.

The article looks at subject access rights (right to access, right to correction, right to be forgotten and right to data portability), transparency, security, and processors vs. service providers, and finally lists other important requirements that the GDPR contains and the CaCPA does not.

 

Here are a few of the areas the article touches upon:

Right of Access and Right to be Forgotten: The article finds that both laws include the right to access and the right to be forgotten/deleted, but there are differences in the way that businesses should handle them. For example, the response time on deletion for the CaCPA is 45 days, while for the GDPR it is around 30 days.

Right to Correction: The CaCPA does not include the right to correction, which means that if consumers notice wrong information in their profile, they have to request deletion. Whether a consumer can have only some of their data deleted, or whether it has to be all of it, is not yet known from the published text of the CaCPA.

Right to Data Portability: Both laws include the right to data portability. However, they differ in when it applies. With the CaCPA, the right to data portability "applies whenever the personal information to respond to the right to access is provided electronically." (Clarip). On the other hand, "for the GDPR right to data portability to apply, processing must be based on either consent, a contract to which the data subject is a party, or the fact that the processing is performed via automated procedures." (Clarip).

Transparency: Both laws seek to increase transparency. They both specify that certain information has to be provided and that businesses need to make sure that they are "transparent in their data processing." (Clarip).

While the article shows both differences and similarities, the most important thing is the mere fact that the desire for data portability and similar rights is spreading. It is clear that more countries are being inspired by the EU's GDPR. They are interested in making sure that consumers feel safe and that their data is accessible to them - and that is a positive development.

 

If you want to read more about this, you can read the original article here.

If you are interested in learning more about how to adhere to the GDPR requirements, you are welcome to contact us and we will be more than happy to elaborate on this subject.

Kristina Lund
Partner at SafeOnline