How Can I Use What I've Done for GDPR to Help with CCPA? Part V
The California Consumer Privacy Act (CCPA) requires businesses with California customers to be transparent about the personal information they collect, why they collect it, and who they share or sell it to. Under CCPA, Californians are granted five key rights:
- The right to know what personal information is being collected about them.
- The right to know whether their personal information is being sold or shared—and with whom.
- The right to opt out of the sale of their personal information.
- The right to access their personal information.
- The right to equal service and pricing, even when they exercise their privacy rights.
For professionals like Data Privacy Officers, Privacy Staff, Consultants, HR, and Legal teams, comparing GDPR and CCPA is incredibly valuable. It helps them identify the additional steps needed to ensure full CCPA compliance while managing privacy risks.
In the previous blog, we explored CCPA's Personal Information Categories and compared key aspects of GDPR and CCPA, including law applies to, protects, protected information, and security measures. Now, let’s continue our deep dive into GDPR and CCPA.
| Details | GDPR | CCPA |
|---|---|---|
| Right of Disclosure or Access | Individuals have the right to access their personal data, which includes receiving a copy or to obtain certain information about the data controller's processing this is commonly referred to as subject access. Individuals can make a subject access request verbally or in writing. Corporations cannot charge a fee to deal with a request in most circumstances. | Consumers have a right to request disclosure or access to their personal information. To receive additional details regarding the personal information a business collects and its use purposes, including any third parties with which it shares information. |
| Right of Data Portability | The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Receive a copy of the personal data in a commonly used and machine-readable format. It allows them to move, copy or transfer personal data easily from one IT environment to another. Transmit the personal data to another data controller. The right only applies to information an individual has provided to a controller. | In response to a request for disclosure, a business must provide personal information in a readily useable format. Consumer can transmit the information from one entity to another entity without hindrance. |
| Right to Deletion / Erasure (The Right to be Forgotten) | The GDPR introduces a right for individuals to request erasure of personal data under six circumstances (the right to be forgotten). Individuals can make a request for erasure verbally or in writing. The right is not absolute and only applies in certain circumstances. Data controllers must also take reasonable steps to inform any other data controllers also processing the data. | A consumer has the right to deletion of personal information a business has collected, subject to certain exceptions. The business must also instruct its service providers to delete the data. |
| Right of Rectification | The GDPR includes a right for individuals to:
An individual can make a request for rectification verbally or in writing. In certain circumstances you can refuse a request for rectification. This right is closely linked to the controller's obligations under the accuracy principle of the GDPR (Article (5)(1)(d)). | None |
Leave a comment
Related Posts
Is Your Business Prepared? Key Steps for Disaster Recovery & Continuity Certification
But how does it relate to Disaster Recovery (DR), and why are they often misunderstood or misaligned? Let's break it down:
Artificial Intelligence Governance Part I
It's becoming increasingly clear that most new cybersecurity products involve some form of machine learning (ML) or artificial intelligence (AI).
How Can We Prevent, Detect, and Recover from Cyberattacks?
A thorough investigation of cyberattacks underscores the considerable damage these incidents can cause. Below are several key points that can help organizations identify potential threat actors.
