Data Subject Requests under GDPR vs CCPA

Jun 25, 2020 12:00:00 AM | ccpa Data Subject Requests under GDPR vs CCPA

Responding to Data Subject Requests has been an ongoing challenge for organisations worldwide due to the complexity and tight deadlines of the process. July 1st 2020, California will become the first US state with an enforced comprehensive consumer privacy law, the California Consumer Privacy Act (CCPA), creating new, broad privacy rights that impose significant obligations as well. The new law, which we can see as a Californian counterpart of the General Data Protection Regulation (GDPR), might have a significant impact on entities that collect and share and sell personal data. While both the GDPR and CCPA provide rights to individuals in regard to managing their personal information , there are several overlaps and differences between them. Let’s take a look. 

GDPR Right to access vs CCPA Right to disclosure

The rights of disclosure/access under GDPR and CCPA are broadly similar, but there are some differences.

GDPR’s right to access provides individuals with the right to access their personal data free of charge, including a copy. It applies to all personal data processed concerning the data subject, and also provides the right to obtain certain information from a controller (e.g. the purposes of the processing, categories of personal data, any recipients, sources of collection, retention period, data subject rights and data transfers outside of the EU). The GDPR does not limit the means by which a data subject can make this request, but the EU Regulation permits controllers to refuse to act if a request is manifestly unfounded, excessive or has a repetitive character.

It is by far the most well known and exercised right in regard to data subject requests under the GDPR, and we can presume that it will be the case under the CCPA as well. 

In contrast to GDPR, the CCPA’s right to disclosure only applies to personal information collected in the 12 months prior to the request. Furthermore, while the GDPR allows individuals a broader access to their personal data, CCPA’s right to disclosure is only to obtain a written disclosure of personal information. The right to additional information under CCPA covers solely the

  • categories of personal information collected/sold,
  • categories of sources from which personal information is collected,
  • business or commercial purpose for collecting or selling personal information, and
  • categories of third parties with whom the personal information is shared.

Furthermore, the CCPA requires consumers must at least be able to make their request via a toll-free phone or a webpage. As per the CCPA, businesses are not required to provide access more than twice in 12 months. 


GDPR Right to data portability vs CCPA Right to disclosure

As per the right of data portability under the GDPR, individuals have the right to a copy of the personal data in a structured, commonly used and machine readable format in order to transmit the personal data to another data controller, and prevent lock-in. Either by receiving the information themselves, or a controller-controller transfer. This right applies only when the personal data is supplied by the data subject actively and knowingly or observed through use, the processing is based on consent or contract, and carried out by automated means. 

The CCPA on the other hand includes this right under the right to disclosure: a business must provide personal information in a readily usable format that allows the consumer to transmit this information to another entity without hindrance. It therefore has the same requirements and exceptions, and does not enable business-business transfer.


GDPR Right to erasure vs CCPA Right to deletion

In the grand scheme of things, the right to erasure under GDPR and the right to deletion under CCPA appear very similar. However, while the GDPR right only applies if the request meets specific conditions, the CCPA right is broader. The CCPA also allows businesses more exceptions to refuse the request than the GDPR. 

According to the GDPR, individuals have the right to request erasure of personal data in a limited amount of cases, e.g. when consent is withdrawn and there is no other legal ground for processing, or when personal data is no longer necessary for the purpose for which it was collected. The CCPA’s right to deletion in the meantime does not limit the scope of this right; a consumer has the right to deletion of personal information a business has collected, or even sold/shared with its service providers. 

The GDPR and CCPA share exceptions to the right to erasure for freedom of expression, research, handling of legal claims and complying with legal obligations, but the CCPA adds several exceptions for internal use and technical reasons, whereas the GDPR adds only one, for public health.

Both regulations have the same requirements for means of making the request as well as deadlines for complying and responding to them as for their rights to access (for exact figures, please see the table at the end of the blog post).


GDPR Right to object vs CCPA Right to opt-out of personal information sales

Under CCPA, businesses must include a link titled “Do Not Sell My Personal Information” in a clear and conspicuous location on their website homepage. Following this link, consumers may request to opt-out of the sale of their personal information to third parties. After the individual opts-out, businesses must not request re-authorization to sell a consumer’s personal information for at least 12 months

The GDPR does not have a right to opt-out of personal data sales, but it does contain other options an individual might use to obtain a similar result in certain circumstances, such as the right to object. For example, data subjects may at any time make use of:

  • The ‘general’ right to object to processing that is based on legitimate interests of the controller or a third party or on a task carried out in the public interest
  • The specific right to object to processing for direct marketing purposes, for which opting-out by objecting must be as easy as opting-in
  • The possibility to withdraw provided consent for processing activities

The GDPR does contain exceptions to the right to object for certain situations, for instance, compelling legitimate grounds overriding the interests rights and freedoms of data subjects and the handling of legal claims.


GDPR specific rights

The GDPR grants data subjects several rights that CCPA does not. These include: 

    • the right to rectification, enabling data subjects to correct inaccurate personal data, and complete incomplete personal data.
    • the right to restriction, whereby the controller under certain circumstances has to restrict the processing of the personal data concerning a data subject and communicate this to each recipient to whom the personal data have been disclosed.
    • the right not to be subject to automated decision making, forbidding automated decision-making, including profiling, which has legal or other significant effects on the data subject, unless certain exceptions apply.


CCPA specific rights

The CCPA in turn offers consumers a right that EU data subjects will not directly find in the GDPR: the right not to be subject to discrimination for the exercise of rights. This right ensures that organisations must not deny or provide a different quality of goods or services, (suggest to) charge different prices or rate, or impose penalties based on the exercise of rights. The closest European equivalent might be that personal data must be processed ‘fairly’ according to GDPR .





What constitutes personal data

Any information that directly or indirectly relates to an identified or identifiable individual (the “data subject”).

Information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household

Who are protected by the law 

Any identified or identifiable natural living persons to which personal data relates. The GDPR does not only protect individuals located in the EU, but also individuals outside the EU, when their personal data is processed by an organisation in the context of activities of their EU establishment.

Any natural person who is a California resident, however identified, including by any unique identifier, who are either
i) in California for other than a temporary or transitory purpose
ii) domiciled in California but currently outside the State for a temporary or transitory purpose (e.g. customers, employees, B2B relations).

What is regulated?

Processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which (are intended to) form part of a filing system.
Processing having the definition of any operation performed on personal data. For example collection, structuring, storage, consultation, use, restriction, or erasure.

Requirements primarily for sharing or selling, with some requirements for collection of information.
Selling having the definition of communicating personal information for monetary or other valuable consideration (does not necessarily require payment).

What organisations are subject to the law 

Data “controllers” (determines means and purpose of processing) and “processors” (process on behalf of controllers)

(i) Established in the EU that process personal data in the context of activities of an EU establishment, regardless of whether the data processing takes place within the EU. „ 

(ii) Not established in the EU that process EU data subjects’ personal data in connection with offering goods or services in the EU, or monitoring their behavior. 

Businesses - for-profit organization doing business in California, that determines the purposes and means of the processing of consumers’ personal information and
(i) gross revenue >$25 million; or
(ii) annually buys, receives, sells, or shares the personal information of >50,000 consumers, households, or devices for commercial purposes; or

(iii) >50% of annual revenues from selling consumers’ personal information 

Also any entity that either “controls” or is controlled by a business, or shares “common branding” with a business (eg. shared name, service mark, trademark)

Potential fines for non-compliance

Depending on the violation, “data protection authorities” of EU Member States may impose “administrative fines” up to 

  • 2% of global annual turnover or €10 million, whichever is higher
  • 4% of global annual turnover or €20 million, whichever is higher

Domestic laws may allow claimants to take private enforcement actions for GDPR violations

Depending on the violation, the Californian Attorney General may impose “civil penalties” up to 

  • $2,500 for each violation 
  • $7,500 for each intentional violation

CCPA also contains a private right of action.

Deadlines for DSRs

Data controllers must comply with requests “without undue delay and in any event within 1 month from the receipt.” Under circumstances, this may be extended by 2 additional months, but notice of the extension must be given within 1 month.

Upon receiving a request to know or delete personal information, a business shall provide information about the request process within 10 business days.
Businesses must comply with such requests 45 days from the receipt of the request. It could be extended by 45 days, but the consumer should be informed within the first 45 days.

A business shall comply with a request to opt-out as soon as feasibly possible, but no later
than 15 business days from the date the business receives the request.