CCPA (Californian Consumer Privacy Act) vs. EU GDPR (European General Data Privacy Act) – a comparison
Both the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) aim to protect individuals’ privacy rights, but there are some key differences between the two. This blog will help you to understand the important distinctions between the CCPA vs. the GDPR. Furthermore, it will give you an insight about how SAP can help you to become compliant with regards to these data protection regulations.
The EU General Data Protection Regulation (GDPR) took effect on May 25, 2018. Since June 28, 2018 all businesses handling data from residents of the European Union must now comply with the EU’s new privacy standards. California became the first U.S. state with a comprehensive consumer privacy law when it enacted the California Consumer Privacy Act of 2018 (CCPA), which became effective on January 1, 2020. Both laws have significant impact on entities that collect and process personal data.
The purpose of the GDPR was to modernize laws that protect individuals’ personal information. The previous EU laws, established by individual countries in the 1990s, failed to keep up with the rapid technological evolution. Now individuals have more control over their information and more rights to their data than ever beyond national boundaries. CCPA is viewed as the first measure of data privacy taken in the United States with no predecessor. Both regulations give individuals the right to access and delete their personal information, and they require businesses to be transparent about used information. CCPA is seen as a less strict version of the EU GDPR. What is similar, what is different between GDPR and CCPA? 
Distinction between GDPR and CCPA
|Rights of the individuals :||GDPR||CCPA|
|Information Right/Privacy notice: “Information to be provided where personal data are collected from the data subject…”||X||X|
|Right of Disclosure or Access: “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed…”||X||X|
|Right to erasure or “to be forgotten”: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay…the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed…”||X||X|
|Right of data portability: “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format…”||X||X|
|Right of rectification: “The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her…”||X|
|Right to restrict processing: “The data subject shall have the right to obtain from the controller restriction of processing…”||X|
|Right to object processing: “The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her…”||X|
|Right to Object to Automated Decision-Making: “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”||X|
Who is protected? CCPA: Consumers, defined as California residents. GDPR: data subjects, defined as identified or identifiable persons to which personal data relates. The regulation applies if the data controller or processor or the data subject is based in the EU, under certain circumstances the regulation also applies to organizations based outside the EU if they collect or process personal data of individuals located inside the EU. 
Who they affect: The CCPA only affects for-profit entities that have an annual gross revenue of over $25 million, buy or sell data from over 50,000 consumers, or generate 50 percent or more of their annual revenue from selling data. In contrast the GDPR’s laws apply to all businesses and websites.
The penalties: The maximum fine for violation of CCPA is $2,500 per incident. The financial penalties for noncompliance or data breaches of the GDPR can be as high as $22 million or 4 percent of the violating company’s annual global income from the previous year.
Opt-Out Right for Personal Information Sales: In CCPA businesses must enable and comply with a consumer’s request to opt-out of the sale of personal information to third parties. In GDPR there is no specific right to opt-out of personal data sales.
Let’s now take a closer look on how companies can ensure legal compliance. First, it is crucial to understand, meeting legal obligations defined by regulations such as CCPA and GDPR can require different types of technical and organizational measures. Technical measures are actions that need to be taken in an application or a computerized system. Organizational measures are actions that ensure the effective and smooth operation of an organization. Short example: The organizational measure of requiring a badge for an employee to enter the premises would be supported by the technical measure of assigning an ID to that employee in the database and then linking the badge to this ID. The appropriate and relevant technical and organizational measures for a business are highly specific to the company that implements them. The foundation is a comprehensive evaluation and consultation with stakeholders across the organization, including business, IT and legal departments. 
How do SAP solutions help with legal compliance regarding data privacy? SAP software helps organizations run their enterprise processes, and these business processes sometimes require personal data such as business partner names, addresses, bank account numbers, and credit card numbers. SAP has embedded features into SAP S/4HANA that provide the enterprises using them with a means to comply with data protection regulations such as CCPA and GDPR. Below is a (non-comprehensive) list of the most important feature highlights:
- Read Access Logging (RAL): This component can be used to monitor and log read access to data and provide information such as which business users accessed personal data (f. e. field related to bank account data), and when they did so.
- Information Retrieval Framework (IRF): The SAP NetWeaver component Information Retrieval Framework can be used to carry out a cross-application search for personal data of a specified data subject. The data is retrieved from the system and displayed in a structured, easy-to-read list, subdivided according to the purposes for which the data was initially collected and processed. The identified information can then be downloaded in an easy-to-read format and handed over to the data subject.
- Information Lifecycle Management (ILM): Personal data in a system can be blocked as soon as the business activities for which this data is needed are completed and the residence time for the data has elapsed. After this time, only users who are assigned additional authorizations can access the data. When the retention period has expired, personal data can be destroyed completely so that it can no longer be retrieved. Residence and retention periods are defined in the system. For this purpose, SAP Information Lifecycle Management can help to set up a compliant information lifecycle management process in an efficient and flexible manner. 
With CCPA and GDPR as well as new upcoming legislations around the world, data protection continues to be of crucial importance. Complying with data protection regulations requires comprehensive and deep discussions across the organization and has a considerable impact on a company’s business and technical landscape.
Please stay tuned, for more information about SAP S/4HANA and Data Protection!