Data Privacy Regulations
Quick Comparison Guide

Understand the differences between the most widely impactful data privacy regulations


Our expert Data Privacy Services team has put together a quick and easy comparison guide to the EU's GDPR, California's CCPA/CPRA and Virginia's VCDPA, focusing on the areas of most critical difference to help organizations understand how to adapt a global privacy programme to protect the rights of data subjects around the world.


These data privacy frameworks have been chosen because:

  • They are either live or have been fully passed and will soon be effective
  • They have enough similarity but also nuanced difference to make their practical application confusing for most organizations
  • They have created the most controversy in their creation and subsequent enforcement
  • They are the frameworks under which the most fines or punitive activity has taken place

Data Privacy Regulations Quick Comparison Guide

Effective date

GDPR: May 25th 2018
CCPA: January 1st 2020 (CPRA comes into effect on January 1st 2023)
VCDPA: January 1st 2023

Who the law applies to

GDPR:
  • Any organization in the EU processing personal data, regardless of whether the processing takes place in the EU or not.
  • The processing of personal data of data subjects who are in the EU by an organisation not in the EU, where the processing activities are related to:
    • the offering of goods or services, irrespective of payment, to such data subjects in the EU; or
    • the monitoring of their behaviour within the EU.

CCPA: Entities that conduct business in CA that also:
  • Have collected data of more than 50,000 CA residents (increasing to 100,000 under CPRA); or
  • Have a gross revenue of more than $25 million; or
  • Derive more than 50% of revenue from sale / share of personal data

VCDPA: Entities that conduct business in VA or produce products that are targeted to VA residents that also:
  • Control or process data of 100,000 VA residents within a calendar year; or
  • Control or process data of 25,000 VA residents and derive over 50% of revenue from sale of personal data

Definition of personal data

GDPR: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly
CCPA: Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
VCDPA: Any information that is linked or reasonably linkable to an identified or identifiable natural person

Sensitive data

GDPR: Called “special category”, rather than “sensitive” data.
  • Personal data revealing:
    • Racial or ethnic origin
    • Political opinions
    • Religious or philosophical beliefs
    • Trade union membership
  • The processing of genetic data, biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health or data concerning a natural person’s sex life or sexual orientation
Processing is prohibited except in certain circumstances, one of which is explicit consent.

CCPA: Explicit definition of sensitive personal data was not included in the CCPA. Under CPRA:
  • Personal data revealing:
    • Racial or ethnic origin
    • Religious beliefs
    • Government-issued identification number
    • Financial account information
    • Account login credentials
    • Geolocation information
    • The contents of an email or text messages
  • Plus:
    • Genetic data, biometrics data, health data
    • Data concerning sex life or sexual orientation; or
    • Any personal data that is used for the purpose of inferring characteristics about a consumer.
CA residents will be allowed to opt-out of processing of sensitive data.

VCDPA: Defined as:
  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • Genetic or biometric data (used for the purpose of identifying a natural person);
  • Personal data collected from a child; or
  • Precise geolocation data.
Requires consent for processing.

Enforcement and fines

GDPR: Enforced by local Supervisory Authority, supervised by the EDPB. Ceiling for administrative fines of up to 20,000,000 EUR, or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
CCPA: Enforced by AG with 30-day cure period (will be new CA data protection agency under CPRA). No ceiling, $7,500 per violation.
VCDPA: Enforced by AG with 30-day cure period. Up to $7,500 per violation.

Exemptions

GDPR: Exemptions apply for:
  • Activities which fall outside the scope of EU law;
  • Member States when carrying out activities which fall within the scope of the function of the EU;
  • Natural persons in the course of a purely personal or household activity;
  • Competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Note: no exemptions for businesses.

CCPA: While an entity must comply with CCPA, the CCPA does not apply to an entity’s data that is otherwise regulated by HIPAA or GLBA.
VCDPA: Exempts any entity that is subject to GLBA or HIPAA.

Employee and B2B data

GDPR: No exceptions for employee or B2B communications.
CCPA: Employee data and data collected for commercial, business-to-business communications are within the scope of CCPA and CPRA, but certain rights provided to California consumers (including access and deletion rights) do not apply to employees or business-to-business communications until the CPRA goes into effect in January 2023.
VCDPA: VCDPA specifically carves out of the definition of consumer any person acting in a commercial or employment context.

Right to confirm processing

GDPR: No explicit right included in GDPR.
CCPA: No explicit right included in CCPA.
VCDPA: Right to confirm whether controller is processing personal information.

Private right of action

GDPR: Any person who has suffered material or non-material damage has the right to receive compensation from the organisation for the damage suffered.
CCPA: Only in relation to security incidents: minimum damages of $100 and maximum damages of $750 per CA consumer per incident.
VCDPA: No private right of action, even for security incidents.


GDPR Services & EU Representatives

Let us steer your organization through one of the widest-reaching data privacy regulatory frameworks


California (CCPA) Privacy Services

We can help you navigate California’s ground-breaking privacy law, CCPA, and guide you through your new obligations


Data Protection Officer as a Service

Sidestep the difficulty of appointing internally, and the cost of hiring, with our outsourced expert service


Contact Us

Contact our consultants to discuss how Calligo can make your data work harder for you
