Of the GDPR and the CCPA

By: Eldad J. Ben-Giora - GRC Information Security Consultant   |   Updated: 12/4/2019

Part A: Privacy in law  


Various laws and regulations apply in different places and jurisdictions. They require entities operating internationally, or within their local scope, to adjust their practices and protect the rights those laws cover. Today, it's time for privacy.

On 27 April 2016, the European Union enacted a regulation: the General Data Protection Regulation (GDPR). The law created a protective cloak for rights in the areas of privacy and information security.

On 28 June 2018, the governor of California and the Secretary of State approved the California Consumer Protection Act (CCPA). Taking effect in 2020, the law is intended to give consumers control of their personal information:

“… and Shine the Light, a California law intended to give Californians the ‘who, what, where, and when’ of how businesses handle consumers’ personal information.”   

Although these laws come from Europe and California, they have an impact on trade and on international law. For example, a corporation established in California that operates worldwide may be subject to EU regulations whether a dispute is resolved in a Californian or in an Israeli court, in accordance with the principles of international law.

The right to Privacy

“Privacy” appears on the same page as basic human rights such as liberty and property. Thus, it is equivalent to other human rights that are “inalienable” in the eyes of the law. Both the GDPR and the CCPA regulate matters of information security that relate directly to privacy.

The GDPR states that the regulation respects all fundamental rights, including privacy:

“This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought…”

The CCPA states that the constitution of California recognises people's right to privacy among other inalienable rights:

“All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and procuring and obtaining safety, happiness, and privacy.”      

The message is clear. The right to privacy is paramount. It sits at the highest level of constitutional human rights, according to which laws, regulations and directives have been issued and judgements handed down, dictating standards that are still being formulated to this day.

Part B: The GDPR

Objectives and scopes

The GDPR sets rules regarding the processing of personal data. It focuses on data subjects, natural persons, and their fundamental rights, in particular the protection of their personal data.

This regulation applies to the processing of personal data by automated means, or otherwise as part of a filing system.

Its territorial scope includes: 

  1. The processing of personal data by a controller or a processor established in the EU, regardless of whether the processing takes place in the Union or not.
  2. The processing of personal data of data subjects who are in the EU, by a controller or processor not established in the EU, when the processing relates to the offering of goods and services, and the monitoring of the behavior of data subjects within the EU.
  3. The processing of personal data by a controller established in a place where a member state's law applies by virtue of public international law.

The Principles

Personal data shall be processed lawfully, fairly and in a transparent manner. It shall be collected for specific and legitimate purposes, be relevant and limited to what is necessary for those purposes, be accurate, be kept no longer than necessary, and be processed in a manner that ensures the security of the personal data.

The principles presented in Article 5 of the GDPR are: ‘lawfulness, fairness and transparency’, ‘purpose limitation’, ‘data minimisation’, ‘accuracy’, ‘storage limitation’, ‘integrity and confidentiality’, and ‘accountability’.

For example, ‘lawfulness’: processing is lawful only if one of the following applies:

  1. Consent: The data subject has given consent to the processing of her or his data for a specific purpose.
  2. Contract: The processing is necessary for the performance of a contract to which the data subject is a party.
  3. Compliance: The processing is necessary for compliance with a legal obligation to which the controller is subject.
  4. Interest of the data subject: The processing is necessary to protect a vital interest of a natural person.
  5. Public interest: The processing is necessary to carry out a task in the public interest or in the exercise of official authority.
  6. Legitimate interest of the controller: The processing is necessary for the legitimate purposes of the controller or a third party, except where these are overridden by the interests or fundamental rights of the data subject that require data protection, in particular where the data subject is a child.

Part C: The CCPA

Objectives and scopes 

Based on the right to privacy, the Californian legislature has adopted specific mechanisms to protect California citizens. This followed various cases of violation by international organizations:

“In March 2018, it came to light that tens of millions of people had their personal data misused by a data mining firm called Cambridge Analytica. A series of congressional hearings highlighted that our personal information may be vulnerable to misuse when shared on the Internet. As a result, our desire for privacy controls and transparency in data practices is heightened.”

Therefore, the intention of the Californian legislature is to give effect to citizens' right to privacy by providing effective tools for controlling personal information, ensuring the following rights:

  1. The right to know what personal information is being collected about them. 
  2. The right to know whether their personal information is sold or disclosed and to whom.
  3. The right to say no to the sale of personal information. 
  4. The right to access their personal information. 
  5. The right to equal service and price, even if they exercise their privacy rights.

The CCPA applies to businesses that process personal information of consumers who are residents of California. A ‘Business’ in the CCPA means: 

A legal entity that is organized or operated for profit or financial benefit, that collects consumers' personal information, that does business in the state of California, and that meets one of the following conditions:

(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000). 

(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices. 

(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information. 

(2) Any entity that controls or is controlled by a business, and that shares common branding with the business.

Rights of the consumers 

1. Deletion – The CCPA gives consumers the right to request that a business delete any personal information about the consumer that the business has collected from them.

2. Disclosure – Upon receipt of a verifiable request from a consumer, a business that collects personal information shall disclose the information:

“A business that collects personal information about consumers shall disclose…: 

(1) The categories of personal information it has collected about that consumer. 

(2) The categories of sources from which the personal information is collected. 

(3) The business or commercial purpose for collecting or selling personal information. 

(4) The categories of third parties with whom the business shares personal information. 

(5) The specific pieces of personal information the business has collected about that consumer.”

Consumers also have the right to request that a business that sells their personal information, or discloses it for business purposes, disclose to the consumer the categories of personal information that have been collected, sold, or disclosed.

3. Objection – The right to opt out. At any time, the consumer shall have the right to direct a business not to sell the consumer's personal information.