The GDPR, the HIPAA, and the CCPA are some of the most influential and discussed laws in the privacy sector, but of course there are important differences between them. A very obvious one is that the GPDR is a regulation of the EU while the HIPAA and CCPA are US laws. Specifically, the HIPAA is a federal law while the CCPA is a law of the State of California. But the differences are deeper than that.
- What are these laws about?
- What is the scope of these laws?
- To whom do the GDPR, CCPA, and HIPAA apply?
- How are these laws enforced?
- How do these laws protect personal data?
- How do these laws protect sensitive information?
- Do these laws preempt other laws?
- Is the GDPR better than the CCPA and the HIPAA?
- Conclusions
What are these laws about?
The GDPR is the easiest one to explain: it is a privacy law, pure and simple. The CCPA sits somewhere in between privacy law and consumer protection law, which is why it mostly focuses on businesses.
As for the HIPAA, it is a medical sector law that only applies to healthcare providers and entities that work with them. Unlike the GDPR and CCPA, the HIPAA covers a lot more than privacy: it is a sectorial legislation that includes security standards, administrative requirements, and more.
What is the scope of these laws?
The GDPR has the widest scope of the three because it covers all the processing of personal data with narrow exceptions- for instance, criminal investigations are covered by a different EU law (the Law Enforcement Directive). The GDPR also does not cover national defense because the matter falls outside the mandate of the EU.
The CCPA only applies to the personal information of consumers, which is why it generally only applies to businesses.
Finally, the HIPAA only applies to protected health information (PHI). PHI is a complex notion: whether data are PHI or not depends not only on what the data are, but also on who controls them. For more info on the notion of PHI, feel free to check our blog.
To whom do the GDPR, CCPA, and HIPAA apply?
The GDPR is general in scope and applies to pretty much anyone, although it contains a household exemption for activities that are purely personal in nature. So, you don’t need to worry about the GDPR when you post on your Facebook home, but you do need to worry about it when you post through your company’s profile or business page.
The CCPA only applies to certain businesses. These are:
- businesses with a gross annual revenue of $25M or more
- businesses that buy, sell, or share the personal information of 100,000 or more California residents, households, or devices
- businesses that get half or more of their revenue from selling personal information of Californian residents.
In other words, it’s either large businesses, or smaller businesses that process a lot of personal information. The deli next door probably doesn’t need to worry about the CCPA, but a supermarket chain might need to, and data brokers definitely need to.
Non-profits are generally exempt from the CCPA, although there can be exceptions when the ownership and branding of a non-profit can be tied to a business.
As for the HIPAA, it applies to entities involved in heath care (hospitals, practitioners, insurance providers, and so on). It also applies to businesses that work with them (business associates), provided that they collect PHI.
The rules on the scope of the HIPAA are fairly complicated, so this is a gross simplification. For more information, check our blog on the scope of the HIPAA or the NHS’ website.
How are these laws enforced?
The GDPR is enforced by both courts and data protection authorities (DPA). The two play slightly different roles: as a rule of thumb, courts award damages, and DPAs impose fines.
From a practical perspective, DPAs are often understaffed and this tends to be a bottleneck for GDPR enforcement. The system for handling cross-border cases across the EU is also slow and sometimes messy due to differences in procedural rules between Member States (something the EU is working to address).
The CCPA has so far been enforced by the Advocate General of California. In 2024 the Avocate Genera will be joined by the California Privacy Protection Agency (CPPA- yes, the acronyms are confusing!).
The HIPAA is enforced by the Health and Human Services’ Office for Civil Rights.
How do these laws protect personal data?
Both the GDPR and the CCPA are essentially about what can and cannot be done with data, but the two laws take different approaches.
The GDPR sets strict rules to process personal data. Personal data can only be collected and processed on a specific legal basis, and whoever controls the data is under some general obligations.
It is a common myth that the GDPR always requires consent. In truth, the GDPR always requires a legal basis, and consent is not the only option. But there is a grain of truth to the myth, as are specific cases where consent is the only viable option.
The CCPA also sets rules to process personal information of consumers, but they are somewhat more lax. Businesses do not need consent or a legal basis to collect personal information, but they do need to offer consumers the option to opt out of the selling and sharing of their personal information, and to restrict the use of sensitive information. Overall, the CCPA is less prescriptive than the GDPR and more reliant on opt-out systems.
As for the HIPAA, its main privacy tenets are found in the Privacy Rule. According to the Rule, some disclosures of protected health information can only take place with the patient’s written consent, while others cannot. The CCPA allows disclosure without consent when they are strictly needed for the healthcare system to work: for instance, forwarding a patient's medical history to their new hospital, or disclosing medical expenses to its insurance provider for billing purposes.
The Privacy Rule also applies to business associates and restricts what they can do with PHI.
How do these laws protect sensitive information?
Both the GDPR and the CCPA protect sensitive information, but they define it in different terms and protect it in different ways.
Sensitive data under the GDPR is the kind of stuff you really don’t want to be abused or fall in the wrong hands: data about your religion, health, sexual life, political affiliations, ethnic origin, and so on. These data can only be processed in specific scenarios listed by the GDPR- outside of those scenarios, they cannot be touched.
The notion of sensitive data under the CCPA is somewhat similar but also includes data which are commonly used for fraud, such as social security numbers and bank account credentials.
Unlike the GDPR, the CCPA does not require a specific reason to collect this data. But companies need to offer the consumer the option to restrict the use and disclosure of sensitive information to what is strictly required- similar to how they must allow opting out from the selling and sharing of personal information
The HIPAA has no specific rules for sensitive data. This makes sense: pretty much everything covered by the HIPAA would be considered sensitive data in most legislations.
Health data collected outside the healthcare sector enjoys little or no protection because** it falls outside the scope of HIPAA**,. Because there is no federal US data protection law, businesses are free to do more or less what they want with this data- unless State legislation forbids them from doing so.
This is a huge privacy issue, especially for women. Last year the Republican-leaning US Supreme Court lifted a decades-long ban on anti-abortive legislation with the Dobbs v. Jackson ruling. Following legislative bans on abortion in Conservative States, women seeking reproductive care are being prosecuted based on their digital footprint- and easy access to health data is making enforcement all too easy.
Do these laws preempt other laws?
In general, the GDPR applies directly and “trumps” Member State law. However, some Articles leave some room for Member State law to add extra safeguards.
As a rule of thumb, the HIPAA preempts State laws, unless they provide stronger privacy protections. The HIPAA’s rules on preemption are complicated, so refer to the NHS’ website for more details.
Is the GDPR better than the CCPA and the HIPAA?
We would not really say so- all of these laws have their pros and cons. If you want to draw a comparison, looking at EU and US privacy law as a whole is more useful than pitching individual laws against each other.
In our opinion, US privacy law has two big problems. First, there is no federal data protection law. This means that many cases are unregulated or underregulated. Second, the privacy laws adopted by US States do not always include a private right of action. In some cases, you may not be able to act directly when your rights are violated, and all you can do is hope that the Attorney General of your State takes action. For these reasons, we like EU data protection law better than US data protection law.
This does not mean that the GDPR is better than US privacy laws. There are plenty of cool things in US laws that are missing from the GDPR. For instance, the content of emails and text messages is sensitive data under the CCPA but not under the GDPR. The CCPA also requires websites to honor "Do Not Track" signals coming from browsers- which is a very good way to streamline privacy preferences and reduce click fatigue. There are other really good things in US privacy law, such as the innovative one-stop erasure system of California's Delete Act, and strong protection for location data in a recent wave of legislation (with Washington's My Health, My Data Act paving the way).
We Europeans sometimes get a little cocky because of the GDPR's (deserved) reputation as a strong and innovative law, but this is not a useful attitute. There is plenty to learn from other data protection laws around the world.
Conclusions
The GDPR, the CCPA, and the HIPAA are all important laws but are very different. We hope this post gave our readers a clearer idea about these laws and their purpose.
We like writing about privacy because we believe it is important. This is also why we made privacy the cornerstone of Simple Analytics. Simple Analytics does not collect personal data, does not track visitors, and does not violate their privacy in any way- all while providing the customer with all the insight they need! If this sounds good to you, feel free to give us a try!