CCPA vs GDPR
The GDPR and CCPA regulations are each responsible for protecting personal data in their respective regions. But they aren’t just carbon copies of one another, which is why companies operating in both jurisdictions could struggle to comply.
Written by a human
In this article, we’re comparing CCPA versus GDPR, and sharing the nuance associated with both regulations. The aim is to help compliant companies to reach the regulatory requirements and operate their personal data collection with certainty.
Summary of the CPPA and GDPR regulations
GDPR is a European Union regulation, standing for the General Data Protection Regulation. It came into force in May 2018, and was the first-of-its-kind data protection law, extending online data security rights to all citizens of Europe.
The California Consumer Privacy Act (CCPA) on the other hand, focuses on consumer data rights only in the US state of California. It was amended on the 1st of January 2023 when the California Privacy Rights Act (CPRA) came into play, moving it closer to GDPRs rules.
| Feature | CCPA | GDPR |
| Date effective | 1 January 2023 (amended from 2020 version) | 25 May 2018 |
| Regulator | California Attorney General’s Office | Eu Commission, European Data Protection Board and individual country legislation systems |
| Type of legislation | Statutory and regulatory (does not require individual State consent) | Regulatory (requires different jurisdictions to enforce the rules in their area) |
| Who must comply? | Large for-profit businesses that collect personal data on Californian residents | Data collectors and processors based anywhere that rely on data from subjects within the EU |
| Types of data collected | Personal data | Personal data |
| Data exclusions | – protected medical sources – from clinical trials – from driver agencies – Derived from the sale of businesses – protected under the Gramm-Leach-Bliley Act | Nothing specific |
| User rights | Know, access, delete, port and non-discrimination | Know, access, delete, port, correct, restrict, object |
| Opt in, opt out | Consumers have the right to opt out | Requires explicit opt-in consent upfront |
| International data sharing | No requirements on international data transfer | No restrictions within the EU. Non-EU recipients must comply with EU’s standard contractual clauses (SCCs) to provide adequate data security protection. |
| Penalties for non-compliance | Up to $7,500 per breach, with no cap on the total | Up to €20 million total or 4% of the company’s annual turnover (whichever is higher) |
Similarities of the CCPA and GDPR
The overall purpose of both data privacy regulations is the same– to promote the security of personal data. The main channel for obtaining consent for data collection and processing, in both regulatory cases, is through digital cookies.
The CCPA and GDPR both define user rights, the grounds to collect and process data, consent terms and penalties. Moreover, the data subjects in both jurisdictions have the rights to:
- Know that their data is being collected and processed
- Access their data
- Opt out of data collection and processing (or request deletion)
- Transfer their data in secure files
Clearly, both regulatory environments aim to increase transparency and give some power back to the data subjects. However, that’s just about where the similarities end.
Differences of the CCPA and GDPR
Although the two regulations aim to achieve similar goals, they have very different approaches. The CCPA is a blanket regulation for all businesses with Californian customers, whereas GDPR is open to interpretation for the varying jurisdictions within the EU.
The table above shows a summary of the comparisons between the two regulations. Here, we’ll go into a little more detail for some of the differences.
Who must comply?
Businesses are the only entities required to comply with the CCPA. In particular, it’s large businesses– with any organization that meets one of the following three conditions required to comply:
- Generates $25 million dollars or more in annual gross revenues
- Buys, receives, sells, or shares the personal information of at least 50,000 consumers, households, or devices
- Derives at least 50% of annual revenue from selling consumers’ personal information
But the scope of GDPR compliance is much wider, with all organizations that can be classed as data controllers or data processors required to comply. These groups are defined by the following characteristics:
- Controller: An entity that determines the purpose and means of processing personal data
- Processor: An entity that processes data on behalf of controllers
This breadth of scope is also reflected in those protected by the regimes, with a wider group protected under the GDPR (as you’ll see below).
Who is protected?
GDPR protects all data subjects living within the EU, as long as the data can identify them. For example, any visitor to a website who accepts cookies on their browser, or anybody based in the EU that fills in an online form or survey.
On the other hand, the CCPA aims to protect consumers as the sole data subjects within their law. In practice, this narrows the scope. It could mean online shoppers based in California who give their payments and address information to an e-commerce store, for example.
What data is collected?
Under both regulations, personal data is collected. However, each framework has a different definition of personal data.
For GDPR, it’s direct identifiers like names, addresses, ID numbers, and indirect identifiers like IP addresses. Even seemingly unrelated information, like website cookies and biometrics can fall under GDPR if it can be used to identify a user. There are no specific exclusions.
The CCPA’s definition of personal information is equally broad, but specifically includes physical identifiers such as physical descriptions, physiological data and genetic makeup.
Data collection exclusions
One interesting feature within the CCPA scope is that there is a list of exclusions for the companies collecting data, typically because they are covered under other laws in the US.
One example of an exclusion is data protected under the Gramm-Leach-Bliley Act. This applies to financial institutions and requires them to safeguard sensitive data, as well as the requirement to provide customers with detailed information-sharing practices.
Other exceptions include warranty and recall information, data collected and used wholly outside of California, the sale of personal data for subjects under the age of 16. Plus employee information (such as background checks), information collected for non-profit activities and publicly available personal information, like a number in a phone book.
How can data be used?
GDPR specifies six legal grounds for the use of personal data by organizations:
- Consent: users have given permission (and can withdraw this)
- Contract: processing data is required to honor a contract
- Legal obligation: data collection is required to comply with the law
- Vital interests: data processing is required to save someone’s life
- Public tasks: when data collection or processing has a legal basis for being in the public interest
- Legitimate interests: this is the most vague purpose for data collection and processing, and is typically used by third parties such as businesses to improve their customer experience, for example
However, the CCPA allows businesses to process data by default, so the scope is much wider. It means that companies who collect data aren’t required to have specific corporate governance reasons.
What rights do data subjects and consumers have?
As previously mentioned, under both regimes, data subject has the rights to:
- Know: find out when, what and how data is collected on themself
- Access: gain the data that has been collected on themself
- Delete: request that the data collected on themself is deleted within 30 days
- Portability: transfer the data to another provider
The CCPA data retention scope also stipulates the right to non-discrimination for data subjects who exercise their rights.
The GDPR adds three more rights for data subjects:
- The right to correction: change personal data when it is inaccurate
- The right to restriction: request the limitation of data processing
- The right to objection: prevent automated data processing for decision-making and profiling purposes
Opting in, opting out
Under the CCPA, consumers are presumed to opt into the collection and processing of their data. However, they may opt out at any time.
Oppositely, GDPR requires data controllers to present subjects with the choice to opt in or out at the very beginning of their data collection, and for different types of data collection.
In practice, much of this happens with cookie banners on websites. For the CCPA, an opt-out button is mandatory. Under GDPR, both ‘accept’ and ‘refuse’ buttons are typically present. But users often see options to approve or deny the collection of the following data:
| Necessary | Preferences | Statistics | Marketing |
What are the penalties for non-compliance?
Finally, the penalties for non-compliance with both regulations also vary.
GDPR penalties place a lot of emphasis on fines that are proportionate and dissuasive for each case, so are decided individually. To give you an idea of the range, Article 85 in the regulation lists fines of up to €20 million per violation or 4% of the company’s turnover– whichever is higher.
Alternatively, the CCPA is a little more lenient with violations, as the Attorney General’s Office gives non-compliant companies 30 days to fix things. In these cases, a dedicated CCPA compliance checklist on how to comply with the CCPA can help companies to rectify their mistakes.
If they still fail to comply after this period, then the maximum financial penalty is $7,500 per breach. But in the case of multiple breaches, there is no cap on the total fine. Individual consumers are also able to claim up to $750 per breach for their own inconveniences.
Compliance is complicated, let us help you
No matter whether your business operates in the EU or California, there are a ton of regulatory requirements to meet. And organizations looking to expand into new territories might face a shock when they realize that the GDPR and CCPA compliance solutions are quite different, after all.
At Global Relay, we’ve existed for 25 years to help companies overcome the challenges of compliance. We’ve adopted the newest AI technology to bring efficiency to regulatory compliance, while continuing to place data security at the heart of the business.
