California’s Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are two of the biggest consumer privacy regulations of recent times, and rightfully so given the amount of data being collected about individuals. While both laws focus on user privacy rights and on putting control over personal data back into users’ hands, there are many differences between the two. Here is a look at the key CCPA vs GDPR differences.
CCPA vs GDPR: 11 differences explained
Here is a brief overview of CCPA vs GDPR:
Let us look at some of these in detail.
#1 Type of law
The CCPA is both regulatory and statutory. Statutory means that it can be enforced without further action from the state’s legislature. Any violation of the CCPA will immediately trigger a cause of action that can be used to file a civil lawsuit in California state court.
GDPR is merely regulatory. Unlike CCPA, it does not have a direct impact on the outcome of civil litigation in its jurisdiction. The EU and the EEA Member States can incorporate the GDPR framework into their national laws and enforce it.
#2 Subjected entities
The CCPA applies to any for-profit organization that collects personal data about California residents for commercial purposes or for selling goods or services to California residents, provided it meets at least one of the following criteria:
- At least $25 million in gross annual revenue
- Buys, sells, or receives personal information about at least 50,000 California consumers, households or devices for commercial purposes, or
- Derives more than 50% of its annual revenue from the sale of personal information
The GDPR applies to all organizations that collect data on individuals within the European Union (EU) and European Economic Area (EEA), regardless of where those organizations are located.
The GDPR is much broader in the sense that the number of organizations holding personal data on EU residents is most likely larger than the number holding data on California residents.
#3 Type of data protected
Both laws define personal data in nearly the same way. However, the information covered by the CCPA is broader than that covered by the GDPR.
The CCPA defines personal information as “Information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer, device or household.” E.g. name, email address, purchase records, browsing history, location, biometric data, and inferences drawn from other personal information.
The CCPA excludes the following personal data sets from its scope:
- medical information protected under CMIA or HIPAA,
- information collected for clinical trials,
- sale of information to or from consumer reporting agencies,
- personal information under the Gramm-Leach-Bliley Act,
- information covered by California’s Driver’s Privacy Protection Act, and
- any publicly available information from federal, state, or local government records.
The GDPR defines personal data as “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly”. E.g. identification number, online identifier, email address, phone number, or data related to the physical, physiological, genetic, mental, economic, cultural, or social identity of the data subject. The GDPR excludes the following sets of personal data:
- data related to deceased persons,
- data processed through non-automated means,
- anonymous data, and
- data processed for personal or household purposes.
#4 Disclosure to users
Transparency is a common requirement of the two laws. Both require organizations to disclose how they handle users’ personally identifiable information (PII): what type of PII they collect, how and why, with whom they share (or sell) the data, what rights users have to control their data, and how users can contact the business. However, there are minor but key differences in the information the GDPR and the CCPA require businesses to give users.
The CCPA has a 12-month look-back period: when a consumer requests information, the business must disclose the personal information it collected and processed in the 12 months preceding the request.
Third parties are also obliged to inform users when they sell personal information to another third party.
The GDPR requires that organizations inform users how long they will retain their personal data, the users’ right to withdraw consent at any time, and when they share the data with other organizations.
#5 Rights of users
Under both laws, people get certain data rights that they can exercise.
Under the CCPA, consumers have the following rights:
- Right to know about and access personal information
- Right to delete personal information if collected from consumers
- Right to opt-out of the sale of personal information
- Right to non-discrimination for exercising the CCPA rights
The CCPA allows businesses 45 days to respond to requests, and they can extend this by another 45 days if they notify the consumer.
Under the GDPR, data subjects have the following rights:
- Right to access personal data
- Right to correct personal data in case of inaccuracy
- Right to delete personal data
- Right to restrict personal data processing
- Right to port data to another controller
- Right to object to personal data processing
- Right to object to automated data processing for decision making and profiling
Businesses have one month to respond to requests. They may extend this by another two months if the request is complex, but they must give a legitimate reason for doing so.
#6 Right to opt-out
CCPA allows businesses to collect personal information from users as long as the information is of an individual over the age of 16. However, you must provide users with an opt-out choice and give them a chance to object to the collection.
If your business has a website, then you must add a “Do Not Sell My Personal Information” link on your website’s homepage and all other pages where personal information will be collected. This link should lead to a dedicated page or setting where users can exercise their right to opt out. Once users opt out, you cannot collect personal information for 12 months.
GDPR’s right to opt-out is similar to CCPA’s, but with a notable difference. Under GDPR, businesses must provide options for both opt-in and opt-out. This means that businesses that rely on the processing of data for their business model must ask users to explicitly consent to the collection and use of their information.
The users have the right to opt out of data collection and use at any time, even if they previously opted in.
#7 Age of consent
Under the CCPA, businesses are not required to seek consent before collecting or selling consumer data unless the consumer is below 16 years of age. Children under 13 years of age require parental consent.
GDPR states that the minimum age of consent is 16 years old. Member States may lower the minimum age of consent to 13, but parental consent is necessary if the user is under 16.
#8 Cookie control
The CCPA is not as strict as the GDPR in terms of requiring explicit consent from visitors to store cookies on their devices. Websites do not need explicit consent to store cookies on visitors’ devices; the CCPA only requires websites to let visitors opt out of cookies that sell their personal information. Websites should also provide information about what kind of cookies they use, why, and how visitors can manage them.
Unlike CCPA, GDPR requires websites to explicitly ask for consent from users before storing cookies on their devices. It also requires websites to provide clear settings that allow users to opt out of the cookies.
Like CCPA, the GDPR also requires websites to disclose information on what kind of cookies are being used and why they are being used as well as providing clear instructions on how visitors can control or delete them.
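The practical difference for a website is the default: under the GDPR a non-essential cookie may only be written after the visitor has opted in, while under the CCPA it may be written by default but must stop once the visitor has used the “Do Not Sell My Personal Information” choice. The following consent gate is an added example, not CookieYes code or code from either regulation; the cookie categories and the assumption that “advertising” cookies count as selling personal information are constructed for the illustration.

```javascript
// Consent-gated cookie writing for the GDPR opt-in model and the CCPA opt-out model.
// Added example; categories and the "advertising sells PI" mapping are assumptions.

const NECESSARY = "necessary";                      // strictly necessary cookies need no consent under either law
const SELLING_CATEGORIES = new Set(["advertising"]); // assumed: these cookies "sell" personal information (CCPA)

class ConsentState {
  constructor(regime) {
    if (regime !== "gdpr" && regime !== "ccpa") throw new Error(`unknown regime: ${regime}`);
    this.regime = regime;
    this.optedIn = new Set(); // GDPR: categories the visitor explicitly accepted
    this.doNotSell = false;   // CCPA: visitor used "Do Not Sell My Personal Information"
  }

  optIn(category) { this.optedIn.add(category); }       // GDPR consent banner "accept"
  withdraw(category) { this.optedIn.delete(category); } // GDPR: consent can be withdrawn at any time
  setDoNotSell() { this.doNotSell = true; }             // CCPA opt-out link

  // Decide whether a cookie of the given category may be written right now.
  allows(category) {
    if (category === NECESSARY) return true;
    if (this.regime === "gdpr") {
      return this.optedIn.has(category);                // opt-in: default deny until accepted
    }
    // CCPA: default allow, but never write "selling" cookies after an opt-out
    return !(this.doNotSell && SELLING_CATEGORIES.has(category));
  }
}

// Build the Set-Cookie value only when consent state permits it; returns null otherwise.
// Secure and SameSite are set so the example does not demonstrate a weaker cookie than needed.
function buildCookie(state, name, value, category, opts = {}) {
  if (!state.allows(category)) return null;
  const maxAge = opts.maxAge ?? 60 * 60 * 24 * 365;
  const sameSite = opts.sameSite ?? "Lax";
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAge}`,
    "Path=/",
    "Secure",
    `SameSite=${sameSite}`,
  ].join("; ");
}

// Walk through both regimes with constructed cookie names and return the outcomes.
function demo() {
  const gdpr = new ConsentState("gdpr");
  const before = buildCookie(gdpr, "_analytics_id", "abc123", "analytics");
  gdpr.optIn("analytics");
  const after = buildCookie(gdpr, "_analytics_id", "abc123", "analytics");

  const ccpa = new ConsentState("ccpa");
  const adDefault = buildCookie(ccpa, "_ad_id", "xyz", "advertising");
  ccpa.setDoNotSell();
  const adAfterOptOut = buildCookie(ccpa, "_ad_id", "xyz", "advertising");
  const analyticsAfterOptOut = buildCookie(ccpa, "_analytics_id", "abc123", "analytics");

  return { before, after, adDefault, adAfterOptOut, analyticsAfterOptOut };
}
```

In a browser the returned string would be assigned to `document.cookie`; the functions are kept pure here so the decision logic can be exercised without a DOM. Note that the gate only covers cookies the site writes itself; third-party scripts that set their own cookies must not be loaded until `allows()` returns true for their category.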
#9 Security requirements
Although the CCPA does not focus on any specific security requirements, it allows consumers to take action against companies that do not maintain adequate security measures.
Data security is one of the main requirements of the GDPR. Organizations are expected to implement necessary technical and organizational measures to ensure the security of personal data. The GDPR advises organizations to use techniques like encryption and pseudonymization to protect personal data.
#10 Fines and penalties for non-compliance
Under the CCPA, fines are up to $2,500 per violation and $7,500 per intentional violation. Consumers can claim statutory damages of up to $750 per violation (the minimum is $100). The CCPA gives businesses a 30-day cure period to rectify the violation.
The fines are imposed by the California state court.
There are two levels of GDPR fines depending on the severity of the violation:
- For less severe violations, up to €10 million or 2% of annual global turnover, whichever is higher.
- For severe, high-risk violations, up to €20 million or 4% of annual global turnover, whichever is higher.
Data protection authorities in the EU Member States impose the GDPR fines.
#11 Enforcing authority
The California Attorney General enforces the CCPA, while the GDPR is enforced by the data protection authorities of the EU Member States.
In general, the two acts are very similar, but certain differences need to be taken into account when considering the effects of each. The regulations they put in place reach beyond the boundaries of their respective home jurisdictions. Companies that want to comply with both laws should understand the differences between them, or risk making decisions that could land them in legal trouble.
Frequently asked questions
What does GDPR and CCPA stand for?
The GDPR stands for General Data Protection Regulation and it is an EU regulation for the data protection and privacy of EU residents. The CCPA stands for California Consumer Privacy Act and it is a US state law to protect the data and privacy rights of Californian residents.
How is CCPA different from GDPR?
The CCPA is different from GDPR, as it’s a self-executing law that directly affects all civil litigations in California. In comparison, the GDPR is a set of regulations each European Union member state may choose to include in its own nation’s laws.
Is CCPA like GDPR?
No, CCPA is not like GDPR. Though it may seem CCPA was borrowed from GDPR, they are two completely different laws. The CCPA is an American state law that focuses exclusively on protecting the privacy of California residents. The GDPR is a European Union (EU) regulation that protects the personal data of those living in the EU by imposing strict data protection requirements and strict penalties for non-compliance. The CCPA doesn’t give them as much control as the GDPR gives Europeans.
Was the CCPA modeled after the GDPR?
The CCPA was not modeled after the GDPR. The CCPA is actually much narrower in scope: it only applies to California residents and does not extend outside of the U.S., whereas the GDPR applies to the personal data of EU residents regardless of where that data is processed.
The CCPA also has a much lower threshold for applicability, as it applies to companies that have more than $25 million in annual revenue or have more than 50,000 Californian users. In contrast, the GDPR applies to any organization that processes the personal data of EU residents.
The CCPA also takes a less prescriptive approach than the GDPR. Whereas the GDPR sets out detailed requirements for what organizations must do regarding data subject rights, the CCPA leaves many aspects open to interpretation without clear guidance as to how these should be met.
Does CCPA cover GDPR?
The CCPA goes beyond the scope of the GDPR by covering personal data that relates to a household or device. Whereas the GDPR does not apply to personal data used for personal or household activities. However, the CCPA excludes information collected for non-commercial purposes.
CCPA vs GDPR: Which is better?
Both laws have similar goals regarding user privacy. However, the GDPR has a broader scope of applicability, given that it protects the data of all EU citizens, whereas the CCPA is specific to California residents. The GDPR also provides more user rights and offers slightly better privacy control to users, especially when it comes to opt-in consent. Overall, the GDPR has a larger global impact than the CCPA because it is used as a blueprint for international privacy regulations.
What is CCPA compliance?
CCPA compliance refers to the adherence of a business’s privacy practices to the laws of the California Consumer Privacy Act.
The CCPA is a US legislation that applies to any company that processes the personal information of California residents. It was created to give consumers more control over their data and increase transparency about how that data is handled.
The CCPA went into effect on January 1, 2020.
What is GDPR compliance?
GDPR compliance means complying with the requirements put forth by the EU GDPR. The GDPR affects organizations, regardless of where they operate if they process the personal data of EU individuals to offer them goods or services or monitor their behavior in the EU.
The basic requirements of the GDPR are fairly broad. It applies to anything related to personal data, including collecting, storing, or transferring it, unless the data is used for personal or household purposes.
It went into effect on May 25, 2018.