California’s Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are two of the most significant consumer privacy regulations of recent years, which is fitting given the amount of data now collected about individuals. While both laws focus on user privacy rights and on putting control over personal data back into users’ hands, there are many differences between the two. Here is a look at the key CCPA vs GDPR differences.
Since the CPRA amends the CCPA and comes into effect on January 1, 2023, we also note where the CPRA differs from the GDPR.
CCPA vs GDPR: 11 differences explained
Let us look at each of these differences in detail.
#1 Type of law
The CCPA is a statutory law, which means that it can be enforced without further action from the state’s legislature. Any violation of the CCPA will immediately trigger a cause of action that can be used to file a civil lawsuit in California state court.
GDPR is regulatory. Unlike CCPA, it does not have a direct impact on the outcome of civil litigation in its jurisdiction. The EU and EEA Member States incorporate the GDPR framework into their national laws and enforce it there.
#2 Subjected entities
The CCPA applies to any for-profit organization that collects personal data about California residents for commercial purposes or sells goods or services to California residents and meets at least one of the following criteria:
- At least $25 million in gross annual revenue
- Buys, sells, or receives personal information (PI) about at least 50,000 California consumers, households, or devices for commercial purposes, or
- Derives more than 50% of its annual revenue from the sale of personal information
CPRA: It has similar criteria, except that the threshold applies to buying, selling, or sharing the personal information of at least 100,000 consumers or households.
The GDPR applies to all organizations that collect data on individuals within the European Union (EU) and European Economic Area (EEA), regardless of where those organizations are located.
The GDPR is much broader in scope: far more organizations are likely to hold personal data on EU residents than on California residents.
#3 Type of data covered
Both laws define personal data in nearly the same way. However, the information covered by the CCPA is broader than under the GDPR.
CCPA: “Information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer, device or household.” E.g. name, email address, purchase records, browsing history, location, biometric data, and inferences drawn from other personal information.
CCPA excludes the following personal data sets from its scope:
- medical information protected under CMIA or HIPAA,
- information collected for clinical trials,
- sale of information to or from consumer reporting agencies;
- personal information under the Gramm-Leach-Bliley Act,
- information covered by California’s Driver’s Privacy Protection Act and
- any publicly available information from federal, state, or local government records.
CPRA: CPRA expands on the PI covered by CCPA and adds a category called Sensitive Personal Information (SPI), similar to the GDPR’s special categories. This includes race, sexual orientation, political views, etc.
GDPR: “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly”. E.g. identification number, online identifier, email address, phone number, or sensitive types of data related to the physical, physiological, genetic, mental, economic, cultural, or social identity of the data subject. GDPR excludes the following sets of personal data:
- Data related to deceased persons,
- Data processed through non-automated means,
- anonymous data, and
- data processed for personal or household purposes.
#4 Disclosure to users
Transparency is a common requirement of the two laws. Both require organizations to disclose how they handle users’ personally identifiable information (PII): what type of PII they collect, how and why they collect it, with whom they share (or to whom they sell) it, what rights users have to control their data, and how users can contact the organization. However, there are minor but important differences in what the GDPR and the CCPA require you to tell users.
CCPA has a 12-month look-back period: businesses must be able to disclose what personal information they collected about a user and how they processed it over the preceding 12 months.
Third parties are also obliged to inform users when they sell personal information on to another third party.
The GDPR requires that organizations inform users how long they will retain their personal data, the users’ right to withdraw consent at any time, and when they share the data with other organizations.
#5 Rights of users
Under both laws, people get certain data rights that they can exercise.
CCPA:
- Right to know about and access personal information
- Right to delete personal information if collected from consumers
- Right to opt out of the sale of personal information
- Right to non-discrimination for exercising the CCPA rights
The CCPA allows businesses 45 days to respond to requests; they can extend this by another 45 days if they notify the consumer.
CPRA: In addition to expanding upon the existing rights granted under CCPA, CPRA introduces several new rights for consumers. These include the right to know about and opt out of automated decision-making, the right to correct personal information (PI), the right to limit the use of sensitive personal information (SPI), and the right to opt out of the sharing and selling of sensitive PI.
GDPR:
- Right to access personal data
- Right to correct personal data in case of inaccuracy
- Right to delete personal data
- Right to restrict personal data processing
- Right to port data to another controller
- Right to object to personal data processing
- Right to object to automated data processing for decision-making and profiling
Businesses have one month to respond to requests. They may extend this by another two months if the request is complex, but they must give a legitimate reason for doing so.
#6 Right to opt-out
CCPA allows businesses to collect personal information from users without prior consent as long as the individual is over the age of 16. However, you must provide users with an opt-out choice and give them a chance to object to the collection.
If your business has a website, then you must add a “Do Not Sell My Personal Information” link on your website’s homepage and all other pages where personal information will be collected. This link should lead to a dedicated page or setting where users can exercise their right to opt-out. Once users opt out, you cannot collect personal information for 12 months.
CPRA: Consumers have the right to opt out of the sharing of their personal information (including the PI of minors) for cross-context behavioral advertising. However, this right does not apply to non-targeted advertising. You must add a “Do Not Sell or Share My Personal Information” link on your website’s homepage and all other pages.
GDPR’s right to opt-out is similar to CCPA’s, but with a notable difference. Under GDPR, businesses must provide options for both opt-in and opt-out. This means that businesses that rely on the processing of data for their business model must ask users to explicitly consent to the collection and use of their information.
The users have the right to opt out of data collection and use at any time, even if they previously opted in.
#7 Age of consent
CCPA: Businesses are not required to seek consent before collecting or selling consumer data unless the consumer is under 16 years of age. Children under 13 years of age require parental consent.
CPRA: This expands to sharing of consumer data as well.
GDPR states that the minimum age of consent is 16 years old. Member States may lower the minimum age of consent to 13, but parental consent is necessary if the user is under 16.
#8 Cookie control
CCPA is not as strict as GDPR when it comes to requiring explicit consent from visitors to store cookies on their devices. Websites do not need explicit consent to store cookies; they only have to let visitors opt out of cookies that sell their personal information. They should also provide information about what kinds of cookies the website uses, why, and how visitors can manage them.
CPRA: This expands to cookies that share the personal information of consumers with third parties.
Unlike CCPA, GDPR requires websites to explicitly ask for consent from users before storing cookies on their devices. It also requires websites to provide clear settings that allow users to opt out of the cookies.
Like CCPA, the GDPR also requires websites to disclose what kinds of cookies are being used and why, as well as to provide clear instructions on how visitors can control or delete them.
#9 Security requirements
Although the CCPA does not focus on any specific security requirements, it allows consumers to take action against companies that do not maintain adequate security measures.
CPRA: It builds on the existing requirements by requiring businesses to implement additional measures to protect sensitive personal information. It also requires businesses to conduct regular risk assessments, perform cybersecurity audits, and maintain records of data processing activities.
Data security is one of the main requirements of the GDPR. Organizations are expected to implement necessary technical and organizational measures to ensure the security of personal data. The GDPR advises organizations to use techniques like encryption and pseudonymization to protect personal data.
#10 Fines and penalties for non-compliance
CCPA: Up to $2,500 per violation and $7,500 per intentional violation. Consumers can claim statutory damages of up to $750 per violation (minimum $100). CCPA gives businesses a 30-day cure period to rectify the violation.
The fines are imposed by the California state court.
CPRA: CPRA removes the 30-day cure period that allowed businesses to correct violations before facing penalties. In addition, the CPRA imposes a penalty of $7,500 for any violation involving the personal information of minors under the age of 16.
There are two levels of GDPR fines depending on the severity of the violation:
- For less severe violations, up to €10 million or 2% of annual global turnover, whichever is higher.
- For severe, high-risk violations, up to €20 million or 4% of annual global turnover, whichever is higher.
Data protection authorities in the EU Member States impose GDPR fines.
#11 Enforcing Authority
CCPA: The California Attorney General enforces CCPA.
CPRA: It establishes a new agency, the California Privacy Protection Agency (CPPA), which will investigate, enforce, and make decisions under CPRA.
GDPR: The law is enforced by the EU Commission, the EDPB, and the data protection authorities of the EU Member States, which may adopt the GDPR standards into their own national data protection laws.
In general, the two acts are very similar, but certain differences need to be taken into account when considering the effects of each. Both have a reach that extends beyond the boundaries of their respective home jurisdictions. Companies that want to comply with both laws should understand the differences between them, or risk making decisions that could land them in legal trouble.
Frequently asked questions
What do GDPR and CCPA stand for?
The GDPR stands for General Data Protection Regulation and it is an EU regulation for the data protection and privacy of EU residents. The CCPA stands for California Consumer Privacy Act and it is a US state law to protect the data and privacy rights of Californian residents.
How is CCPA different from GDPR?
The CCPA is different from GDPR, as it’s a self-executing law that directly affects all civil litigations in California. In comparison, the GDPR is a set of regulations each European Union member state may choose to include in its own nation’s laws.
Is CCPA like GDPR?
No, CCPA is not like GDPR. Though it may seem that CCPA borrowed from GDPR, they are two distinct laws. The CCPA is an American state law that focuses exclusively on protecting the privacy of California residents. The GDPR is a European Union (EU) regulation that protects the personal data of those living in the EU by imposing strict data protection requirements and strict penalties for non-compliance. The CCPA does not give Californians as much control as the GDPR gives Europeans.
Was the CCPA modeled after the GDPR?
The CCPA was not modeled after the GDPR. The CCPA is actually much narrower in scope: it applies only to California residents and does not extend outside the U.S., whereas the GDPR applies to the personal data of EU residents regardless of where that data is processed.
The CCPA also has a much lower threshold for applicability, as it applies only to companies that have more than $25 million in annual revenue or more than 50,000 Californian users. In contrast, the GDPR applies to any organization that processes the personal data of EU residents.
The CCPA also takes a less prescriptive approach than the GDPR. Whereas the GDPR sets out detailed requirements for what organizations must do regarding data subject rights, the CCPA leaves many aspects open to interpretation without clear guidance as to how these should be met.
Is CCPA stricter than GDPR?
The CCPA is a privacy law that is specific to businesses operating in California or collecting personal information from California residents. It applies to businesses that meet certain criteria, such as having a certain level of annual revenue or buying, selling, or sharing the personal information of a certain number of consumers for commercial purposes. On the other hand, the GDPR applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization is based. Both laws aim to protect the personal data of individuals and give them certain rights, but the GDPR has more detailed requirements and stricter penalties for non-compliance. It’s hard to say which law is stricter, as they have different provisions and serve different purposes.
Does CCPA cover GDPR?
The CCPA goes beyond the scope of the GDPR by covering personal data that relates to a household or device, whereas the GDPR does not apply to personal data used for personal or household activities. However, the CCPA excludes information collected for non-commercial purposes.
CCPA vs GDPR: Which is better?
Both laws have similar goals regarding user privacy. However, GDPR has a broader scope of applicability, given that it protects the data of all EU residents, while CCPA is specific to California residents. GDPR also provides more user rights and somewhat better privacy control, especially when it comes to opt-in consent. Overall, GDPR has a larger global impact than CCPA because it has served as a blueprint for privacy regulations worldwide.
What is CCPA compliance?
CCPA compliance refers to the adherence of a business’s privacy practices to the laws of the California Consumer Privacy Act.
The CCPA is a US legislation that applies to any company that processes the personal information of California residents. It was created to give consumers more control over their data and increase transparency about how that data is handled.
The CCPA went into effect on January 1, 2020.
What is GDPR compliance?
GDPR compliance means complying with the requirements put forth by the EU GDPR. The GDPR affects organizations, regardless of where they operate if they process the personal data of EU individuals to offer them goods or services or monitor their behavior in the EU.
The basic requirements of the GDPR are fairly broad. It applies to any processing of personal data, including collecting, storing, or transferring it, unless the data is used for purely personal or household purposes.
It went into effect on May 25, 2018.