What is the difference between GDPR and CCPA?
Here are the main differences between CCPA and GDPR:
| CCPA | GDPR | |
|---|---|---|
| Type | Statutory and regulatory | Regulatory |
| Scope | Applies to for-profit businesses that hold personal information of California residents | Applies to businesses that hold personal data of EU/EEA residents |
| Personal data | Information that relates to an individual, household or device. Excludes publicly available personal information recorded by federal, state, or local government. | Data that relates to a living individual and is used for commercial purposes. Excludes publicly available information. |
| User rights | – Right to know about and access personal information – Right to delete personal information – Right to opt-out of the sale of personal information – Right to non-discrimination for exercising the CCPA rights |
– Right to access personal data – Right to correct personal data in case of inaccuracy – Right to delete personal data – Right to restrict personal data processing – Right to port data to another controller – Right to object to personal data processing – Right to object automated data processing for decision making and profiling |
| Opt-in necessary for data collection | No (unless the consumer is under 16 years old) | Yes |
| Right to opt-out | Yes | Yes |
| Age of consent | 16. Parental consent is mandatory for consumers below 13 years. | 16 (Member State laws can lower it to 13). Parental consent is mandatory for those who are below 16. |
| Cookie usage | Opt-in consent not necessary but opt-out is mandatory for cookies that sell personal information. | Opt-in consent is necessary to use cookies that track personal data. Opt-out should also be available for users. |
| Fine | Up to $2,500 for each violation and $7,500 for each intentional violation. | – Up to €10 million or 2% of annual global turnover, whichever is highest, for less severe violations. – Up to €20 million or 4% of annual global turnover, whichever is highest, for severe violations. |
| Enforcer | California Attorney General | EDPB, EU Commission, and Member State data protection authorities. |