What Is the Difference Between the CCPA & GDPR?

May 5, 2020

The CCPA (California Consumer Privacy Act) gives Californians new rights over the data they generate. It went into effect on January 1, 2020. It is the first major US privacy legislation enacted after the European GDPR (General Data Protection Regulation), which became effective in May 2018. While some have called the CCPA the California GDPR, there are some differences.

Even though Nevada and Maine have passed their own privacy legislation or amendments to existing laws, the CCPA is the first statewide privacy legislation of this kind in the country. The CCPA is of a different magnitude than those laws and amendments. It changes the way California residents can handle their own data: it gives them new rights to request that businesses delete or disclose the data collected about them, and to opt out entirely of third-party data sales. The law also creates new requirements for commercial entities doing business in California. Whether a business falls under these requirements depends on a set of definitions. The main requirement is that businesses provide consumers with information about how their data has been collected, processed, and sold in the past 12 months.

While the CCPA only affects one state, the GDPR is a European Union law that applies to all 27 member states. It controls how companies, organizations, and websites are allowed to handle personal data. Personal data can be anything from browser history and email addresses to location data, names, and more. If you have a website with visitors from the EU and you use a third-party service, such as Facebook or Google, that processes personal data, then the law requires you to first get prior consent from the user. For the consent to be valid, it must be based on clear information about the duration, extent, and purpose of the data processing. For example, if you collect consent through a cookie consent banner, the banner can’t have any pre-checked boxes. The law applies to any website in the world, regardless of where you are located or where you operate from. If you get any visitors from the European Union, you need to be in compliance. Even a website based in California that gets visitors from the EU still needs to follow the GDPR.

Overall Comparison of CCPA vs. GDPR

The CCPA is more about creating transparency and giving rights to consumers, while the GDPR is more focused on creating a “privacy by default” framework. The GDPR gives the user a door they can lock so that none of their data can be processed. The CCPA gives the consumer a window through which they can find out where their data has been gathered by a business or sold to a third party.

Legal Bases

The GDPR requires that businesses, websites, and companies have a legal basis for processing personal data in the EU. The first legal basis is consent. The CCPA doesn’t have this same framework. Under the CCPA, a business doesn’t need prior consent from a user before it processes the data, and a website doesn’t need prior consent from a user before it sells the data to a third party.

Main Rights of Each Law

Both laws cover some of the same main rights, including the right of access, the right to be informed, and the right to portability. The notable difference between the two is the right of prior consent versus the right to opt out. These can almost be seen as the same, since the right to opt out is also included in the right to withdraw consent.

When you compare the rights of each law closely, it’s prior consent that makes all the difference. Prior consent is exclusive to the GDPR. It is what creates a legal framework across the European Union that puts privacy first and keeps control with the user.

What Do the Laws Deal With?

The two laws define their subject matter a bit differently. The CCPA deals with personal information: information that identifies, relates to, describes, or is capable of being associated with a particular consumer or household, whether directly or indirectly. The GDPR deals with personal data: any information relating to an identified or identifiable natural person, directly or indirectly. The CCPA definition is wider in this respect, because it includes data that isn’t necessarily specific to an individual but can be categorized as household data. The GDPR, however, does have a special category of data called Sensitive Personal Data.

The GDPR sets out six different legal grounds for processing personal data. The CCPA sets out no legal grounds for processing data in the state. This means that businesses can process data as they want, unless a consumer actually exercises their right to opt out of having the data sold. This is reflected in the requirement that businesses provide a link or button on the website that says, “Do not sell my personal information.” By clicking this button, consumers can opt out of third-party data sales.

Who Do the Laws Apply to?

The laws have some differences on who is affected, whether it’s individuals or businesses.

Data Subjects vs. Consumers

The CCPA gives rights to consumers, defined as persons who are California residents. The GDPR protects what are known as data subjects, defined as identified or identifiable natural persons. A data subject can be any person and doesn’t have to be an EU citizen or resident. For example, if an American citizen is traveling in the EU and their data is processed while there, he or she is protected by the GDPR. The companies that process the data, even if they are outside the EU, still have to comply if they are offering services to data subjects within the union.

Scopes of the GDPR and CCPA

Both laws have extraterritorial scope. The CCPA applies to companies that fit the definition of a business, whether or not the company is actually located in California. A business, according to the law, is a for-profit entity that collects personal information, does business in California, and determines the means and purpose of processing. It must also meet one of these thresholds: it processes the information of at least 50,000 Californians every year, it has annual revenue over $25 million, or it gets 50% or more of its revenue from the sale of personal information. This definition excludes a lot of websites, organizations, and companies that do process the personal data of Californians and still allows them to do business as usual.

A company based in Europe can still fit the definition of a business under the CCPA and is then obligated to comply with the law. The GDPR applies to organizations, companies, and websites anywhere in the world if they offer goods or services to individuals within the EU. The difference is that the GDPR protects the data subject who happens to be in the EU at the time the data is collected or processed, whereas the CCPA only protects you if you fall under the definition of a California resident.

The GDPR doesn’t set any threshold on the size or profits of data collectors. A data controller, according to the law, is any entity that collects or processes data in the European Union. This can include any company, organization, business, or website. This is one of the main differences between the two laws: the GDPR has a much broader scope and protects more people.

Enforcement of the Laws

When it comes to the enforcement of the laws, both are similar but there are some differences.

The GDPR is enforced through monetary penalties issued by the national data protection authorities. Penalties can be as high as 4% of a company’s global annual turnover or 20 million euros, whichever is higher. The fines are determined by the nature, gravity, and duration of the infringement. So far, the highest fine has been 50 million euros. The CCPA is enforced by the Attorney General of California, also with monetary penalties. However, the monetary penalties under the CCPA are much smaller than those issued for violating the GDPR: there is a maximum of $2,500 per violation.

Under the GDPR, it’s the national data protection authorities that have the task of offering guidance and promoting awareness among organizations and companies on how to be GDPR compliant. The EU data protection authorities can conduct audits of companies that may be in breach of the GDPR, issue warnings, and order data controllers to comply. With the CCPA, there aren’t as many supervisory mechanisms, and it’s up to the state’s Attorney General to start any investigations. The Attorney General is expected to have created regulations on specific areas of supervision and enforcement by July 2020.

The CCPA and GDPR both do a lot to protect privacy, but there are more limitations to the CCPA than to the GDPR, and each law works a bit differently.