The General Data Protection Regulation (GDPR) applies within the European Union and safeguards the data privacy of EU residents. The California Consumer Privacy Act (CCPA) applies in the State of California and protects the privacy and personal data of state residents.
The two regulations share many similarities in goals and requirements. However, they differ in terms of emphasis and content. This article will explore how the regulations compare and help you create a comprehensive regulatory compliance strategy.
Key takeaways
- CCPA aims to make data processing more transparent and empower individuals via privacy rights. GDPR is a comprehensive data security and privacy law enforced by national regulators.
- CCPA applies to larger businesses active in California and companies focused on data processing. GDPR applies to all businesses that interact with EU residents.
- CCPA protects personal information that can reasonably be linked to an individual or household. GDPR is broader, and protects any data related to an identifiable individual.
- CCPA allows individuals to opt out of data processing. GDPR gives individuals more power to limit data processing or block sharing entirely.
- Under CCPA, the state levies penalties via lawsuits and enables private actions. Standard fines are limited to $7,500 per violation. GDPR fines can reach €20 million or 4% of global turnover.
What is CCPA?
Enacted in 2018, the CCPA protects the data privacy rights of California residents. The Act gives residents the power to access, amend, delete, and transfer personal data held by companies, providing more control over their digital identities.
The CCPA aims to enhance transparency and encourage responsible data practices. It operates via a system of investigations and fines. The Office of the California Attorney General brings CCPA lawsuits, which can result in statutory fines of $7,500 per individual violation.
The California Consumer Privacy Act applies to businesses operating within California's boundaries, but does not affect all California companies. The Act only applies to firms that collect, process, or sell personal data. There are also several thresholds below which the CCPA does not apply.
What is GDPR?
The General Data Protection Regulation (GDPR) was also enacted in 2018, this time by the European Union. GDPR regulates the collection, processing, storage, and sharing of personal data across all EU jurisdictions. It applies to all organizations that handle the data of EU subjects, whether they have European subsidiaries or not.
The GDPR provides EU residents with rights of access, rectification (amendment), erasure, and portability. Subjects can request all data held about them, restrict or object to data processing, and retrieve their data in a portable format.
Under GDPR, national Data Protection Authorities levy fines. Penalties can be high, reaching 4% of global revenues or 20 million euros (whichever is higher). GDPR also mandates data protection by design and default and requires data breach notifications within 72 hours.
Who must comply with CCPA and GDPR?
Both CCPA and GDPR cover organizations that handle sensitive data. It's important to understand whether you fall under data security regulations, as exemptions apply.
The California Consumer Privacy Act applies to companies operating in California with revenues above $25 million. It also covers all companies that derive over half of their revenues from selling personal data, regardless of revenue size. Companies must also comply with the CCPA if they handle the data of more than 100,000 California residents.
GDPR has a broader scope. The General Data Protection Regulation applies to all organizations that collect or process the data of EU residents. For example, US-based companies that sell to Germany must align their data privacy compliance with GDPR.
GDPR also distinguishes between data controllers and processors. Controllers collect data and deal directly with customers. Processors store or handle data on behalf of controllers. CCPA does not make this distinction, although companies can be liable for the data failures of third-party vendors.
Key differences between CCPA and GDPR
Many companies in the global economy must comply with the CCPA and the GDPR. This overlap can lead to compliance challenges, as the regulations differ in subtle (but important) ways.
One-size-fits-all compliance strategies can expose businesses to regulatory action, making it vital to understand the main differences. Let's quickly compare GDPR and CCPA to clarify the situation:
Scope
As discussed above, CCPA and GDPR take different approaches to scope. GDPR is extra-territorial. It applies to all businesses that interact with EU residents, wherever they are. CCPA is focused on activities within California.
The extra-territorial nature of GDPR often challenges online businesses. Any organization that collects the personal information of EU subjects or those living in Europe must do so in line with GDPR rules.
CCPA also has an extended territorial reach, affecting out-of-state companies that meet revenue or data processing criteria. However, many local companies are exempt due to their limited revenues or data collection practices. Companies must be CCPA-compliant if they:
- Earn gross revenues of $25 million or more.
- Buy, process, or sell the personal information of 100,000 Californian individuals or households. This includes sharing personal data with third parties without payment.
- Derive over 50% of their gross revenues from data processing activities.
Third parties also come under the scope of CCPA and GDPR. Service providers that process personal information for other companies must follow relevant privacy regulations.

Personal data definition
Personal data is an area where the GDPR vs CCPA comparison is stark. GDPR adopts a broad definition of personal data. EU regulators view personal data as all information relating to identifiable data subjects.
Personal data under GDPR includes names and email addresses, as well as IP addresses, device identifiers and geolocation data. Organizations that rely on pseudonymized data must still take care to remove all identifiers.
CCPA uses a tighter definition of personal data. Under CCPA, personal information is data that identifies, or is capable of identifying, an individual or household. The Act states that personal information must be "reasonably linked" to California residents. This wording gives businesses some latitude to gather data for business purposes.
Personal information includes social security numbers, driver's license numbers, login credentials, names, phone numbers, email addresses, IP data, biometric data, photographs, and medical histories. Information about internet activity is included, bringing tracking cookies under the CCPA umbrella.
Note that CCPA also refers to "households". GDPR does not do so and focuses on individuals. CCPA compliance extends to the personal information of people within an individual's household, not just the individual subject.
Rights and powers
GDPR and CCPA grant different bundles of rights to data subjects. We will look at this in more depth below. Both regulations provide individuals with extensive rights to access, delete, and edit personal data. GDPR goes slightly further. EU laws allow subjects to challenge how companies use data. GDPR also demands specific opt-outs relating to automated data profiling.
Data security
CCPA is primarily a privacy regulation and does not include comprehensive data security clauses. The Act requires businesses to implement "reasonable" security practices relating to their data processing activities.
When companies fail to secure personal data, California residents can exercise a private right of action under CCPA. Penalties from civil lawsuits can reach $750 per violation, in addition to standard CCPA fines.
GDPR has stricter data security requirements. Regulated companies must adopt data security by design and default. Robust data security must be an integral part of business operations before organizations start processing data from EU subjects.
Data breach rules are also more demanding. Companies must notify national regulators within 72 hours if a consumer data breach is likely to affect the data rights of EU residents. Companies must also carry out Data Protection Impact Assessments (DPIAs) for joint enterprises and international data transfers.
Enforcement
CCPA is enforced by the Office of the California Attorney General. Regulatory action by the Attorney General can lead to penalties of up to $2,500 per violation if breaches are unintentional. Penalties can reach $7,500 per violation in cases of intentional or severe consumer data breaches.
As noted above, CCPA also relies on the courts to enforce data privacy. Individuals can exercise their right to private action. Private actions can incur fines of $750 per personal data violation.
GDPR is enforced by the Data Protection Authorities (DPAs) of the European Union member states. Investigations can lead to significant financial penalties.
- Less serious cases may be classed as Tier 1 violations. In these cases, regulators can levy fines of 2% of global turnover or €10 million, whichever is higher.
- More serious cases fall under Tier 2 penalties. In these cases, regulators can fine companies 4% of their global turnover or €20 million. Again, the higher amount applies.
Consent
GDPR and CCPA take prior consent seriously but adopt slightly different approaches. This has important implications for designing websites and delivering tracking cookies.
GDPR gives data subjects greater control over how companies collect data. Covered entities must provide consent forms when users visit websites or purchase services. Consent forms must enable opt-outs of all data collection actions (unless data collection is covered by a legal justification).
Consent forms must also inform users about their privacy rights. Users should know their rights to access, erase, and amend personal information. They should also be able to withdraw consent to data sharing whenever they wish.
Under CCPA, businesses do not need to gain consent to collect customer data. However, data subjects must be able to opt out of data sharing (including data gathered online via tracking cookies). Websites should provide tools to withdraw consent, and companies must notify individuals if they wish to share their personal information with third parties.
Legal justification
Under GDPR, companies must have a legal justification to collect data. Reasons to gather personal information include contractual and law enforcement obligations, protecting a vital interest, and acting in the public interest. Consent also counts as a justification for data collection.
CCPA does not require companies to justify data collection, provided businesses allow customers to opt out of data gathering if they wish.
Data protection responsibilities
Finally, GDPR requires larger organizations to appoint a Data Protection Officer (DPO). The DPO coordinates privacy measures and liaises with regulators. DPOs are mandatory if the core of the company's business involves processing data or the organization deals with sensitive data such as medical records.
CCPA does not require a DPO. Regulators allow companies to choose their administrative measures, provided they comply with CCPA requirements.
What rights do CCPA and GDPR grant to individuals?
Rights are critically important when comparing CCPA vs GDPR. Both regulations protect privacy by defining a set of core rights. These rights are the basis for regulatory actions and prosecutions, so companies must understand what they are and how they apply to data processing.

The six core rights protected by the CCPA are:
- Access: Individuals must have access to personal information held by companies.
- Deletion: Subjects must be able to request erasure of records if required.
- Correction: Subjects must be able to request amendments to incorrect data.
- Consent: Individuals have the right to opt out of sharing or selling data.
- Non-disclosure: Organizations must not disclose sensitive information without prior consent.
- Non-discrimination: Organizations must treat all individuals equally, with no discrimination against those who choose to opt out of data sharing.
GDPR protects a slightly longer list of rights. Data controllers must protect the right to:
- Information: Data controllers must tell subjects how they collect, store, use, and share data.
- Access: Data subjects must be able to access personal information held by companies.
- Rectification: Controllers must edit incorrect records if requested.
- Be forgotten: Individuals can request the deletion of all personal data if the information is no longer necessary for a business purpose.
- Restriction: Individuals can ask companies to limit data processing if doing so is illegal or unnecessary.
- Portability: Companies must provide user data in a standardized and machine-readable format.
- Objection: Individuals can object to data processing if they feel companies breach their data privacy. Companies must change their processing methods unless they can provide a legitimate justification.
- Withdraw from automated data collection: GDPR allows individuals to withdraw from automated data processing activities such as AI profiling tools.
In summary: CCPA vs GDPR
CCPA and GDPR are closely related data privacy regulations, but they are far from identical.
In general, GDPR compliance is more complex. EU regulators require companies to secure data and protect privacy rights. CCPA is less focused on data security. It mainly deals with protecting consumer rights.
CCPA gives companies more freedom to design privacy systems, while GDPR is prescriptive. Companies must meet defined standards, and regulators hold them to account if they fail to do so. CCPA puts individuals first, promoting transparency and accountability via private action lawsuits.
Cookie consent shows how GDPR and CCPA differ. Under CCPA, websites simply need to provide an opt-out for data sharing. Under GDPR, companies must allow consumers to opt into data collection and sharing.
Companies often have to satisfy both GDPR and CCPA requirements. Fortunately, despite many differences, the privacy regulations overlap in many core areas. Many of the rights listed above are shared by both regulations. Companies in California and the EU must provide privacy notices, allow access, and facilitate data subject requests promptly.
Businesses should take a dynamic approach that understands the divergences between GDPR and CCPA but uses the similarities to limit compliance costs. Assess your data processing activities, and plan carefully to meet privacy requirements wherever you operate.