General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two data privacy regulations that dictate how companies collect, process, and share private user information. While they serve the same purpose, GDPR and CCPA ensure data privacy differently and require businesses to adapt in different ways.
This article explains the main differences between GDPR and CCPA. Read on to learn what sets these laws apart, where they overlap, and how to achieve compliance with both regulations.
GDPR vs. CCPA: The Main Differences
GDPR and CCPA both protect personal data, but the two statutes differ in many areas, including:
- Territorial scope.
- Application of the regulation.
- The nature and extent of processing restrictions.
- Penalties and fines.
- The rights of data owners.
The table below outlines the main differences between GDPR and CCPA:
|Point of Comparison
|May 25, 2018
|January 1, 2020 (signed into law on June 28, 2018)
|Create a “data privacy by default” legal framework within the European Union
|Create transparency in the California data economy and grant rights to its consumers
|Who must comply with the law?
|Organizations that process personal data of individuals in the EU (even if the organization is outside of the EU)
|For-profit entities that process data of California residents and meet specific revenue and operations criteria
|Who does it protect?
|Any individual in the European Union at the time of data collection or processing (no residency or citizenship requirements)
|California residents only
|What data does it protect?
|Any information relating to an identified or identifiable data subject
|Personal information that identifies, relates to, describes, or associates (directly or indirectly) to a specific consumer, device, or household
|Excluded data types
|Medical data, clinical trial data, data from consumer reporting agencies, GLBA information, DPPA information
|Protection of publicly available data
|Legal basis for processing personal data
|Prior consent from the data owner
|No (but data owners have the option to opt out of data sales)
|Protection of household-specific data
|Up to 4% of a company’s global annual turnover or €20 million (whichever is highest)
|Maximum of $2.500 per accidental violation and up to $7.500 for intentional violations
|National data protection authorities on a state level
|Attorney general of California
|Data controllers and processors must take technical and organizational measures to ensure data safety
|Does not directly impose data security requirements, but consumers can sue the company in case of a data breach
|Right to data deletion
|Yes (for all data types; response time is 30 days)
|Only for data collected directly from and about consumers (response time is 45 days)
|Right of data rectification
|Right to restrict processing
|Yes (under certain circumstances)
|Right to object to processing
|Does a business require a Data Protection Officer (DPO) to achieve compliance?
|Collecting data from minors
|Minors under 16 require parental consent
|Minors under 13 require parental consent
If an organization is GDPR-compliant, it does not make it CCPA-compliant and vice versa. Both CCPA and GDPR regulate online processing of personal data, but they do it differently.
What is GDPR?
The General Data Protection Regulation (GDPR) is the most comprehensive data protection law in the world. This regulation controls how organizations process personal data within all 27 member states of the European Union (EU).
The GDPR empowers owners of private data (data subjects) to dictate how companies process their information. The GDPR defines processing as any form of collecting, recording, organizing, structuring, storing, altering, or destroying personal data.
The data subject status does not apply only to EU citizens. According to the GDPR, any individual within the EU at the time of data processing is a data subject.
This regulation extends many benefits to data subjects, including the right to:
- Know how organizations use their personal information.
- Access their personal information in possession of any company.
- Make changes to personal data.
- Request the deletion of their private data.
- Restrict and object to processing activities.
- Transfer data between different organizations.
To process any form of personal data, an organization must receive consent from the data subject. The permission is only valid if the request is clear about the purpose, extent, and duration of data processing.
The GDPR only protects natural persons and does not apply to legal persons.
Who is Regulated by GDPR?
The GDPR applies to all companies, organizations, and websites that offer services to or monitor the behavior of people within the EU. This regulation has no geographic restrictions and concerns all entities that collect data from EU customers.
The GDPR recognizes two types of companies that must comply with the data privacy rules:
- Data controllers: These companies determine the means and purposes of data processing.
- Data processors: These entities process personal information on behalf of data controllers.
Every EU state has a national data protection authority responsible for:
- Conducting audits of companies and their data privacy measures.
- Promoting awareness about the GDPR and data privacy.
- Offering guidance to companies wishing to achieve compliance.
Failing to comply with the regulation can lead to monetary penalties of up to 4% of a company’s annual turnover or €20 million. Authorities can also punish non-compliance by banning certain types of processing and ordering companies to erase data. The nature and gravity of the violation determine the extent of the penalty.
The GDPR is not applicable in the law enforcement and national security areas. However, businesses offering services to law enforcement or security agencies must comply with the regulation.
What Data is Covered by GDPR?
The GDPR covers personal information that directly or indirectly relates to an identified or identifiable individual within the EU. Some data types the GDPR protects are:
- Dates of birth.
- Email addresses.
- Home addresses (street, zip, postal code, city).
- Phone numbers.
- Bank accounts.
- Credit card numbers.
The GDPR does not cover:
- The processing of anonymous data that does not reveal identities.
- Data of deceased data subjects.
- Any data processing occurring on a personal or household level.
The GDPR includes publicly available data. If a controller or processor collects personal data from a public source, the company is subject to the GDPR.
To achieve compliance with the GDPR, a company must set up technical and organizational protection measures. An organization must protect the data it collects and processes, and GDPR holds businesses accountable in case of a data breach.
Know the difference between security and compliance, two related concepts vital to cybersecurity.
What Does it Take to be GDPR Compliant?
Achieving GDPR compliance starts with data mapping. Document how data flows through your company to identify areas that could cause privacy problems.
- The legal basis for data processing.
- Data retention periods.
- Visitors’ rights under the GDPR.
Next, adjust all the forms you use on your website. The GDPR insists that all data subjects consent to data processing, so ensure visitors opt in before you start collecting data. Also, inform users about the purpose of cookies and trackers.
Ensure employees know the importance of data protection and GDPR rules. Train the staff on basic principles of the regulation and necessary procedures.
Some organizations need to hire or promote a Data Protection Officer (DPO) to comply with the GDPR. Organizations that require a DPO are:
- Public authorities.
- Entities that run regular monitoring of data subjects on a large scale.
- Companies that process sensitive personal data on a large scale (race, ethnicity, religion, political history, medical history, sexuality, financial history, etc.).
A DPO is also useful for keeping the records of processing activities, which is another GDPR requirement.
Remember that the local supervisory authority helps companies become compliant with the GDPR. Schedule regular audits of processing and security controls in your organization and take steps towards compliance.
Our article about the General Data Protection Regulationu offers an in-depth analysis of how to comply with the GDPR.
What is CCPA?
California Consumer Privacy Act (CCPA) is a statute that ensures privacy rights of citizens in California, United States. The CCPA is the first significant state-wide privacy legislation in the US.
The CCPA protects consumers, natural persons who are California residents. The definition of a CCPA consumer is:
- An individual who is in California for other than a temporary or transitory purpose.
- An individual who resides in California but is outside the State for a temporary or transitory purpose.
Consumers have the right to:
- Know what personal data a business possesses.
- Know if a company is selling their private information.
- Stop a business from selling their private data.
- Move the data between different entities.
- Request data deletion.
- Ask for a copy of their data.
- Receive the same services and prices regardless of whether they exert their CCPA rights.
The CCPA obligations apply to collecting and selling of personal information:
- Collecting includes buying, renting, gathering, receiving, or accessing personal data directly from the consumer or indirectly.
- Selling includes renting out, revealing, or communicating personal information for monetary gain.
According to the CCPA, a business does not require prior consent from a user to process personal data. However, consumers reserve the right to opt out of data sales.
Like the GDPR, the CCPA does not protect legal persons.
Who is Regulated by CCPA?
The CCPA applies to companies that collect, sell, or disclose personal data of California residents. The regulation does not extend to non-commercial activities.
The CCPA only applies to an organization that:
- Is a for-profit company.
- Collects consumers’ personal data.
- Determines the purposes and means of data processing.
- Conducts business in California.
Additionally, a company must meet any of the following thresholds to fall under the CCPA:
- Annual gross revenue of more than $25 million.
- Annually purchases, acquires, sells, or shares the personal data of more than 50,000 consumers, households, or devices.
- Earns 50% or more of its annual revenue from the sale of personal information.
The CCPA also applies to any entity or organization that controls or is controlled by the business. Any company that shares the same branding with a covered business (name, service mark, or trademark) is also subject to the CCPA.
Like the GDPR, the CCPA does not extend to the law enforcement and national security areas.
The responsibility of enforcing the CCPA belongs to the Attorney General of California. Penalties for not complying with the statute range from $2,500 for accidental violations to $7,500 for intentional breaches.
What Data is Covered by CCPA?
The CCPA protects personal information that directly or indirectly relates to a specific consumer, household, or device. Examples of data the CCPA covers:
- Demographic information (name, address, email, etc.).
- A unique identifier (IP addresses, device identifiers, geolocation, etc.)
- Employment, and education data.
- Account and Social Security numbers.
- Driver’s licenses.
- Personal property records.
- Online activity.
- Biometric data.
- Audio recordings.
The CCPA does not apply to the collecting and sharing of some types of personal data, such as:
- Medical and health information under other US legal frameworks (The Confidentiality of Medical Information Act and The Health Insurance Portability and Accountability Act).
- Personal data for clinical trials.
- Personal data of consumer reporting agencies.
- Information under the Driver’s Privacy Protection Act.
- Personal data moving through credit reporting agencies.
- Information under the Gramm-Leach-Bliley Act.
Use our HIPPA compliance checklist to ensure your company safely collects and stores patient health data.
The CCPA does not cover publicly available data. Processing information from federal, state, or local government records is safe if the use of data aligns with the sharing purpose.
The CCPA also excludes some processing activities from its definition of “selling,” including:
- When a consumer uses or directs a business to share personal data with a third party.
- When a company shares personal data with a service provider to achieve a necessary “business purpose.”
- When a business transfers personal data to a third party as a part of a merger, acquisition, or bankruptcy.
The CCPA does not cover the processing of anonymous consumer information. “Deidentified” data has no individual identities or indicators of a particular person, household, or device. However, businesses collecting deidentified data must set up technical measures to prevent reidentification.
What Does it Take to be CCPA Compliant?
Start by mapping all the personal data flowing through your organization. Answer the following questions:
- What personal data do you collect and possess?
- How do you collect consumer information?
- Where and how do you store private data?
- Do you share sensitive data with other businesses?
Next, update your privacy disclosures. Let the consumers know what personal data you collect and for what purpose. According to the CCPA, a company should provide a disclosure “at or before the point of collection.”
The CCPA also requires businesses to add a privacy link on the Home Page with the title of “Do Not Sell My Information.” The link should lead to a page that allows consumers to opt out of the sale of their data.
You also need to ensure your team can meet the consumer requests, such as:
- Sending a copy of their data.
- Deleting their personal information.
- Explaining what categories of their data you sell.
- Requesting to opt out of the sale of personal data.
Ensure the staff has adequate training to know how to direct and process customer requests.
Does GDPR cover CCPA?
If a company operates in California and collects data from EU visitors, the business is subject to GDPR. However, due to the differences between the two laws, that business will also have to account for the CCPA if it collects local information.
As two separate statutes, the GDPR does not include CCPA rules. Any organization that falls under the scope of these two regulations must comply with both GDPR and CCPA.
Two Completely Different Data Privacy Regulations
GDPR and CCPA create different legal frameworks for data privacy and autonomy. Any business within the two regulations’ scope must know the difference between GDPR and CCPA to ensure full compliance and safe operations.