GDPR vs CCPA: Main Similarities and Differences
GDPR vs CCPA: Comparing the Two Laws
The main difference between the GDPR vs the CCPA is how the two laws approach consent management and the operating restrictions they impose on businesses.
The GDPR is widely (and correctly) viewed as the stricter of the two data privacy laws — with businesses required to ask customers for explicit permission before collecting any personal data and larger fines for privacy violations. The GDPR also impacts the entire European Union, while the CCPA is squarely focused on companies doing business in California.
This article will provide all the details you need to become compliant with either or both of these regulations or to learn more about the similarities and differences between GDPR and CCPA.
Let's dive in.
What is GDPR?
GDPR stands for General Data Protection Regulation, a legislative framework that replaced the previous data privacy laws in the European Union.
GDPR came into effect in May 2018 to provide individuals with greater protection and control over their personal data and how that data was handled, stored, and processed by companies, partners, and third parties.
What is CCPA?
The California Consumer Privacy Act (CCPA) is a data privacy law that gives Californian residents the right to know what personal information is collected about them. CCPA also gives Californian residents the right to have their data deleted, and the right to refuse its sale to third parties. The CCPA came into effect on the 1st January 2020.
California voters passed Proposition 24 in November 2020, also known as the California Privacy Rights Act (CPRA). The CPRA amended and extended the CCPA by adding additional rights to Californian residents and altering the metrics businesses had to reach to be required to comply with the CCPA. The updated CCPA laws came into effect on 1st January 2023.
For the avoidance of doubt, where this article refers to CCPA we are referring to the updated regulations as of 1st January 2023.
GDPR vs CCPA Comparison Chart
It is generally accepted that GDPR is stricter and has greater reach than CCPA due to the controls it places on an individual’s data and the level of fines it levies on organizations in breach of the rules. Organizations need to be aware of the differences between both laws to ensure they are compliant. There is some natural overlap between both regulations, but organizations should not assume that because they are compliant with one set of data privacy laws they meet the obligations of both.
The table below shows the similarities and differences between the two laws in terms of who they impact and the maximum fines imposed.
| | CCPA | GDPR |
|---|---|---|
| Data collection consent | Businesses do not need user consent to capture data (e.g. via website cookies) but must provide a clear link to opt out of data collection and the sale of an individual's data. | An opt-in must be displayed and accepted by the individual user before data collection is allowed. An opt-out option must also be available to the user. |
| Maximum fine | $7,500 per intentional violation. $2,500 per non-intentional violation. $7,500 per violation of the rights of a minor, whether intentional or unintentional. | Severe cases: up to €20 million or up to 4% of total global turnover for the preceding fiscal year. Less severe cases: up to €10 million or 2% of a firm's annual revenue from the preceding financial year. |
| Who the law applies to | For-profit companies that process the data of Californian residents. CCPA applies to any business that collects the data of Californian residents and meets at least one of the three threshold criteria described below. CCPA rules also apply to service providers and contractors processing the data on behalf of the business under a written contract. | Organizations that process the data of an individual within the EU. GDPR rules apply to the original data controller (who decides the purpose and method of processing personal data) and also to any processors and sub-processors that process the data on behalf of the controller. |
The table above shows a few key differences between GDPR and CCPA. The first big difference is that under CCPA businesses are not required to gain user consent when collecting data but must provide an opt-out for the user. In contrast, GDPR requires that the individual accepts tracking and data capture via an opt-in before their data can be tracked. Under GDPR an opt-out must also be offered.
The Impact of GDPR and CCPA
As the comparison table above shows, GDPR applies to any organization within or outside the European Union that processes the data of an EU citizen. According to the European Union website, the EU has 448.4 million residents. According to the Public Policy Institute of California, the state has 39.03 million residents, making it the most populous state in the US.
These statistics show that the European Union has more than 11 times the residents of California, meaning GDPR impacts many more people than CCPA. The comparison table also shows that GDPR applies more broadly: any company that processes the data of EU citizens must comply with GDPR even if it is based outside Europe.
In comparison, many organizations collecting the data of Californian residents are exempt from the CCPA regulations if they meet none of its thresholds: making more than $25 million in annual revenue; collecting, buying, or sharing the data of more than 100,000 consumers or households; or making 50% or more of their revenue from selling user data.
GDPR vs CCPA: Maximum Fines
Maximum fines are another area of difference between GDPR and CCPA. For serious breaches, GDPR fines can be severe. An illustration of this is the largest fine imposed under GDPR so far: in May 2023, the Irish Data Protection Commission (DPC) imposed a fine of €1.2 billion on US tech giant Meta.
The first enforcement action under the CCPA occurred in 2022. On August 24th, the Attorney General of California, Rob Bonta, announced that beauty brand Sephora had reached a settlement of $1.2 million after breaking CCPA laws.
According to the Attorney General’s Office, Sephora illegally sold consumers’ data using third-party trackers. This enabled the brand to run targeted ads and get discounts on analytics. In addition, Sephora failed to enact the opt-out requests made by customers via their web browser.
The Sephora case is also interesting because it is the first time action has been taken under the CCPA against a business over something unrelated to a security breach, namely inadequate compliance with privacy rules.
While the fines for GDPR can be much higher, as the Sephora case shows, CCPA settlements can also run into significant sums of money even for large businesses.
GDPR vs CCPA: Rights of the Individual
Both GDPR and CCPA give individuals the right to know their data is being collected, the right to know what data is held about them and how that data is used, the right to rectify inaccurate personal information, the right to request deletion of personal data, and the right to restrict the ways in which their data is used.
Both frameworks also give users the right to data portability which allows individuals to obtain and reuse their personal data for their own purposes. Organizations should allow individuals to move, copy, or transfer personal data easily from one IT environment to another.
There are also a few areas where data subject rights differ between CCPA and GDPR.
CCPA - The Right to Opt In
CCPA restricts the selling of children's personal data. A company must not sell the personal information of individuals it knows are under 16 years old unless they have opted in; selling the personal data of anyone under 16 is only allowed subject to this opt-in right.
The company has to receive consent to sell personal data from:
- The individual, if aged between 13 and 16; or
- The individual’s parent or guardian, if aged under 13
CCPA - The Right to Nondiscriminatory Treatment for Exercising Rights
Businesses cannot deny you access to goods or services, charge a higher price, or offer a different quality of goods or services as a response to an individual exercising their rights as listed by CCPA.
A business may be unable to provide goods or services if you refuse to provide, ask it to delete, or ask it to stop selling personal information that it needs in order to provide those goods or services.
CCPA - The right to Initiate a Private Cause of Action for Data Breaches
When a data breach compromising an individual's data occurs as a result of a business's failure to implement and maintain reasonable security procedures and practices, the individual has the right to sue the business that violated the CCPA in the California state courts.
An individual can apply for a statutory amount of damages which the CCPA rules currently set at between $100 and $750 per consumer per incident, or the actual damages they have suffered as a result of the breach, whichever is greater.
GDPR - Right not to be subject to a Decision Based Solely on Automated Processing
The GDPR data protection law establishes that you have the right not to be subject to a decision based solely on automated processing if the decision produces legal effects.
Automated processing can influence your circumstances, choices, or behavior. For example, where automation is used to make a decision in the case of a bank loan, you must be informed that you may express your opinion, contest the decision, and ask that the decision made automatically by an algorithm be reviewed again by a person.
A long-awaited first draft of the California Privacy Protection Agency's rulemaking on automated decision-making technologies was announced on 27 November 2023. It is expected an individual’s right to opt out of profiling and automated decision-making will be introduced in future iterations of CCPA which will bring it closer to the current GDPR.
GDPR vs CCPA: Consent Management
We've outlined previously how consent management was first introduced by the GDPR. Under the law, all businesses operating in Europe or collecting data on European residents must have tracking cookies disabled by default. It is only after a user gives express consent that organizations are allowed to collect and share personal data.
The CCPA treats consent slightly differently. Under the law, companies can collect data and the burden of opting out is on the individual. Hence, your cookie banner can be set up to track information by default.
The biggest difference between GDPR and CCPA aside from the reach of each legislation, is around user consent. GDPR means any organization processing the data of an individual in the EU needs consent from the individual first.
CCPA allows users to opt out of having their personal data processed, but it does not require consent or an opt-in from the individual before that data is collected.
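The opt-in versus opt-out defaults described in this section, and the CCPA opt-in requirement for users known to be under 16 described earlier, are easy to get wrong when one consent banner serves both jurisdictions. The following consent gate is an added example written for this article; it is not Enzuzo's code or any real consent management platform's API. The regime table, the `ConsentGate` class, the `selectTrackers` helper and the sample tracker list are all constructed for illustration.

```javascript
// Consent gate modelling the GDPR (opt-in) and CCPA (opt-out) defaults.
// Added example, not Enzuzo's or any CMP's code; regime names, method names
// and the sample tracker list are constructed for illustration.

const REGIMES = {
  // GDPR: non-essential tracking is off until the user explicitly opts in.
  GDPR: { trackingByDefault: false, needsOptInControl: true },
  // CCPA: tracking may run by default, but an opt-out route must be offered.
  CCPA: { trackingByDefault: true, needsOptInControl: false },
};

class ConsentGate {
  constructor(regime, { knownUnder16 = false } = {}) {
    if (!(regime in REGIMES)) throw new Error(`unknown regime: ${regime}`);
    this.regime = regime;
    this.knownUnder16 = knownUnder16;
    this.decision = null; // null: the user has not interacted with the banner yet
    this.auditLog = [];   // explicit choices, kept as evidence of consent
  }

  // Record an explicit banner choice ("accept" or "reject").
  record(choice, at = new Date()) {
    if (choice !== 'accept' && choice !== 'reject') {
      throw new Error(`invalid choice: ${choice}`);
    }
    this.decision = choice;
    this.auditLog.push({ choice, regime: this.regime, at: at.toISOString() });
    return this;
  }

  // May non-essential tracking (analytics, ad cookies) run right now?
  trackingAllowed() {
    if (this.decision !== null) return this.decision === 'accept';
    return REGIMES[this.regime].trackingByDefault;
  }

  // May personal data be sold to third parties? As for tracking, except that
  // under CCPA a user the business knows to be under 16 requires an opt-in
  // (from the minor if aged 13 to 16, from a parent or guardian if under 13).
  saleAllowed() {
    if (this.decision !== null) return this.decision === 'accept';
    if (this.regime === 'CCPA' && this.knownUnder16) return false;
    return REGIMES[this.regime].trackingByDefault;
  }

  // Controls the banner must expose: an opt-out under both regimes, plus an
  // explicit opt-in wherever collection or sale is off by default.
  requiredControls() {
    const optIn = REGIMES[this.regime].needsOptInControl ||
      (this.regime === 'CCPA' && this.knownUnder16);
    return optIn ? ['opt-in', 'opt-out'] : ['opt-out'];
  }
}

// Decide which scripts to load: essential ones always, the rest only when the
// gate permits. Returns the names so the caller can inject the script tags.
function selectTrackers(gate, trackers) {
  return trackers
    .filter((t) => t.essential || gate.trackingAllowed())
    .map((t) => t.name);
}

// Constructed sample tracker list for the demonstration.
const SAMPLE_TRACKERS = [
  { name: 'session-cookie', essential: true },
  { name: 'analytics', essential: false },
  { name: 'ad-pixel', essential: false },
];

// Walk through both regimes to show the differing defaults.
function demo() {
  const eu = new ConsentGate('GDPR');
  const ca = new ConsentGate('CCPA');
  const caMinor = new ConsentGate('CCPA', { knownUnder16: true });
  return {
    gdprBeforeChoice: selectTrackers(eu, SAMPLE_TRACKERS),  // essential only
    ccpaBeforeChoice: selectTrackers(ca, SAMPLE_TRACKERS),  // all three
    ccpaMinorSaleBeforeChoice: caMinor.saleAllowed(),       // false
    gdprAfterAccept: selectTrackers(eu.record('accept'), SAMPLE_TRACKERS),
    ccpaAfterReject: selectTrackers(ca.record('reject'), SAMPLE_TRACKERS),
    gdprControls: new ConsentGate('GDPR').requiredControls(),
    ccpaControls: new ConsentGate('CCPA').requiredControls(),
    ccpaMinorControls: caMinor.requiredControls(),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of keeping the decision separate from the regime default is that an explicit user choice always wins: once a Californian user has rejected, the CCPA default no longer applies, and once an EU user has accepted, tracking may start. The audit log is what a business would produce if asked to demonstrate that consent was actually obtained.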
What is the Future of GDPR vs CCPA Compliance?
GDPR and CCPA are not going to go away. Privacy, control of personal data, and corporate transparency are important issues for consumers and regulators.
Many other states throughout the US are bringing out similar laws to CCPA. Connecticut, Florida, Montana, Oregon, Utah, Iowa, Tennessee, Virginia, Colorado, Texas, New Hampshire, Delaware, New Jersey, Kentucky, and Nebraska have passed comprehensive data privacy laws.
California, Utah, Virginia, Connecticut, and Colorado’s laws are currently effective. Oregon, Florida, Texas, and Montana's privacy laws come into effect in 2024.
The future of data privacy is going to become even more complex. Failure to comply with privacy laws can be damaging to an organization due to large financial penalties, reputation damage, loss of public trust, and consumers seeking out alternative suppliers for goods and services.
The Role of Enzuzo
How can Enzuzo help?
Enzuzo is the leading provider of data privacy compliance software. Our automation tools can help automate data privacy compliance tasks, including data subject consent tracking and management, privacy policy management, and cookie consent banners.
One area where Enzuzo is helping achieve compliance is via Google Consent Mode, a new requirement from Google for advertisers using the Google Ads platform across Europe.
All advertisers must be integrated with a Google-certified consent management platform (CMP) or their Google Ads account will be blocked. Enzuzo is a Google-certified CMP and 100% compliant with Consent Mode V2.
Enzuzo can also provide a data privacy risk assessment to establish your compliance risk.
If you hold the data of external data subjects, you are required to keep that data secure. Without robust data security, an organization will have no way to prevent data misuse in violation of one or more data subject rights.
IT resources should be knowledgeable about the role of data security in data privacy compliance to help avoid breaches and the potential for large fines and reputation damage.
For more information or to schedule a demo, contact Enzuzo today.
Osman Husain
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.