GDPR vs. CCPA: Key Differences and Similarities
Europe’s General Data Protection Regulation (GDPR) law is the strictest privacy law in the world.
Soon after it was introduced in May of 2018, California created its own privacy law—the California Consumer Privacy Act (CCPA). Because it enforces the data privacy rights of consumers in California, CCPA has often been called the “GDPR of California.”
But is CCPA actually comparable to GDPR?
In this article, we’ll take a deep dive into both privacy laws by exploring their requirements, fines, and definitions. Finally, we’ll look at where they overlap, and how they differ to see if CCPA is in fact the “GDPR of the Golden State.”
What is GDPR?
The General Data Protection Regulation, or GDPR, was created to protect the privacy rights of individuals in the European Union. This includes website visitors, consumers, non-profit donors, or anyone else who engages with a platform that collects data. GDPR was created in response to a growing number of users engaging with cloud-based services, and a growing number of data breaches, leaks, and cyber attacks.
To protect the rights of users in all 27 countries (also called Member States) of the EU, GDPR enforces strict regulations around how websites, companies, and organizations process and retain the personal data of users. GDPR gives users control over how companies collect, use, and share their personal data.
According to GDPR, data controllers include any person in an organization who decides how and why data is processed. This could be an owner or an employee of an organization or business.
Data processing refers to any automated or manual action performed on data. Data subjects can include consumers or site visitors.
Finally—and most importantly—GDPR defines personal data as any information relating to an identified or identifiable natural person (the ‘data subject’). This includes information such as names, physical addresses, or email addresses, but also “ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions.”
What is CCPA?
The California Consumer Privacy Act, or CCPA, was created to protect the data privacy rights of consumers in the state of California. CCPA regulations apply to for-profit businesses and are primarily concerned with transparency.
Most notably, CCPA gives consumers the:
Right to request access to, or deletion of, data that has already been collected.
Ability to opt in or out of having their data sold to third parties.
Right to correct inaccurate information.
Right to limit use of personal information.
According to CCPA, the businesses and for-profit entities to which the law applies include any business operating in California that meets at least one of the following thresholds:
Has an annual gross revenue exceeding $25 million.
Processes the data of more than 50,000 consumers (or devices, or households) in California.
Makes at least 50% of its revenue from selling personal information.
CCPA defines consumers as customers, employees, or businesses (such as in a business-to-business transaction) that purchase from a business operating in California.
Finally, CCPA defines personal information as any data that may be connected to an individual or household. This can include Social Security numbers, account log-in information, credit card information, geolocation information, ethnic or religious information, and genetic data.
Expansion of CPRA
The California Privacy Rights Act, or CPRA, was approved in 2020 and makes significant changes to CCPA.
One main difference deals with the enforcement of the law. CCPA is enforced by the California Attorney General, whereas the CPRA is enforced by the California Privacy Protection Agency and the California Attorney General.
Additionally, the CPRA raises one of the applicability thresholds by increasing the number of California consumer records processed from 50,000 to 100,000.
CPRA expands the definition of sharing data to “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
It also adds contractors to the law. The CPRA stipulates that contractors may only use the personal information of consumers to perform the services agreed on in a contract. It requires them to use safeguards and to tell consumers when they are using subcontractors. Keep in mind that CPRA regulations apply to subcontractors as well.
The GDPR and CCPA/CPRA do have some areas of overlap. Both laws:
Were created to protect privacy rights.
Concern personal information that can be used to identify an individual, such as basic personal information, addresses, and ethnic/religious information.
May affect entities outside of the specific area (EU or CA).
However, the regulations do include key differences. The GDPR is far more stringent and results in much higher fines. In the next section, we’ll take a look at the core differences between GDPR and CCPA/CPRA.
While GDPR and CCPA/CPRA are both designed to protect privacy, they have different requirements.
CCPA/CPRA requires businesses to inform individuals (or other covered entities) when their data has been used for business purposes within 12 months of data collection. Users must also be informed when third parties collect that data and sell it on to other third parties.
GDPR, on the other hand, requires that individuals always be notified when their data is collected. They must also be told why their data is being used, and be reminded that they have the right to withdraw their consent.
GDPR also carries much higher fines than the CCPA/CPRA. A company or organization that violates GDPR regulations can be fined up to €20 million or 4% of global revenue (whichever is higher).
CCPA/CPRA charges $2,500 per violation and $7,500 per intentional violation.
Simply put, GDPR provides more proactive protection for consumers (an opt-in model), while CCPA/CPRA focuses more on retroactively informing consumers that their data has been collected (an opt-out model).
For additional resources, here’s the GDPR checklist for data controllers and a breakdown of CCPA regulations.
In general, if your organization is GDPR compliant, then you are well on your way towards CCPA/CPRA compliance. Sustained compliance with both laws requires continuous monitoring of controls and a unified view of your team’s security posture. To learn more about how to automate this process for you, schedule a demo with our team.