CCPA vs GDPR: Learn the Key Differences in Data Privacy Laws [Infographic]
74% of consumers around the world feel they have little to no control over their personal data, according to research by Ponemon Institute. Even more Americans (81%) feel they have little to no control over their personal data once it's shared with companies, according to a study by Wakefield Research.
Governments around the world have introduced major data privacy legislation in response to consumers’ growing concerns about sharing their personal information. Most notable are the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA), in the United States.
Understanding how these laws compare in terms of who they apply to, what types of information they protect, and what they require is essential for growing organizations. We’ll cover everything you need to know about CCPA vs GDPR below.
CCPA vs GDPR
The California Consumer Privacy Act (CCPA) is data privacy legislation passed in 2018 to give California residents greater insight into and control over how businesses collect and use their personal information. The General Data Protection Regulation (GDPR) is a law passed in 2016 by the European Union to help keep data safe while giving consumers greater insight into and control over who can process their personal data and why.
Both CCPA and GDPR are considered some of the world’s strictest data privacy laws, and the two share several commonalities. However, they aren’t interchangeable.
Below are key similarities and differences to know.
Effective date
CCPA went into effect on January 1, 2020. It was amended by CPRA, a ballot initiative that passed in November 2020. Among other changes, CPRA updated the qualifying criteria and added further consumer privacy rights. The CPRA provisions contained in the ballot initiative went into effect on January 1, 2023. On March 29, 2023, the California Privacy Protection Agency finalized additional regulations that flesh out the law's new requirements; enforcement of these regulations will not begin until March 29, 2024.
GDPR went into effect on May 25, 2018.
Who’s affected by the legislation
CCPA applies to any for-profit organization that collects the personal information of California residents and meets at least one of the three thresholds below, as well as to those organizations' service providers.
- Exceeds $25 million in annual gross revenue
- Buys, sells, receives, or shares for commercial purposes the personal information of 100,000 or more consumers, households, or devices
- Earns 50% or more of its annual revenue from selling or sharing personal data
GDPR applies to data controllers and processors that process the personal data of EU residents. Data controllers are organizations that decide how and why personal data is processed. Data processors are organizations that process personal data on behalf of data controllers.
Scope
Both laws apply to companies that are located outside their borders. Any organization that serves either EU residents or Californians needs to understand its obligations under these data privacy laws.
What’s considered personal data
GDPR defines personal data as any information that relates to an individual who can be identified, either directly or indirectly. Examples include names, birth dates, phone numbers, credit card numbers, customer numbers, IP addresses, location data, and biometric data.
CCPA takes a broader approach to data privacy by defining personal data as any information that can be linked to a particular consumer, household, or device, either directly or indirectly. Examples include names and addresses, Social Security numbers, purchase histories, and device identifiers like IP addresses.
Sensitive data
GDPR defines a special category of personal data that’s subject to specific processing conditions. This “sensitive” personal data may reveal a person’s racial or ethnic origin, political opinions, or sexual orientation, among other identifiers, and can only be processed for very particular reasons, like establishing legal claims.
Under CCPA as amended by CPRA, there is no separate special category of data. However, several types of data that fall under CCPA's definition of personal information are considered special categories under GDPR. These include a person's racial or ethnic origin, as well as passport numbers, precise geolocation, biometric data, text messages, and more. Organizations must allow consumers to opt out of the use and disclosure of their sensitive personal information.
Data subject rights
Both CCPA, as amended by CPRA, and GDPR grant data subjects similar rights, including:
- Right to know what personal data is being collected
- Right to access personal data
- Right to request deletion of personal data
- Right to correct inaccurate personal information that a business has about them
- Right to data portability
Some of these rights are only broadly similar and differ in detail. For example, a data subject's right to access under CCPA is limited to obtaining a written disclosure of their personal information, whereas the corresponding right under GDPR allows broader access.
Other data subject rights differ substantially between the two laws. For example, only under CCPA do data subjects have the:
- Right to opt-out of the sale of personal information
- Right to limit use and disclosure of sensitive personal information
- Right to contact information for submitting requests related to consumer rights
- Right to non-discrimination for exercising data subject rights (although this is implied in GDPR)
Only under GDPR do data subjects have the:
- Right to restrict the processing of personal data under certain circumstances
- Right to object to the processing of personal data for certain purposes, including automated processing and profiling
What’s required
In addition to respecting consumer rights regarding their personal data, organizations have additional responsibilities under CCPA and GDPR.
In effect, both laws require that organizations have a legitimate reason for collecting and processing personal information. Under CCPA, organizations must establish a valid business purpose for the collection and/or processing of personal data. Under GDPR, organizations must establish a legal basis for processing the data and obtain explicit consent from consumers.
Both laws require an organization to implement and maintain reasonable security practices and procedures to help ensure any personal information it collects is secure from a data breach. While neither specifies what reasonable security measures are, examples include data encryption, firewalls, access controls, employee security training, and maintaining an up-to-date privacy policy.
Data transfer restrictions
GDPR includes specific provisions for transferring personal data outside of the EU or European Economic Area (EEA). In cases where data transfers are made, strict conditions apply to ensure appropriate data protection.
The CCPA, on the other hand, doesn't regulate the transfer of personal information across international borders.
Who enforces the law
CCPA compliance is enforced by the California Attorney General. GDPR compliance is enforced by data protection authorities in EU member states.
Penalties for non-compliance
GDPR and CCPA are both strict data protection laws, with potentially significant fines for failing to comply.
Companies that fail to comply with CCPA requirements can be issued fines by the California Attorney General, up to $7,500 per violation. Sephora was fined $1.2 million in 2022 for not disclosing to consumers that it sells their personal information. It was the first company to be penalized under CCPA.
Organizations that violate GDPR can pay a much higher price, especially for intentional violations.
Non-compliance with GDPR can mean significant financial penalties — fines of up to 20 million euros, or 4% of a company’s global annual revenue from the previous financial year, whichever is higher. Amazon was famously fined $888 million in 2021 for tracking customer data without proper consent and Google has paid several violation penalties amounting to upwards of $200 million.
Get GDPR and CCPA compliant with Secureframe
Our security and compliance automation platform makes it quick and easy to ensure you're compliant with data privacy legislation, including GDPR and CCPA. Get access to procedures and policies vetted by GDPR and CCPA experts, proprietary training for automatic employee compliance, access to in-house experts, and everything else you need to get and stay compliant. We also stay up-to-date on the latest data privacy regulations for you, so you can focus on what matters most — serving your customers and growing your business.
To learn more about our GDPR and CCPA offerings, schedule a demo with one of our product experts.
FAQs
What is the major difference between GDPR and CCPA?
The major difference is that GDPR is designed to give EU residents greater insight into and control over who can process their personal data and why, whereas the CCPA is designed to give California residents greater insight into and control over how businesses collect and use their personal information.
What is the US equivalent of the GDPR?
CCPA may be considered the US equivalent of the GDPR. Both are considered some of the world's strictest data privacy laws and share several common requirements and principles. For example, both laws require organizations to honor a customer's request to opt out of processing their personal data and to notify consumers of a data breach, and both protect the consumer's right to request erasure of their personal data and the right to data portability. However, other states also have comprehensive data privacy laws in place, including Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, and Delaware.
How do I become CCPA and GDPR compliant?
To become CCPA and GDPR compliant, organizations must respect consumer rights regarding their personal data, have a legitimate reason for collecting and processing personal information, and implement and maintain reasonable security practices and procedures to help ensure any personal information they collect is secure from a data breach.